podman [1] getting started guide

What is podman

Podman is an open source, daemonless, Linux-native tool for finding, running, building, sharing and deploying applications as Open Container Initiative (OCI) containers and container images. It provides a command line interface (CLI) that will be familiar to anyone who has used the Docker container engine; most users can simply alias docker to podman (alias docker=podman) without trouble. The difference is that Podman has no daemon. With Docker, the docker CLI tells the Docker Engine "I want to start a container" over the engine's REST API (normally through the /var/run/docker.sock Unix socket), and the engine then starts the container through an OCI container runtime (runc by default). The container's process is therefore a child of the Docker Engine, not of the CLI that asked for it. Like the other common container engines (Docker, CRI-O, containerd), Podman relies on an OCI-compliant container runtime (runc, crun, runv, etc.) to interact with the operating system and create the running container, so a container started by Podman is almost indistinguishable from one created by any other common engine.

Podman's design is simpler and more direct. Instead of going through a daemon, it invokes the OCI runtime (runc by default) itself, so the container process is a child of the podman process. This is the classic Linux fork/exec model, whereas Docker uses a client/server (C/S) model. Compared with the C/S model, the fork/exec model has several advantages:

  • The system administrator can tell which user started a container process, because the container is a child of that user's own podman process rather than of a root-owned daemon.
  • If the podman process is placed in a cgroup, every container it creates is restricted by that cgroup as well.
  • SD_NOTIFY: when the podman command is placed in a systemd unit file, the container process can send a readiness notification back through podman, telling systemd that the service is ready to accept work.
  • Socket activation: sockets opened by systemd can be handed to podman and on to the container process for use.
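The SD_NOTIFY point above in practice, as an added example that is not part of the original post or of the Podman project: a systemd unit that runs a container through podman in the foreground. It assumes a Podman release with the --sdnotify option (2.0 or newer, so not the CentOS 7 package installed further down), the image docker.io/library/nginx:alpine, the container name web and port 8080 on localhost; adjust those to taste.

```ini
[Unit]
Description=web container run by podman
Wants=network-online.target
After=network-online.target

[Service]
# podman stays in the foreground as the unit's main process. With
# --sdnotify=conmon, conmon (a child of podman, hence NotifyAccess=all)
# sends READY=1 once the container is running, so units ordered after this
# one start only when the container is actually up.
Type=notify
NotifyAccess=all
# Remove any stale container of the same name from a previous crash.
ExecStartPre=-/usr/bin/podman rm -f web
# --rm so a stopped container never blocks the next start; the image is
# named fully qualified so registries.conf search order plays no part.
ExecStart=/usr/bin/podman run --rm --name web --sdnotify=conmon \
    -p 127.0.0.1:8080:80 docker.io/library/nginx:alpine
ExecStop=/usr/bin/podman stop -t 10 web
Restart=on-failure
TimeoutStartSec=90

[Install]
WantedBy=multi-user.target
```

Because podman is the unit's main process and the container is its child, systemctl stop, journalctl -u and the unit's cgroup limits all apply to the container directly; this is the fork/exec advantage the list describes. For an existing container, podman generate systemd --new --name web writes a unit of the same shape.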

Containers under Podman's control can be run by root or by unprivileged users. Podman uses the libpod library to manage the whole container ecosystem: pods, containers, container images and container volumes.

There is a RESTful API for managing containers, and a remote Podman client that talks to that RESTful service. Clients are supported on Linux, Mac and Windows; the RESTful service itself is only supported on Linux.

If you are completely new to containers, start with the brief introduction. Users coming from Docker should work through the tutorial. Advanced users and contributors will find detailed information on the Podman CLI commands page. Finally, developers who want to interact with the Podman API should see the API reference documentation.

Install

My machine runs CentOS Linux 7:

yum -y install podman

Configuration

Files included in the podman package

$ rpm -ql podman | grep -v '/usr/share/man/'  # leave out the man pages
/etc/cni/net.d/87-podman-bridge.conflist
/usr/bin/podman
/usr/lib/.build-id
/usr/lib/.build-id/37
/usr/lib/.build-id/37/e7f04d352e5dbde603e9701baedb0b1be6bc37
/usr/lib/.build-id/9a
/usr/lib/.build-id/9a/2b43332ca5756f9e2a086bae9b953009ef5a37
/usr/lib/systemd/system/io.podman.service
/usr/lib/systemd/system/io.podman.socket
/usr/lib/tmpfiles.d/podman.conf
/usr/libexec/podman/conmon
/usr/share/bash-completion/completions/podman
/usr/share/containers/libpod.conf
/usr/share/licenses/podman
/usr/share/licenses/podman/LICENSE

/etc/cni

Only one configuration file is present under /etc/cni/net.d; it defines the default bridge network (cni-podman0 on 10.88.0.0/16, with masquerading, port mapping and the firewall plugin):

$ cat /etc/cni/net.d/87-podman-bridge.conflist
{
    "cniVersion": "0.4.0",
    "name": "podman",
    "plugins": [
	{
            "type": "bridge",
            "bridge": "cni-podman0",
            "isGateway": true,
            "ipMasq": true,
            "ipam": {
		"type": "host-local",
		"routes": [
		    {
			"dst": "0.0.0.0/0"
		    }
		],
		"ranges": [
		    [
			{
			    "subnet": "10.88.0.0/16",
			    "gateway": "10.88.0.1"
			}
		    ]
		]
            }
	},
	{
            "type": "portmap",
            "capabilities": {
		"portMappings": true
            }
	},
	{
            "type": "firewall"
	}
    ]
}

registries.conf

/etc/containers/registries.conf holds the registry-related configuration. The registries.search list is the order in which an unqualified image name is tried, so podman pull nginx asks registry.access.redhat.com and registry.redhat.io before falling through to docker.io; pull by fully qualified name (docker.io/library/nginx) so a short name cannot resolve to an unexpected image. Registries under registries.insecure are contacted without TLS verification, and registries.block lists registries that may not be used at all:

$ cat /etc/containers/registries.conf   |grep -v '#' |grep -v ^$
[registries.search]
registries = ['registry.access.redhat.com', 'registry.redhat.io', 'docker.io']
[registries.insecure]
registries = []
[registries.block]
registries = []

mounts.conf

/usr/share/containers/mounts.conf lists host paths that are bind-mounted into every container automatically when podman run or podman build executes. These mounts exist only while the container runs; they are not committed to the container image. The single default entry exposes /usr/share/rhel/secrets (used on RHEL for subscription and entitlement data) inside the container as /run/secrets:

$ cat /usr/share/containers/mounts.conf 
/usr/share/rhel/secrets:/run/secrets

seccomp.json

/usr/share/containers/seccomp.json is the default seccomp profile applied to containers. Seccomp (secure computing mode) is a kernel mechanism for restricting which system calls a process may make. Normally a program can use any syscall; to reduce the attack surface, a profile spells out the calls that are allowed. This profile is an allow-list: defaultAction SCMP_ACT_ERRNO makes every syscall not matched by a rule fail with an error, and the archMap section names, for each architecture, the sub-architectures whose syscall tables are filtered as well. A different profile can be applied with podman run --security-opt seccomp=/path/to/profile.json; --security-opt seccomp=unconfined disables filtering entirely and should stay a debugging aid.

$ cat /usr/share/containers/seccomp.json
{
	"defaultAction": "SCMP_ACT_ERRNO",
	"archMap": [
		{
			"architecture": "SCMP_ARCH_X86_64",
			"subArchitectures": [
				"SCMP_ARCH_X86",
				"SCMP_ARCH_X32"
			]
		},
		{
			"architecture": "SCMP_ARCH_AARCH64",
			"subArchitectures": [
				"SCMP_ARCH_ARM"
			]
		},
		{
			"architecture": "SCMP_ARCH_MIPS64",
			"subArchitectures": [
				"SCMP_ARCH_MIPS",
				"SCMP_ARCH_MIPS64N32"
			]
		},

·······················

policy.json

/etc/containers/policy.json is the image signature verification policy consulted when images are pulled or pushed. The stock policy below accepts anything: the default rule insecureAcceptAnything skips signature checks entirely, and the docker-daemon transport is handled the same way. On production hosts, change the default to reject and add signedBy rules (with each registry's GPG key) for the registries you actually trust:

$ cat /etc/containers/policy.json     
{
    "default": [
        {
            "type": "insecureAcceptAnything"
        }
    ],
    "transports":
        {
            "docker-daemon":
                {
                    "": [{"type":"insecureAcceptAnything"}]
                }
        }
}
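The three trust-related files above (registries.conf, seccomp.json and policy.json) are easy to leave at their permissive defaults. As an added example that is not part of the original post or of the Podman project, the script below audits the structures behind them: it parses the v1 registries.conf format shown above, flags insecureAcceptAnything rules in a policy, checks a seccomp profile for deny-by-default and for risky syscalls allowed without a capability gate, and shows a hardened policy beside the stock one. The sample content is constructed inline so the script runs without podman installed; HARDENED_POLICY, the key path, SECCOMP_PROFILE and RISKY_SYSCALLS are illustrative assumptions, not Podman defaults.

```python
"""Audit Podman trust configuration (policy.json, registries.conf v1, seccomp.json).

Added example for this post, not code from the page or the Podman project.
All sample inputs below are constructed; the hardened policy, key path and
risky-syscall set are illustrative assumptions.
"""
import ast
import json

# Stock policy.json from the post: every transport accepts unsigned images.
WEAK_POLICY = json.loads("""
{
    "default": [{"type": "insecureAcceptAnything"}],
    "transports": {"docker-daemon": {"": [{"type": "insecureAcceptAnything"}]}}
}
""")

# Hardened policy (assumption): reject by default, require a GPG signature
# for one registry, and trust only images already in local storage.
HARDENED_POLICY = {
    "default": [{"type": "reject"}],
    "transports": {
        "docker": {"registry.access.redhat.com": [{
            "type": "signedBy", "keyType": "GPGKeys",
            "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"}]},
        "containers-storage": {"": [{"type": "insecureAcceptAnything"}]},
    },
}

# Constructed copy of the v1-format registries.conf shown in the post.
REGISTRIES_CONF = """
[registries.search]
registries = ['registry.access.redhat.com', 'registry.redhat.io', 'docker.io']
[registries.insecure]
registries = []
[registries.block]
registries = []
"""

# Small constructed profile in the same schema as seccomp.json.
SECCOMP_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"},
        {"names": ["mount", "umount2"], "action": "SCMP_ACT_ALLOW",
         "includes": {"caps": ["CAP_SYS_ADMIN"]}},   # gated behind a capability
        {"names": ["reboot"], "action": "SCMP_ACT_ALLOW"},  # deliberately weak
    ],
}

DENY_ACTIONS = {"SCMP_ACT_ERRNO", "SCMP_ACT_KILL", "SCMP_ACT_KILL_PROCESS",
                "SCMP_ACT_KILL_THREAD", "SCMP_ACT_TRAP"}
# Syscalls an ordinary container should not reach without a capability gate
# (illustrative set, not a complete list).
RISKY_SYSCALLS = {"mount", "umount2", "reboot", "kexec_load", "init_module",
                  "finit_module", "ptrace"}


def parse_registries_v1(text):
    """Parse [section] / key = [...] lines of a v1 registries.conf into a dict."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            conf.setdefault(section, {})[key] = ast.literal_eval(value)
    return conf


def audit_policy(policy):
    """Report every rule that accepts images without a signature check."""
    findings = []
    if any(r.get("type") == "insecureAcceptAnything" for r in policy.get("default", [])):
        findings.append("default: insecureAcceptAnything (no signature check)")
    for transport, scopes in policy.get("transports", {}).items():
        if transport == "containers-storage":
            continue                                   # local images; trusting them is normal
        for scope, rules in scopes.items():
            if any(r.get("type") == "insecureAcceptAnything" for r in rules):
                findings.append(f"{transport}:{scope or '*'}: insecureAcceptAnything")
    return findings


def audit_registries(conf):
    """Flag unqualified-name fallthrough to docker.io and TLS-less registries."""
    findings = []
    if "docker.io" in conf.get("registries.search", {}).get("registries", []):
        findings.append("unqualified search falls through to docker.io")
    insecure = conf.get("registries.insecure", {}).get("registries", [])
    if insecure:
        findings.append("registries used without TLS verification: " + ", ".join(insecure))
    return findings


def audit_seccomp(profile):
    """Check deny-by-default and look for risky syscalls allowed unconditionally."""
    findings = []
    if profile.get("defaultAction") not in DENY_ACTIONS:
        findings.append(f"defaultAction {profile.get('defaultAction')} is not deny-by-default")
    for rule in profile.get("syscalls", []):
        if rule.get("action") != "SCMP_ACT_ALLOW" or rule.get("includes", {}).get("caps"):
            continue                                   # not an allow, or capability-gated
        for name in sorted(RISKY_SYSCALLS & set(rule.get("names", []))):
            findings.append(f"{name} allowed unconditionally")
    return findings


if __name__ == "__main__":
    for label, policy in (("stock", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{label} policy.json: {audit_policy(policy) or 'ok'}")
    print("registries.conf:", audit_registries(parse_registries_v1(REGISTRIES_CONF)) or "ok")
    print("seccomp.json:", audit_seccomp(SECCOMP_PROFILE) or "ok")
```

To run it against a real host, replace the constructed samples with json.load on /etc/containers/policy.json and /usr/share/containers/seccomp.json and the text of /etc/containers/registries.conf (the parser only understands the v1 [registries.*] layout used on this CentOS 7 install, not the newer v2 TOML tables). The containers-storage exemption is deliberate: images already in local storage were verified when they were pulled, and refusing to trust them would break podman build.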

Tags: Docker Kubernetes Cloud Native Podman

Posted on Mon, 29 Nov 2021 06:09:53 -0500 by wmolina