Docker is gone, and Podman is about to rise!

Introduction to Podman

What is Podman?

Podman is an open source container runtime project that can be used on most Linux platforms. Podman provides functions very similar to Docker. As mentioned earlier, it does not require any daemons to run on your system, and it can also run without root privileges.

Podman can manage and run any containers and container images that comply with OCI (Open Container Initiative) specifications. Podman provides a Docker-compatible command-line front end to manage Docker images.

Podman official website address: https://podman.io/

What is the main difference between Podman and Docker?

• When dockers implements CRI, it needs a daemon and secondly needs to run as root, so this also brings security risks.
• Podman does not need a daemon, nor does it need to be run by a root user. From the logical architecture, it is more reasonable than docker.
• In the docker operating system, multiple daemons are needed to call RunC, the implementation of OCI.
• In the link of container management, the implementation of Docker Engine is dockerd
• Daemon, it needs to run as root in linux, dockerd calls containerd, containerd calls containerd-shim, and then runC can be called. As the name suggests, the role of shim is "shim" to prevent the parent process from exiting and affecting the training of the container
• Podman directly calls OCI, runtime (runC), and uses common as a management tool for container processes, but does not require a daemon such as dockerd that runs as root.
• In the podman system, there is a daemon called common. Its running path is usually /usr/libexec/podman/conmon. It is the parent process of each container process. Each container has one. The common parent is usually It is process number 1. The common in podman is actually equivalent to the containerd-shim in the docker system.

The thing reflected in the figure is that podman does not require a daemon process, while dorker requires a daemon process . In this diagram, the containerd-shim of dorcker and the common of podman are grouped on the first level of Container.

What is the difference between the use of Podman and docker?

Podman's positioning is also compatible with docker, so use it as close as possible to docker. In terms of use, it can be divided into two aspects, one is the system builder's perspective, and the other is the user's perspective.

In terms of system builders, using podman's default software is not much different from docker, except in terms of process model and process relationship. If you are used to the debugging methods of docker's several associated processes, you need to adapt in podman. You can view the tree structure of the process through the pstree command. Overall, podman is simpler than docker. Since podman has a layer of daemon less than docker, the restart mechanism is also different.

On the user side, podman and docker commands are basically compatible, including container runtime (run/start/kill/ps/inspect), local mirror (images/rmi/build), mirror warehouse (login/pull/push), etc. several aspects. Therefore, podman's command-line tools are similar to docker, such as building images, starting and stopping containers, etc. It can even be replaced alias docker=podman Therefore, even if you use podman, you can still use docker.io as a mirror repository, which is also the most critical part of compatibility.

Common Podman commands

container

podman run           创建并启动容器
podman start       #启动容器
podman ps          #查看容器
podman stop        #终止容器
podman restart     #重启容器
podman attach      #进入容器
podman exec        #进入容器
podman export      #导出容器
podman import      #导入容器快照
podman rm          #删除容器
podman logs        #查看日志

Mirror image

podman search             #检索镜像
docke pull                #获取镜像
podman images             #列出镜像
podman image Is           #列出镜像
podman rmi                #删除镜像
podman image rm           #删除镜像
podman save               #导出镜像
podman load               #导入镜像
podmanfile                #定制镜像（三个）
    podman build              #构建镜像
    podman run              #运行镜像
    podmanfile              #常用指令（四个）
        COPY                    #复制文件
        ADD                     #高级复制
        CMD                     #容器启动命令
        ENV                     #环境变量
        EXPOSE                  #暴露端口

Deploy Podman

//安装podman
[root@localhost ~]# yum -y install podman

//仓库配置
[root@localhost ~]# vim /etc/containers/registries.conf
[registries.search]
registries = ['registry.access.redhat.com', 'registry.redhat.io', 'docker.io'] //这个是查找，从这三个地方查找，如果只留一个，则只在一个源里查找
unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "registry.centos.org", "docker.io"] //这里也要改为一个

[registries.insecure]
registries = [10.0.0.1]   //这里写那些http的仓库，比如harbor

//配置加速器
[registries.search]
registries = ['https://l9h8fu9j.mirror.aliyuncs.com','docker.io']

Use Podman

Using Podman is very simple, and most of the instructions of Podman are the same as those of Docker. Let's look at a few commonly used examples:

Run a container

[root@localhost ~]# podman run -d --name httpd docker.io/library/httpd
Trying to pull docker.io/library/httpd...
Getting image source signatures
Copying blob e5ae68f74026 done  
Copying blob d3576f2b6317 done  
Copying blob bc36ee1127ec done  
Copying blob f1aa5f54b226 done  
Copying blob aa379c0cedc2 done  
Copying config ea28e1b82f done  
Writing manifest to image destination
Storing signatures
0492e405b9ecb05e6e6be1fec0ac1a8b6ba3ff949df259b45146037b5f355035

//查看镜像
[root@localhost ~]# podman images
REPOSITORY                  TAG      IMAGE ID       CREATED       SIZE
docker.io/library/httpd     latest   ea28e1b82f31   11 days ago   148 MB

List running containers

[root@localhost ~]# podman ps
CONTAINER ID  IMAGE                             COMMAND           CREATED             STATUS                 PORTS  NAMES
0492e405b9ec  docker.io/library/httpd:latest    httpd-foreground  About a minute ago  Up About a minute ago         httpd

Note : If you add -a to the ps command, Podman will display all containers.

Check the running container

You can "check" the metadata of the running container and detailed information about itself. We can even use the inspect subcommand to view the IP address assigned to the container. Since the container is running in rootless mode, no IP address is assigned, and the value will be listed as "None" in the output of the inspection.

[root@localhost ~]# podman inspect -l | grep IPAddress\": 
            "SecondaryIPAddresses": null, 
            "IPAddress": "10.88.0.5",

[root@localhost ~]# curl 10.88.0.5
<html><body><h1>It works!</h1></body></html>

Note : -l is a convenience parameter for the latest container. You can also use the ID of the container instead of -l.

View the log of a running container

选项
    --latest        #最近的
    
[root@localhost ~]# podman logs --latest
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.88.0.5. Set the 'ServerName' directive globally to suppress this message
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.88.0.5. Set the 'ServerName' directive globally to suppress this message
[Mon Dec 13 15:17:53.690844 2021] [mpm_event:notice] [pid 1:tid 140665160166720] AH00489: Apache/2.4.51 (Unix) configured -- resuming normal operations
[Mon Dec 13 15:17:53.690946 2021] [core:notice] [pid 1:tid 140665160166720] AH00094: Command line: 'httpd -D FOREGROUND'
10.88.0.1 - - [13/Dec/2021:15:19:48 +0000] "GET / HTTP/1.1" 200 45
10.88.0.1 - - [13/Dec/2021:15:20:47 +0000] "GET / HTTP/1.1" 200 45

View process resource usage in a running container

You can use top to observe the nginx pid in the container

grammar:

    podman top <container_id>  

[root@localhost ~]# podman top httpd
USER       PID   PPID   %CPU    ELAPSED            TTY   TIME   COMMAND
root       1     0      0.000   15m38.599711321s   ?     0s     httpd -DFOREGROUND 
www-data   7     1      0.000   15m38.599783256s   ?     0s     httpd -DFOREGROUND 
www-data   8     1      0.000   15m38.599845342s   ?     0s     httpd -DFOREGROUND 
www-data   9     1      0.000   15m38.599880444s   ?     0s     httpd -DFOREGROUND 

Stop a running container

[root@localhost ~]# podman stop --latest
2f3edf712621d3a41e03fa8c7f6a5cdba56fbbad43a7a59ede26cc88f31006c4
[root@localhost ~]# podman ps
CONTAINER ID  IMAGE  COMMAND  CREATED  STATUS  PORTS  NAMES

Delete a container

[root@localhost ~]# podman rm --latest
2f3edf712621d3a41e03fa8c7f6a5cdba56fbbad43a7a59ede26cc88f31006c4
[root@localhost ~]# podman ps -a
CONTAINER ID  IMAGE  COMMAND  CREATED  STATUS  PORTS  NAMES

above features of 161c93349b83db are basically the same as Docker. In addition to being compatible with these features, Podman also supports some new features.

Upload image

For example, if we want to share our newly created Nginx container image on docker.io, it is easy. First log in to the dock:

[root@localhost nginx]# tree 
.
├── Dockerfile
└── files
    └── nginx-1.20.1.tar.gz

[root@localhost nginx]# cat Dockerfile 
FROM docker.io/library/centos

ENV PATH /usr/local/nginx/sbin:$PATH
ADD files/nginx-1.20.1.tar.gz /usr/src
RUN useradd -r -M -s /sbin/nologin nginx && \
    yum -y install pcre-devel openssl openssl-devel gd-devel gcc gcc-c++ make && \
    mkdir -p /var/log/nginx && \
    cd /usr/src/nginx-1.20.1 && \
    ./configure \
    --prefix=/usr/local/nginx \
    --user=nginx \
    --group=nginx \
    --with-debug \
    --with-http_ssl_module \
    --with-http_realip_module \
    --with-http_image_filter_module \
    --with-http_gunzip_module \
    --with-http_gzip_static_module \
    --with-http_stub_status_module \
    --http-log-path=/var/log/nginx/access.log \
    --error-log-path=/var/log/nginx/error.log && \
  make && make install

CMD ["nginx","-g","daemon off"]
[root@localhost nginx]# podman build -t nginx .

// 修改镜像名
 [root@localhost ~]# podman tag docker.io/library/nginx:latest docker.io/1314444/test:latest

// 登录并上传镜像
[root@localhost ~]# podman login docker.io // 需要告诉其要登录到docker仓库
[root@localhost ~]# podman login docker.io
Username: 1314444        #账户
Password: ********        #密码
Login Succeeded!

[root@localhost nginx]# podman push docker.io/1314444/test:latest  //上传镜像
Getting image source signatures
Copying blob 38c40d6c2c85 done
Copying blob fee76a531659 done
Copying blob c2adabaecedb done
Copying config 7f3589c0b8 done
Writing manifest to image destination
Copying config 7f3589c0b8 done
Writing manifest to image destination
Storing signatures


//请注意，我们将四层推送到我们的注册表，现在可供其他人共享。快速浏览一下：
[root@localhost ~]# podman inspect 1314444/test:nginx
//输出：
[
    {
        "Id": "7f3589c0b8849a9e1ff52ceb0fcea2390e2731db9d1a7358c2f5fad216a48263",
        "Digest": "sha256:7822b5ba4c2eaabdd0ff3812277cfafa8a25527d1e234be028ed381a43ad5498",
        "RepoTags": [
            "docker.io/1314444/test:nginx",
        ......

All in all, Podman makes it easy to find, run, build and share containers .

Configure alias

If you are used to using Docker commands, you can directly configure an alias for Podman to achieve seamless transfer. You only need to add the following line under .bashrc:

[root@localhost ~]# echo "alias docker=podman" >> .bashrc
source .bashrc
[root@localhost ~]# alias
alias cp='cp -i'
alias docker='podman'
.......

User action

Before allowing users without root privileges to run Podman, the administrator must install or build Podman and complete the following configuration.

The cgroup V2Linux kernel function allows users to limit the resources that ordinary user containers can use. If you use cgroupV2 to enable the Linux distribution running Podman, you may need to change the default OCI runtime. Some older versions of runc are not suitable for cgroupV2 and must be switched to the standby OCI runtime crun.

[root@localhost ~]# yum -y install crun     //centos8系统自带

[root@localhost ~]# vi /usr/share/containers/containers.conf 
    446 # Default OCI runtime
    447 # 
    448 runtime = "crun"      //取消注释并将runc改为crun

[root@localhost ~]# podman run -d --name web -p 80:80 docker.io/library/nginx
c8664d2e43c872e1e5219f82d41f63048ed3a5ed4fb6259c225a14d6c243677f

[root@localhost ~]# podman inspect web | grep crun
        "OCIRuntime": "crun",
            "crun",

Install slirp4netns and fuse-overlayfs

When using Podman in an ordinary user environment, it is recommended to use fuse-overlayfs instead of the VFS file system. At least version 0.7.6 is required. Now the new version is the default.

[root@localhost ~]# yum -y install slirp4netns

[root@localhost ~]# yum -y install fuse-overlayfs
[root@localhost ~]# vi /etc/containers/storage.conf
77 mount_program = "/usr/bin/fuse-overlayfs"     //取消注释

/etc/subuid and /etc/subgid configuration

Podman requires the user who runs it /etc/subuid and /etc/subgid files, and the shadow-utils or newuid package provides these files

[root@localhost ~]# yum -y install shadow-utils

It can be viewed in /etc/subuid and /etc/subgid, and the value of each user must be unique without any overlap.

[root@localhost ~]# useradd zz
[root@localhost ~]# cat /etc/subuid
zz:100000:65536
[root@localhost ~]# cat /etc/subgid
zz:100000:65536

// 启动非特权ping 
[root@localhost ~]# sysctl -w "net.ipv4.ping_group_range=0 200000" //大于100000这个就表示tom可以操作podman
net.ipv4.ping_group_range = 0 200000

The format of this file is USERNAME:UID:RANGE

• The user name listed in /etc/passwd or getpwent in the output.
• The initial UID assigned to the user.
• The size of the UID range allocated to the user.

The usermod program can be used to assign UID and GID to users instead of directly updating files.

[root@localhost ~]# usermod --add-subuids 200000-201000 --add-subgids 200000-201000 hh
grep hh /etc/subuid /etc/subgid
/etc/subuid:hh:200000:1001
/etc/subgid:hh:200000:1001

User profile

The three main configuration files are container.conf、storage.conf and registries.conf . Users can modify these files as needed.

• container.conf

  // 用户配置文件
  [root@localhost ~]# cat /usr/share/containers/containers.conf
  [root@localhost ~]# cat /etc/containers/containers.conf
  [root@localhost ~]# cat ~/.config/containers/containers.conf  //优先级最高

  If they exist in that order. Each file can overwrite the previous file for a specific field.

• Configure storage.conf file

  1./etc/containers/storage.conf
  2.$HOME/.config/containers/storage.conf

  Some fields of /etc/containers/storage.conf will be ignored in ordinary users

  [root@localhost ~]#  vi /etc/containers/storage.conf
  [storage]
  
  # Default Storage Driver, Must be set for proper operation.
  driver = "overlay"        #此处改为overlay
  .......
  mount_program = "/usr/bin/fuse-overlayfs"        #取消注释
  
  [root@localhost ~]# sysctl user.max_user_namespaces=15000  #如果版本为8以下，则需要做以下操作：

  In ordinary users, these fields default

  graphroot="$HOME/.local/share/containers/storage"
  runroot="$XDG_RUNTIME_DIR/containers"

• registries.conf

The configuration is read in this order. These files are not created by default. You can copy the file /etc/containers from /usr/share/containers and modify it.

1./etc/containers/registries.conf
2./etc/containers/registries.d/*
3.HOME/.config/containers/registries.conf

Authorization file

The password of the docker account is written in this file, which is displayed in an encrypted manner

[root@localhost ~]# podman login
Username: 1314444
Password: 
Login Succeeded!
[root@localhost ~]# cat /run/user/0/containers/auth.json 
{
        "auths": {
                "registry.fedoraproject.org": {
                        "auth": "MTMxNDQ0NDpIMjAxNy0xOA=="
                }
        }
}

Ordinary users cannot see the mirror of the root user

//root用户
[root@localhost ~]# podman images
REPOSITORY                  TAG      IMAGE ID       CREATED       SIZE
docker.io/library/httpd     latest   ea28e1b82f31   11 days ago   146 MB

//普通用户
[root@localhost ~]# su - zz
[zz@localhost ~]$ podman images
REPOSITORY  TAG         IMAGE ID    CREATED     SIZE

roll

• The container runs with the root user, and the users in the root container are actually users on the host.
• UID GID is the first UID GID specified in the user mapping in /etc/subuid and /etc/subgid.
• If you mount the identity of a normal user into the container from the host directory and create a file in that directory as the root user, you will see that it is actually owned by your user on the host.

Use volume

[root@localhost ~]# su - zz
[zz@localhost ~]$ pwd
/home/zz
[zz@localhost ~]$ mkdir /home/zz/data

[zz@localhost ~]$ podman run -it -v "$(pwd)"/data:/data docker.io/library/busybox /bin/sh
Trying to pull docker.io/library/busybox:latest...
Getting image source signatures
Copying blob 3cb635b06aa2 done  
Copying config ffe9d497c3 done  
Writing manifest to image destination
Storing signatures
/ # ls
bin   data  dev   etc   home  proc  root  run   sys   tmp   usr   var
/ # cd data/
/data # ls
/data # touch 123
/data # ls -l
total 0
-rw-r--r--    1 root     root             0 Dec 13 00:17 123

View on the host

[zz@localhost ~]$ ll data/
总用量 0
-rw-r--r-- 1 zz zz 0 12月 13 00:17 123

//写入文件
[zz@localhost ~]$ echo "hell world" >> 123
[zz@localhost ~]$ cat 123
hell world

View in container

/data # cat 123
hell world

//我们可以发现在容器里面的文件的属主和属组都属于root，那么如何才能让其属于tom用户呢？下面告诉你答案
/data # ls -l
total 4
-rw-rw-r--    1 root     root            12 Dec 13 00:20 123

//只要在运行容器的时候加上一个--userns=keep-id即可。
[zz@localhost ~]$ podman run -it --name test -v "$(pwd)"/data:/data --userns=keep-id docker.io/library/busybox /bin/sh
~ $ cd data/
/data $ ls -l
total 4
-rw-r--r--    1 zz       zz              11 Dec 13 00:21 123

"Permission denied" error will be reported when using normal user to map container port

[zz@localhost ~]$ podman run  -d -p 80:80 httpd
Error: rootlessport cannot expose privileged port 80, you can add 'net.ipv4.ip_unprivileged_port_start=80' to /etc/sysctl.conf (currently 1024), or choose a larger port number (>= 1024): listen tcp 0.0.0.0:80: bind: permission denied

Ordinary users can map ports >= 1024

[zz@localhost ~]$ podman run  -d -p 1024:80 httpd
58613a6bdc70d4d4f9f624583f795a62a610596d166f0873bdff8fb26aa15092
[zz@localhost ~]$ ss -anlt
State       Recv-Q      Send-Q           Local Address:Port           Peer Address:Port      Process      
LISTEN      0           128                    0.0.0.0:22                  0.0.0.0:*                      
LISTEN      0           128                          *:1024                      *:*                      
LISTEN      0           128                       [::]:22                     [::]:* 

After configuring echo ‘net.ipv4.ip_unprivileged_port_start=80’ >> /etc/sysctl.conf , you can map ports greater than or equal to 80

[root@localhost ~]# echo  'net.ipv4.ip_unprivileged_port_start=80'  >> /etc/sysctl.conf
[root@localhost ~]# sysctl -p
net.ipv4.ip_unprivileged_port_start = 80

[zz@localhost ~]$ podman run -d -p 80:80 httpd
1215455a0c300d78e7bf6afaefc9873f818c6b0f26affeee4e2bc17954e72d8e
[zz@localhost ~]$ ss -anlt
State       Recv-Q      Send-Q           Local Address:Port           Peer Address:Port      Process      
LISTEN      0           128                    0.0.0.0:22                  0.0.0.0:*                      
LISTEN      0           128                          *:1024                      *:*                      
LISTEN      0           128                          *:80                        *:*                      
LISTEN      0           128                       [::]:22                     [::]:*  

Link: https://blog.csdn.net/qq_48289488/article/details/121905018