2025-02-28 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
This article introduces how to use podman container technology. Many people have questions about using podman in day-to-day operation, so the editor consulted a range of materials and put together simple, easy-to-use methods. I hope it helps answer those questions. Let's get started!
1. What is podman and OCI
Podman is a daemonless, open source, native container tool built on the Open Containers Initiative (OCI) organization's specifications, making it easy to find, run, build, share, and deploy applications as container images.
Any discussion of podman has to mention OCI, and the story of this organization is an interesting one. The emergence and rapid popularity of Docker container technology brought revolutionary change to the traditional field of continuous integration and continuous release. At that point the big players (Google, Redhat, Microsoft, IBM, Intel, Cisco) became a little restless, and after getting together over tea they decided to form a new organization: OCI. The organization was clearly set up to prevent container technology from being monopolized by Docker alone. Docker, although reluctant, had no good alternative and joined the organization as well; after all, the arm cannot out-twist the thigh. There were several other reasons too:
The container concept and design of Docker are novel, but the underlying implementation is not sophisticated technology and is easy to imitate.
Docker cannot be promoted and adopted without the support of the big players.
Docker itself still has several inherent weaknesses, which make it easy for others to catch up with and overtake it.
Some people say that podman is an auxiliary tool that helps docker run, build and share containers. That is not true. Podman is developed as an independent container technology, and its runtime environment does not depend on docker.
2. What are the inherent weaknesses of docker?
Weakness 1: docker has a process called dockerd, which takes up more CPU resources. A single dockerd daemon is also a potential single point of failure: if the daemon dies, the containers cannot provide services properly.
Weakness 2: the docker daemon runs as the root user, which poses a great challenge to the security of the operating system and the containers.
Podman, by contrast, does not need a daemon running as root, and Podman containers run with the same privileges as the linux user who started them, which solves a major security problem. Podman is a daemonless container engine: it does not need a daemon to start and manage containers. This is one of the most important differences between the two open source projects, and it is the core reason why the author is optimistic that podman will replace docker as the mainstream container technology in the future.
3. Transition from docker to podman is very easy
If you have used the docker command-line interface, podman is almost identical. You just need to replace docker with podman; the order and meaning of the parameters are the same. For example:
Just change docker pull nginx to podman pull nginx.
If you don't want to modify your existing scripts to replace the docker command with podman, you can instead define the command alias alias docker=podman, so that docker scripts migrate seamlessly to the podman environment.
In addition, the container image format is also fully compatible between Docker and Podman. Therefore, existing images, whether they are official docker images or docker images we have built in the past, can be used in podman environment.
4. Get started with podman
4.1. Installation
Let's keep it simple. On the CentOS operating system, you can install podman directly with the yum command. To be clear, this is a freshly installed minimal CentOS7 virtual machine that does not include docker and has never had it installed.
yum -y install podman # install as the root user
View version
# podman version
Version: 1.6.4
RemoteAPI Version: 1
Go Version: go1.12.12
OS/Arch: linux/amd64
Create a new podman user, and then use that user to run the container.
adduser podman # as root, create the new podman user
4.2. Special handling required in the CentOS7 environment
For the security reasons mentioned above, we do not use the root user to manipulate images and containers, so some of the following configuration is needed.
If you use CentOS7, you need the special handling described below. Other operating systems may require different steps, but they are broadly similar.
If you use the root user to run the image container, you don't need to do this special processing, you can just use the
CentOS7 disables user namespaces by default; turn them on:
echo 10000 > /proc/sys/user/max_user_namespaces;
grubby --args="user_namespace.enable=1" --update-kernel="$(grubby --default-kernel)";
echo "user.max_user_namespaces=10000" >> /etc/sysctl.conf; # append, so existing sysctl settings are kept
4.3. Configure non-root user id and group id range
Try to pull the nginx image under the environment of the new user podman in the linux host operating system.
su - podman # switch to the podman user to pull the image
podman pull docker.io/library/nginx
If you have the following error message
Or the following error message
Error processing tar file (exit status 1): there might not be enough IDs available in the namespace
Please exit the podman user and switch back to the root user (exit command), then execute the following commands. Here podman is the non-root user that runs the container.
echo "podman:100000:65536" >> /etc/subuid
echo "podman:100000:65536" >> /etc/subgid
The purpose of this configuration is to set the mapping between the uid and gid values of the operating system inside a container and those of the host operating system. As shown above, host ids 100000-165535 (100000 + 65535) are mapped to users 0-65535 in the container. After configuration, execute the following command:
podman system migrate
According to the official explanation, the above command makes the configuration take effect. For some reason, however, when the author executed the command the configuration did not take effect; it only took effect after rebooting the operating system.
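As an added example (not from the original article), the shell functions below audit an /etc/subuid- or /etc/subgid-style file for three conditions that matter after the edit above: a missing entry, a range smaller than 65536 IDs, and a range that overlaps another user's, which would give two users' containers the same host IDs. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): audit an /etc/subuid- or
# /etc/subgid-style file. Function names and sample entries are constructed.

# subid_range USER FILE -> prints "first last count" for USER's first entry;
# returns 1 when USER has no entry at all.
subid_range() {
    awk -F: -v u="$1" '
        $1 == u { print $2 + 0, $2 + $3 - 1, $3 + 0; found = 1; exit }
        END     { exit !found }' "$2"
}

# subid_overlaps FILE -> prints "nameA nameB" for every pair of entries whose
# host ID ranges intersect (this also catches a line appended twice).
subid_overlaps() {
    awk -F: 'NF == 3 {
        first = $2 + 0; last = $2 + $3 - 1
        for (i = 1; i <= n; i++)
            if (first <= e[i] && s[i] <= last) print name[i], $1
        n++; name[n] = $1; s[n] = first; e[n] = last
    }' "$1"
}

# subid_check USER FILE [MIN] -> prints one verdict: missing, too-small,
# overlap or ok. MIN defaults to 65536, the size used in the article.
subid_check() {
    r=$(subid_range "$1" "$2") || { echo missing; return 0; }
    [ "${r##* }" -ge "${3:-65536}" ] || { echo too-small; return 0; }
    if subid_overlaps "$2" | grep -qw -- "$1"; then echo overlap; else echo ok; fi
}

# Constructed sample: "podman" reuses the range "alice" already holds.
sample=$(mktemp)
printf '%s\n' 'alice:100000:65536' 'podman:100000:65536' \
              'bob:231072:65536' 'carol:300000:1000' > "$sample"
subid_range podman "$sample"
for u in alice podman bob carol dave; do
    echo "$u: $(subid_check "$u" "$sample")"
done
rm -f "$sample"
```

On a real host, run subid_check podman /etc/subuid and subid_check podman /etc/subgid as root after editing the files.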
5. The use of container images under non-root users
Similarly, first switch from root to the host's podman user.
su - podman
Pull the image:
$ podman pull docker.io/library/nginx
Trying to pull docker.io/library/nginx...
Getting image source signatures
Copying blob 1ae07ab881bd done
Copying blob 091c283c6a66 done
Copying blob 78091884b7be done
Copying blob 5eb5b503b376 done
Copying blob b559bad762be done
Copying blob 55de5851019b done
Copying config c316d5a335 done
Writing manifest to image destination
Storing signatures
c316d5a335a5cf324b0dc83b3da82d7608724769f6454f6d9a621f3ec2534a5a
View the list of images (the images pulled by user x cannot be viewed under user y)
$ podman images
REPOSITORY                TAG      IMAGE ID       CREATED       SIZE
docker.io/library/nginx   latest   c316d5a335a5   2 weeks ago   146MB
Run the container image
podman run -p 8080:80 -d docker.io/library/nginx
Other commands are not listed one by one; they work in exactly the same way as the docker commands, with the same parameter order and names.
At this point, the study of "how to use podman container technology" is over. I hope it has answered your questions. Combining theory with practice will help you learn better, so go and try it! If you want to learn more, please continue to follow the website; the editor will keep working to bring you more practical articles!