ICode9

精准搜索请尝试: 精确搜索
首页 > 其他分享> 文章详细

podman的基本设置和使用,签名分发镜像推送到harbor仓库

2022-08-16 02:00:08  阅读:191  来源: 互联网

标签:httpd 8080 容器 harbor podman usr 推送 root


podman的基本设置和使用

目录

Podman 是作为 libpod 库的一部分提供的实用程序。它可用于创建和维护容器。以下教程将教您如何设置Podman并使用Podman执行一些基本命令。

podman的基本设置和使用

运行示例容器

此示例容器将运行一个非常基本的 httpd 服务器,该服务器仅为其索引页提供服务。

[root@podman ~]# podman run -dt -p 8080:8080/tcp -e HTTPD_VAR_RUN=/run/httpd -e HTTPD_MAIN_CONF_D_PATH=/etc/httpd/conf.d \
>                   -e HTTPD_MAIN_CONF_PATH=/etc/httpd/conf \
>                   -e HTTPD_CONTAINER_SCRIPTS_PATH=/usr/share/container-scripts/httpd/ \
>                   registry.fedoraproject.org/f29/httpd /usr/bin/run-httpd
Trying to pull registry.fedoraproject.org/f29/httpd:latest...
Getting image source signatures
Copying blob d77ff9f653ce done  
Copying blob aaf5ad2e1aa3 done  
Copying blob 7692efc5f81c done  
Copying config 25c76f9dcd done  
Writing manifest to image destination
Storing signatures
81254d9cc4254c79c7497eeb6371003e0fd2e226f1337995bb56c233c99091b5

由于容器在分离模式下运行(在命令中由 -d 表示),因此 Podman 将在运行后打印容器 ID。请注意,我们使用端口转发来访问 HTTP 服务器。要成功运行,至少需要 slirp4netns v0.3.0。

查询一下slirp4netns是否高于 v0.3.0版本。

[root@podman ~]# rpm -qa|grep slirp4netns
slirp4netns-1.1.8-2.module_el8.7.0+1106+45480ee0.x86_64

列出正在运行的容器

[root@podman ~]# podman ps
CONTAINER ID  IMAGE                                        COMMAND               CREATED        STATUS            PORTS                   NAMES
81254d9cc425  registry.fedoraproject.org/f29/httpd:latest  /usr/bin/run-http...  5 minutes ago  Up 5 minutes ago  0.0.0.0:8080->8080/tcp  dreamy_merkle

注意:-l 是最新容器的便利参数。还可以使用容器的 ID 而不是 -l。

检查正在运行的容器

可以检查正在运行的容器,以获取有关其自身的元数据和详细信息。我们甚至可以使用 inspect 子命令来查看分配给容器的 IP 地址。由于容器在无根模式下运行,因此不会分配 IP 地址,并且该值将在检查的输出中列为“无”。

podman inspect -l |grep -i ipaddress

[root@podman ~]# podman inspect -l |grep -i ipaddress
               "IPAddress": "10.88.0.3",
                         "IPAddress": "10.88.0.3",

测试httpd服务器

curl http://localhost:8080

[root@podman ~]# podman port -l
8080/tcp -> 0.0.0.0:8080
[root@podman ~]# curl 10.88.0.3:8080
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
...省略

web界面访问:

image

查看容器日志

podman logs --latest

[root@podman ~]# podman logs -l
=> sourcing 10-set-mpm.sh ...
=> sourcing 20-copy-config.sh ...
=> sourcing 40-ssl-certs.sh ...
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.88.0.3. Set the 'ServerName' directive globally to suppress this message
[Mon Aug 15 15:56:04.177877 2022] [ssl:warn] [pid 1:tid 139975668551040] AH01882: Init: this version of mod_ssl was compiled against a newer library (OpenSSL 1.1.1b FIPS  26 Feb 2019, version currently loaded is OpenSSL 1.1.1 FIPS  11 Sep 2018) - may result in undefined or erroneous behavior
...省略

查看容器的pid

podman top <container_id>

[root@podman ~]# podman top -l
USER        PID         PPID        %CPU        ELAPSED           TTY         TIME        COMMAND
default     1           0           0.000       17m15.264131783s  pts/0       0s          httpd -D FOREGROUND 
default     23          1           0.000       17m15.264256639s  pts/0       0s          /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat 
default     24          1           0.000       17m15.264293599s  pts/0       0s          /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat 
default     25          1           0.000       17m15.264317041s  pts/0       0s          /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat 
default     26          1           0.000       17m15.264343615s  pts/0       0s          /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat 
default     27          1           0.000       17m15.264365551s  pts/0       0s          httpd -D FOREGROUND 
default     28          1           0.000       17m15.264387439s  pts/0       0s          httpd -D FOREGROUND 
default     30          1           0.000       17m15.264408209s  pts/0       0s          httpd -D FOREGROUND 
default     37          1           0.000       17m15.264431233s  pts/0       0s          httpd -D FOREGROUND 
default     242         1           0.000       7m50.264451911s   pts/0       0s          httpd -D FOREGROUND 

对容器执行检查点操作

对容器执行检查点操作会停止容器,同时将容器中所有进程的状态写入磁盘。这样,容器以后可以还原,并在与检查点完全相同的时间点继续运行。此功能要求在系统上安装 CRIU 3.11 或更高版本。不支持此功能作为无根;因此,如果您想尝试一下,则需要使用相同的命令(但使用sudo)以root身份重新创建容器。若本身是管理员就不用sudu。

sudo podman container checkpoint <container_id>

[root@podman ~]# podman container checkpoint -l
81254d9cc4254c79c7497eeb6371003e0fd2e226f1337995bb56c233c99091b5
[root@podman ~]# ls
anaconda-ks.cfg  container-web.service
[root@podman ~]# podman ps -a
CONTAINER ID  IMAGE                                        COMMAND               CREATED         STATUS                     PORTS                   NAMES
81254d9cc425  registry.fedoraproject.org/f29/httpd:latest  /usr/bin/run-http...  53 minutes ago  Exited (0) 17 seconds ago  0.0.0.0:8080->8080/tcp  dreamy_merkle

恢复容器

还原容器仅适用于以前检查点的容器。还原的容器将继续在检查点操作的同一时间点运行。

sudo podman container restore <container_id>

[root@podman ~]# podman container restore -l
81254d9cc4254c79c7497eeb6371003e0fd2e226f1337995bb56c233c99091b5
[root@podman ~]# podman ps -a
CONTAINER ID  IMAGE                                        COMMAND               CREATED         STATUS             PORTS                   NAMES
81254d9cc425  registry.fedoraproject.org/f29/httpd:latest  /usr/bin/run-http...  54 minutes ago  Up 54 minutes ago  0.0.0.0:8080->8080/tcp  dreamy_merkle

还原后,容器将像检查点之前一样再次应答请求。

[root@podman ~]# curl 10.88.0.3:8080
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">

迁移容器

要将容器从一个主机实时迁移到另一个主机,容器将在迁移的源系统上执行检查点操作,传输到目标系统,然后在目标系统上还原。传输检查点时,可以指定输出文件。

在源系统上:

sudo podman container checkpoint <container_id> -e /tmp/checkpoint.tar.gz

scp /tmp/checkpoint.tar.gz <destination_system>:/tmp

[root@podman ~]# podman container checkpoint -l -e /tmp/checkpoint.tar.gz
81254d9cc4254c79c7497eeb6371003e0fd2e226f1337995bb56c233c99091b5
[root@podman ~]# scp /tmp/checkpoint.tar.gz 192.168.118.137:/tmp

在目标系统上:

sudo podman container restore -i /tmp/checkpoint.tar.gz

[root@localhost ~]# podman container restore -i /tmp/checkpoint.tar.gz
Trying to pull registry.fedoraproject.org/f29/httpd:latest...
Getting image source signatures
Copying blob d77ff9f653ce done  
Copying blob aaf5ad2e1aa3 done  
Copying blob 7692efc5f81c done  
Copying config 25c76f9dcd done  
Writing manifest to image destination
Storing signatures
81254d9cc4254c79c7497eeb6371003e0fd2e226f1337995bb56c233c99091b5

还原后,web访问一下。

image

停止容器

要停止 httpd 容器,请执行以下操作:

[root@podman ~]# podman stop -l
81254d9cc4254c79c7497eeb6371003e0fd2e226f1337995bb56c233c99091b5
[root@podman ~]# podman ps -a
CONTAINER ID  IMAGE                                        COMMAND               CREATED            STATUS                    PORTS                   NAMES
81254d9cc425  registry.fedoraproject.org/f29/httpd:latest  /usr/bin/run-http...  About an hour ago  Exited (0) 5 seconds ago  0.0.0.0:8080->8080/tcp  dreamy_merkle

移除容器

删除 httpd 容器:

[root@podman ~]# podman rm -l
81254d9cc4254c79c7497eeb6371003e0fd2e226f1337995bb56c233c99091b5
[root@podman ~]# podman ps -a
CONTAINER ID  IMAGE       COMMAND     CREATED     STATUS      PORTS       NAMES

podman签名分发镜像推送到harbor仓库

签署容器镜像的动机是只信任专门的镜像提供者以减轻中间人 (MITM) 攻击或对容器注册表的攻击。签署图像的一种方法是使用 GNU Privacy Guard ( GPG ) 密钥。这种技术通常与任何符合 OCI 的容器注册表兼容,例如:Quay.io。值得一提的是,OpenShift 集成容器注册表开箱即用地支持这种签名机制,这使得单独的签名存储变得不必要。

从技术角度来看,我们可以利用 Podman 对镜像进行签名,然后再将其推送到远程注册表。之后,所有运行 Podman 的系统都必须配置为从远程服务器检索签名,远程服务器可以是任何简单的 Web 服务器。这意味着在图像拉取操作期间,每个未签名的图像都将被拒绝。但这是如何工作的?

首先,我们必须创建一个 GPG 密钥对或选择一个已经在本地可用的密钥对。要生成新的 GPG 密钥,只需运行gpg --full-gen-key并按照交互式对话框操作。现在我们应该能够验证密钥在本地是否存在:

[root@podman ~]# gpg --full-gen-key
gpg (GnuPG) 2.2.20; Copyright (C) 2020 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
  (14) Existing key from card
Your selection? 
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: daxinyu@317.com
Email address: daxinyu@317.com
Comment: dada
You selected this USER-ID:
    "daxinyu@317.com (dada) <daxinyu@317.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

#设置秘钥,tab到ok回车,这里要输入2次密码,设置密码时大于8位数
         ┌─┐
         │ Please enter the passphrase to                       │
         │ protect your new key                                 │
         │                                                      │
         │ Passphrase: ***********
         │                                                      │
         │       <OK>                              <Cancel>     │
         └─┘
 
      
         ┌─┐
         │ Please re-enter this passphrase                      │
         │                                                      │
         │ Passphrase: ***********
         │                                                      │
         │       <OK>                              <Cancel>     │
         └─┘
         
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 790E0F879B594C6D marked as ultimately trusted
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/6C72C4A589A2A40906BCA7BE790E0F879B594C6D.rev'
public and secret key created and signed.

pub   rsa2048 2022-08-15 [SC]
      6C72C4A589A2A40906BCA7BE790E0F879B594C6D
uid                      daxinyu@317.com (dada) <daxinyu@317.com>
sub   rsa2048 2022-08-15 [E]

[root@podman ~]# gpg --list-keys daxinyu@317.com
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
pub   rsa2048 2022-08-15 [SC]
      6C72C4A589A2A40906BCA7BE790E0F879B594C6D
uid           [ultimate] daxinyu@317.com (dada) <daxinyu@317.com>
sub   rsa2048 2022-08-15 [E]

标签:httpd,8080,容器,harbor,podman,usr,推送,root
来源: https://www.cnblogs.com/Clannaddada/p/16590249.html

本站声明: 1. iCode9 技术分享网(下文简称本站)提供的所有内容,仅供技术学习、探讨和分享;
2. 关于本站的所有留言、评论、转载及引用,纯属内容发起人的个人观点,与本站观点和立场无关;
3. 关于本站的所有言论和文字,纯属内容发起人的个人观点,与本站观点和立场无关;
4. 本站文章均是网友提供,不完全保证技术分享内容的完整性、准确性、时效性、风险性和版权归属;如您发现该文章侵犯了您的权益,可联系我们第一时间进行删除;
5. 本站为非盈利性的个人网站,所有内容不会用来进行牟利,也不会利用任何形式的广告来间接获益,纯粹是为了广大技术爱好者提供技术内容和技术思想的分享性交流网站。

专注分享技术,共同学习,共同进步。侵权联系[81616952@qq.com]

Copyright (C)ICode9.com, All Rights Reserved.

ICode9版权所有