网络设置
首先定义一个别名,让docker命令等同于podman
[root@localhost ~]# alias docker=podman
[root@localhost ~]# alias
alias cp='cp -i'
alias docker='podman'
alias egrep='egrep --color=auto'
alias fgrep='fgrep --color=auto'
alias grep='grep --color=auto'
alias l.='ls -d .* --color=auto'
alias ll='ls -l --color=auto'
alias ls='ls --color=auto'
alias mv='mv -i'
操作两个容器
[root@localhost ~]# podman run -it docker.io/library/busybox /bin/sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0@if6: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
    link/ether 26:58:16:91:12:ec brd ff:ff:ff:ff:ff:ff
    inet 10.88.0.4/16 brd 10.88.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::2458:16ff:fe91:12ec/64 scope link
       valid_lft forever preferred_lft forever
[root@localhost ~]# podman run -it docker.io/library/busybox /bin/sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
    link/ether 0e:7d:ed:07:a5:f5 brd ff:ff:ff:ff:ff:ff
    inet 10.88.0.5/16 brd 10.88.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::c7d:edff:fe07:a5f5/64 scope link
       valid_lft forever preferred_lft forever
ping能ping通
/ # ping 10.88.0.4
PING 10.88.0.4 (10.88.0.4): 56 data bytes
64 bytes from 10.88.0.4: seq=0 ttl=64 time=0.282 ms
64 bytes from 10.88.0.4: seq=1 ttl=64 time=0.111 ms
64 bytes from 10.88.0.4: seq=2 ttl=64 time=0.292 ms
64 bytes from 10.88.0.4: seq=3 ttl=64 time=0.112 ms
cni:Container Network Interface(容器网络接口)
容器启动时会生成网卡,容器退出后网卡也会没有,但cni网卡依然存在
退出一个后查看
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:19:97:fc brd ff:ff:ff:ff:ff:ff
    inet 192.168.230.131/24 brd 192.168.230.255 scope global dynamic noprefixroute ens33
       valid_lft 1392sec preferred_lft 1392sec
    inet6 fe80::79e:97ea:8434:8f2d/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: cni-podman0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 82:f8:1b:6e:15:5e brd ff:ff:ff:ff:ff:ff
    inet 10.88.0.1/16 brd 10.88.255.255 scope global cni-podman0
       valid_lft forever preferred_lft forever
    inet6 fe80::80f8:1bff:fe6e:155e/64 scope link
       valid_lft forever preferred_lft forever
5: vethb8e774f4@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master cni-podman0 state UP group default
    link/ether 1a:c3:3e:38:2c:fc brd ff:ff:ff:ff:ff:ff link-netns cni-952943fc-dcd0-8b58-7455-923a5632fb71
    inet6 fe80::18c3:3eff:fe38:2cfc/64 scope link
       valid_lft forever preferred_lft forever
6: vethfe2c3172@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master cni-podman0 state UP group default
    link/ether 1a:c6:db:d2:54:cc brd ff:ff:ff:ff:ff:ff link-netns cni-1eafc5f1-5fd1-2c0f-0f41-56bce1e42b59
    inet6 fe80::18c6:dbff:fed2:54cc/64 scope link
       valid_lft forever preferred_lft forever
退出两个容器后查看
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:19:97:fc brd ff:ff:ff:ff:ff:ff
    inet 192.168.230.131/24 brd 192.168.230.255 scope global dynamic noprefixroute ens33
       valid_lft 1364sec preferred_lft 1364sec
    inet6 fe80::79e:97ea:8434:8f2d/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: cni-podman0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 82:f8:1b:6e:15:5e brd ff:ff:ff:ff:ff:ff
    inet 10.88.0.1/16 brd 10.88.255.255 scope global cni-podman0
       valid_lft forever preferred_lft forever
    inet6 fe80::80f8:1bff:fe6e:155e/64 scope link
       valid_lft forever preferred_lft forever
5: vethb8e774f4@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master cni-podman0 state UP group default
    link/ether 1a:c3:3e:38:2c:fc brd ff:ff:ff:ff:ff:ff link-netns cni-952943fc-dcd0-8b58-7455-923a5632fb71
    inet6 fe80::18c3:3eff:fe38:2cfc/64 scope link
       valid_lft forever preferred_lft forever
podman防火墙规则
查看防火墙规则,现在没有规则
[root@localhost ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
运行一个容器,映射80端口
[root@localhost ~]# podman run -d -p 80:80 --name web docker.io/library/httpd
a025fd306b83c2f9119b1b61be5982cad60840482183f4284168354256cb46aa
查看端口映射
[root@localhost ~]# podman port web
80/tcp -> 0.0.0.0:80
查看防火墙规则
[root@localhost ~]# iptables -t nat -nvL
Chain CNI-807cc9c30b332fae8a5f041a (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 10.88.0.0/16 /* name: "podman" id: "7fa2fc2390f81018f72606bfd586cc776b091aeedf0a40f816e39a88248e81a0" */
查看IP能访问
[root@localhost ~]# podman inspect -l|grep -i address
"IPAddress": "10.88.0.4",
"GlobalIPv6Address": "",
"MacAddress": "76:45:02:92:6b:83",
"LinkLocalIPv6Address": "",
"IPAddress": "10.88.0.4",
"GlobalIPv6Address": "",
"MacAddress": "76:45:02:92:6b:83",
[root@localhost ~]# curl 10.88.0.4
<html><body><h1>It works!</h1></body></html>
清空防火墙规则(注意:iptables --flush 会清掉 filter 表所有链的规则,-t nat -F 会清掉整个 nat 表,不只是 podman/CNI 生成的那几条,主机上其他服务的规则也会一并丢失)
[root@localhost ~]# iptables --flush #刷新
[root@localhost ~]# iptables -t nat -F #指定表清空
[root@localhost ~]# iptables -t nat -nvL #规则已被清空
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
规则删除后发现访问不了
[root@localhost ~]# curl 10.88.0.4
curl: (7) Failed to connect to 10.88.0.4 port 80: 没有到主机的路由
//使用podman network reload 命令重新加载,规则存在
[root@localhost ~]# podman network reload web
7fa2fc2390f81018f72606bfd586cc776b091aeedf0a40f816e39a88248e81a0
[root@localhost ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 CNI-HOSTPORT-DNAT all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
配置文件
podman的桥配置文件,容器里面的IP可通过这个控制
[root@localhost ~]# cat /etc/cni/net.d/87-podman.conflist
{
"cniVersion": "0.4.0",
"name": "podman",
"plugins": [
{
"type": "bridge", #模式
"bridge": "cni-podman0", #桥的名字
"isGateway": true, #是不是网关
"ipMasq": true,
"hairpinMode": true,
"ipam": {
"type": "host-local",
"routes": [{
"dst": "0.0.0.0/0" }],
"ranges": [
[
{
"subnet": "10.88.0.0/16",
"gateway": "10.88.0.1"
}
]
]
}
},
{
"type": "portmap", #端口映射
"capabilities": {
"portMappings": true
}
},
{
"type": "firewall"
},
{
"type": "tuning"
}
]
}
查看子命令的用法
查看attach这个子命令的用法
[root@localhost ~]# man podman-attach
EXAMPLES
Attach to a container called "foobar".
$ podman attach foobar
Attach to the latest created container.
$ podman attach --latest
Attach to a container that start with the ID "1234".
$ podman attach 1234
Attach to a container without attaching STDIN.
$ podman attach --no-stdin foobar
SEE ALSO
podman(1), podman-exec(1), podman-run(1),
containers.conf(5)
~
~
/EXAMPLE #可在下面搜索例子
基础命令
指定镜像做的历史
[root@localhost ~]# podman history docker.io/library/busybox
ID CREATED CREATED BY SIZE COMMENT
ffe9d497c324 6 days ago /bin/sh -c #(nop) CMD ["sh"] 0 B
<missing> 6 days ago /bin/sh -c #(nop) ADD file:e2d2d9591696b14... 1.46 MB
使用image管理镜像,使用images看镜像
[root@localhost ~]# podman image --help
Manage images
Description:
Manage images
Usage:
podman image [command]
Available Commands:
build Build an image using instructions from Containerfiles
diff Inspect changes to the image's file systems
exists Check if an image exists in local storage
history Show history of a specified image
import Import a tarball to create a filesystem image
inspect Display the configuration of an image
list List images in local storage
load Load image(s) from a tar archive
mount Mount an image's root filesystem
prune Remove unused images
pull Pull an image from a registry
push Push an image to a specified destination
rm Removes one or more images from local storage
save Save image(s) to an archive
scp securely copy images
search Search registry for image
sign Sign an image
tag Add an additional name to a local image
tree Prints layer hierarchy of an image in a tree format
trust Manage container image trust policy
unmount Unmount an image's root filesystem
untag Remove a name from a local image
查看镜像有几层
[root@localhost ~]# podman image tree docker.io/1163582076/nginx
Image ID: 499e5864a512
Tags: [docker.io/library/nginx:latest docker.io/1163582076/nginx:latest]
Size: 565.5MB
Image Layers
├── ID: 74ddd0ec08fa Size: 238.6MB Top Layer of: [docker.io/library/centos:latest]
├── ID: 3b740b0b2497 Size: 6.723MB
└── ID: c774a42000a1 Size: 320.2MB Top Layer of: [docker.io/library/nginx:latest docker.io/1163582076/nginx:latest]
查看详细信息
[root@localhost ~]# podman info
host:
arch: amd64
buildahVersion: 1.23.1
cgroupControllers:
- cpuset
- cpu
- cpuacct
- blkio
- memory
- devices
- freezer
- net_cls
- perf_event
- net_prio
- hugetlb
- pids
- rdma
cgroupManager: systemd
cgroupVersion: v1
conmon:
package: conmon-2.0.30-1.module_el8.6.0+944+d413f95e.x86_64
path: /usr/bin/conmon
version: 'conmon version 2.0.30, commit: e28f6ed9f4a6f18e27f3efdab92de483806e6b9c'
podman容器的开机自启:
实例:
[root@localhost ~]# podman create --name nginx nginx:latest
84820a649b74774dc429bd80a5d00b196704a632b6bf7aaa961a293b51b62799
[root@localhost ~]# podman ps -a
CONTAINER ID  IMAGE                           COMMAND               CREATED        STATUS   PORTS  NAMES
84820a649b74  docker.io/library/nginx:latest  nginx -g daemon o...  8 seconds ago  Created         nginx
方法一:
设置了一个开机自启,如果1秒都没起来就超时了(只是生成)
[root@localhost ~]# podman generate systemd --restart-policy=always -t 1 nginx
# container-84820a649b74774dc429bd80a5d00b196704a632b6bf7aaa961a293b51b62799.service
# autogenerated by Podman 3.4.1-dev
# Tue Dec 14 18:43:15 CST 2021

[Unit]
Description=Podman container-84820a649b74774dc429bd80a5d00b196704a632b6bf7aaa961a293b51b62799.service
Documentation=man:podman-generate-systemd(1)
Wants=network-online.target
After=network-online.target
RequiresMountsFor=/run/containers/storage

[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=always
TimeoutStopSec