Bootstrap

Basic setup and usage of Podman


Run a sample container

This sample container runs a very basic httpd server that serves only its index page.

podman run -dt -p 8080:8080/tcp -e HTTPD_VAR_RUN=/run/httpd -e HTTPD_MAIN_CONF_D_PATH=/etc/httpd/conf.d -e HTTPD_MAIN_CONF_PATH=/etc/httpd/conf -e HTTPD_CONTAINER_SCRIPTS_PATH=/usr/share/container-scripts/httpd/ registry.fedoraproject.org/f29/httpd /usr/bin/run-httpd
Trying to pull registry.fedoraproject.org/f29/httpd:latest...
Getting image source signatures
Copying blob d77ff9f653ce done  
Copying blob aaf5ad2e1aa3 done  
Copying blob 7692efc5f81c done  
Copying config 25c76f9dcd done  
Writing manifest to image destination
Storing signatures
8e6416746e5b9443b5db05e55bc34794bcd11ef07c82246c42b85fb57e633499

List running containers

[root@192 ~]# podman ps 
CONTAINER ID  IMAGE                                        COMMAND               CREATED         STATUS             PORTS                   NAMES
8e6416746e5b  registry.fedoraproject.org/f29/httpd:latest  /usr/bin/run-http...  12 minutes ago  Up 12 minutes ago  0.0.0.0:8080->8080/tcp  xenodochial_brown
If you add the -a flag to the ps command, Podman shows all containers.

Inspect the running container

[root@192 ~]# podman inspect -l |grep -i ipaddress
            "IPAddress": "10.88.0.3",
                    "IPAddress": "10.88.0.3",

Test the httpd server

[root@192 ~]# curl 10.88.0.3:8080   (or 172.0.0.1:8080)
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
        <head>
                <title>Test Page for the Apache HTTP Server on Fedora</title>
                <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
                <style type="text/css">
                        /*<![CDATA[*/
                        body {
                                background-color: #fff;
                                color: #000;
.........
.........


View the container's logs

[root@192 ~]# podman logs -l
=> sourcing 10-set-mpm.sh ...
=> sourcing 20-copy-config.sh ...
=> sourcing 40-ssl-certs.sh ...
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.88.0.3. Set the 'ServerName' directive globally to suppress this message
[Tue Aug 16 03:47:11.592151 2022] [ssl:warn] [pid 1:tid 139629212822912] AH01882: Init: this version of mod_ssl was compiled against a newer library (OpenSSL 1.1.1b FIPS  26 Feb 2019, version currently loaded is OpenSSL 1.1.1 FIPS  11 Sep 2018) - may result in undefined or erroneous behavior
[Tue Aug 16 03:47:11.592869 2022] [ssl:warn] [pid 1:tid 139629212822912] AH01909: 10.88.0.3:8443:0 server certificate does NOT include an ID which matches the server name
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.88.0.3. Set the 'ServerName' directive globally to suppress this message
............

View the container's processes

[root@192 ~]# podman top -l
USER        PID         PPID        %CPU        ELAPSED           TTY         TIME        COMMAND
default     1           0           0.000       15m42.322727736s  pts/0       0s          httpd -D FOREGROUND 
default     24          1           0.000       15m42.322836209s  ?           0s          /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat 
default     25          1           0.000       15m42.322880653s  ?           0s          /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat 
default     26          1           0.000       15m42.323001028s  ?           0s          /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat 
default     27          1           0.000       15m42.323091037s  ?           0s          /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat 
default     28          1           0.000       15m42.323132705s  ?           0s          httpd -D FOREGROUND 
default     29          1           0.000       15m42.3232793s    ?           0s          httpd -D FOREGROUND 
default     31          1           0.000       15m42.323358338s  ?           0s          httpd -D FOREGROUND 
default     33          1           0.000       15m42.323434941s  ?           0s          httpd -D FOREGROUND 

Checkpoint a container

Checkpointing a container stops it and writes the state of all processes in the container to disk.

[root@192 ~]# podman container checkpoint xenodochial_brown
8e6416746e5b9443b5db05e55bc34794bcd11ef07c82246c42b85fb57e633499

Restore a container

Only a container that was previously checkpointed can be restored.

[root@192 ~]# podman container restore xenodochial_brown
8e6416746e5b9443b5db05e55bc34794bcd11ef07c82246c42b85fb57e633499
[root@192 ~]# podman ps 
CONTAINER ID  IMAGE                                        COMMAND               CREATED        STATUS            PORTS                   NAMES
8e6416746e5b  registry.fedoraproject.org/f29/httpd:latest  /usr/bin/run-http...  4 minutes ago  Up 4 minutes ago  0.0.0.0:8080->8080/tcp  xenodochial_brown

Migrate a container

To live-migrate a container from one host to another, the container is checkpointed on the source system, the checkpoint is transferred to the destination system, and the container is then restored there. When a checkpoint is going to be transferred, an output file can be specified.

On the source system

[root@192 ~]# scp /tmp/checkpoint.tar.gz 192.168.132.100:/tmp/checkpoint.tar.gz
The authenticity of host '192.168.132.100 (192.168.132.100)' can't be established.
ECDSA key fingerprint is SHA256:lioB0RK00WUm3v9CRB9bI0VBKo2+z+YXdA8+7g55IXY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.132.100' (ECDSA) to the list of known hosts.
[email protected]'s password: 
checkpoint.tar.gz                               100% 1808KB 164.3MB/s   00:00

On the destination system

[root@harbor ~]# ls /tmp/
checkpoint.tar.gz
systemd-private-2aa4ab20e15a49538d5356632536bb31-bluetooth.service-QwJ7Wf
systemd-private-2aa4ab20e15a49538d5356632536bb31-chronyd.service-975IUi
[root@harbor ~]# podman container restore -i /tmp/checkpoint.tar.gz
Trying to pull registry.fedoraproject.org/f29/httpd:latest...
Getting image source signatures
Copying blob 7692efc5f81c skipped: already exists  
Copying blob aaf5ad2e1aa3 done  
Copying blob d77ff9f653ce done  
Copying config 25c76f9dcd done  
Writing manifest to image destination
Storing signatures
8e6416746e5b9443b5db05e55bc34794bcd11ef07c82246c42b85fb57e633499

How to sign and distribute container images with Podman

The motivation for signing container images is to trust only designated image providers, which mitigates man-in-the-middle (MITM) attacks and attacks on the container registry. One way to sign images is with a GNU Privacy Guard (GPG) key. This technique is generally compatible with any OCI-compliant container registry, for example Quay.io. It is worth mentioning that the OpenShift integrated container registry supports this signing mechanism out of the box, which makes a separate signature store unnecessary.

From a technical standpoint, we can use Podman to sign an image before pushing it to a remote registry. Afterwards, every system running Podman must be configured to retrieve the signatures from a remote server, which can be any plain web server. This means that during an image pull every unsigned image will be rejected. But how does this work?

First, we must create a GPG key pair or choose one that is already available locally. To generate a new GPG key, just run gpg --full-gen-key and follow the interactive dialog. Afterwards we should be able to verify that the key exists locally:

[root@192 ~]# gpg --full-gen-key
gpg (GnuPG) 2.2.20; Copyright (C) 2020 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
  (14) Existing key from card
Your selection? 
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) y  // choose yes or no

GnuPG needs to construct a user ID to identify your key.

Real name: xiaopihai123  // user name
Email address: [email protected]  // e-mail address
Comment: hehe  // description
You selected this USER-ID:
    "xiaopihai123 (hehe) <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o  // choose o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 8707569C0C379114 marked as ultimately trusted
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/50BA907F47E47A0FC4C27D458707569C0C379114.rev'
public and secret key created and signed.

pub   rsa2048 2022-08-16 [SC]
      50BA907F47E47A0FC4C27D458707569C0C379114
uid                      xiaopihai123 (hehe) <[email protected]>
sub   rsa2048 2022-08-16 [E]
// list the generated key
[root@192 ~]#  gpg --list-keys [email protected]
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   rsa2048 2022-08-16 [SC]
      50BA907F47E47A0FC4C27D458707569C0C379114
uid           [ultimate] xiaopihai123 (hehe) <[email protected]>
sub   rsa2048 2022-08-16 [E]

[root@192 ~]# 

Let's pick a standard image, alpine, for our signing experiment:

[root@192 ~]#  podman pull docker://docker.io/alpine:latest
Trying to pull docker.io/library/alpine:latest...
Getting image source signatures
Copying blob 213ec9aee27d done  
Copying config 9c6f072447 done  
Writing manifest to image destination
Storing signatures
9c6f0724472873bb50a2ae67a9e7adcb57673a183cea8b06eb778dca859181b5

Next we can deploy a Harbor registry.

[Harbor registry deployment]:

Now we can re-tag the image to point it at our Harbor registry:

[root@192 ~]# podman tag alpine xiaopihai123/alpine:v0.1
[root@192 ~]# podman images
REPOSITORY                            TAG         IMAGE ID      CREATED      SIZE
docker.io/library/alpine              latest      9c6f07244728  6 days ago   5.83 MB
localhost/xiaopihai123/alpine         v0.1        9c6f07244728  6 days ago   5.83 MB

To be able to upload the image to the local private registry, edit the file /etc/containers/registries.d/default.yaml.

We can see that we configure two signature stores:

  • sigstore: refers to the web server from which signatures are read
  • sigstore-staging: refers to a file path to which signatures are written

default-docker:
  sigstore: http://192.168.132.135:80
  sigstore-staging: file:///var/lib/containers/sigstore
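As an added example (not code from the original post), here is the trust configuration that the section above describes but stops short of showing: a Python script that renders the registries.d entry for the page's registry 192.168.132.135 and a policy.json which makes Podman reject unsigned images, plus an audit helper that reports which scopes of an existing policy.json still accept unsigned images. The public-key path /etc/pki/containers/xiaopihai123.gpg is an assumed placeholder for the exported public key of the GPG key generated above.

```python
import json

REGISTRY = "192.168.132.135"                # Harbor host from the page
SIGSTORE_URL = "http://192.168.132.135:80"  # signature web server from the page
KEY_PATH = "/etc/pki/containers/xiaopihai123.gpg"  # assumed placeholder path


def registries_d_yaml(registry: str, sigstore_url: str) -> str:
    """registries.d config scoped to one registry (the page uses the
    default-docker catch-all). 'sigstore' is read on pull; 'sigstore-staging'
    is where the signing host writes signatures for upload to the web server."""
    return (
        "docker:\n"
        f"  {registry}:\n"
        f"    sigstore: {sigstore_url}\n"
        "    sigstore-staging: file:///var/lib/containers/sigstore\n"
    )


def signed_only_policy(registry: str, key_path: str) -> dict:
    """policy.json that rejects everything by default, requires a signature
    from our exported GPG public key for images from the registry, and keeps
    containers-storage open so already-pulled images can still be run."""
    return {
        "default": [{"type": "reject"}],
        "transports": {
            "docker": {registry: [{"type": "signedBy", "keyType": "GPGKeys",
                                   "keyPath": key_path}]},
            "containers-storage": {"": [{"type": "insecureAcceptAnything"}]},
        },
    }


def unsigned_accepting_scopes(policy: dict) -> list:
    """Audit a policy.json (loaded as a dict): return every scope whose
    requirements admit an unsigned image (insecureAcceptAnything)."""
    def insecure(reqs):
        return any(r.get("type") == "insecureAcceptAnything" for r in reqs)
    hits = ["default"] if insecure(policy.get("default", [])) else []
    for transport, scopes in policy.get("transports", {}).items():
        for scope, reqs in scopes.items():
            if insecure(reqs):
                hits.append(f"{transport}:{scope or '*'}")
    return hits


if __name__ == "__main__":
    print(registries_d_yaml(REGISTRY, SIGSTORE_URL))
    print(json.dumps(signed_only_policy(REGISTRY, KEY_PATH), indent=2))
```

Run against the stock policy.json shipped by most distributions, the audit reports the global default as accepting anything, which is exactly what the signing setup is meant to replace.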