Installation
The official CentOS yum repository currently ships podman-1.4.4, which is not far behind the latest 1.5, so on CentOS 7 a plain yum install -y podman is enough.
Starting a container
```shell
podman search busybox
podman pull docker.io/library/busybox
podman run -it --rm busybox
```
Look at the related processes:



Process analysis:
- the podman process does not exit immediately
- the podman process is not an ancestor of the container process (2953) either
- conmon (2943) is the parent of the container process
 
Using execsnoop to follow podman's basic logic (columns: PID, parent PID, command):
```text
3182   2530 podman run -it --rm busybox
3188   3187 /usr/sbin/iptables --version
3189   3187 /usr/sbin/ip6tables --version
3195   3193 /usr/libexec/cni/loopback
3200   3193 /usr/libexec/cni/bridge
3206   3200 /usr/libexec/cni/host-local
3212   3200 /usr/sbin/iptables --version
3213   3200 /usr/sbin/iptables -t nat -S --wait
3214   3200 /usr/sbin/iptables -t nat -N CNI-d286860d1f2c10088f58c4fa --wait
3215   3200 /usr/sbin/iptables -t nat -C CNI-d286860d1f2c10088f58c4fa -d 10.88.0.4/16 -j ACCEPT [...]
3216   3200 /usr/sbin/iptables -t nat -A CNI-d286860d1f2c10088f58c4fa -d 10.88.0.4/16 -j ACCEPT [...]
3217   3194 /usr/lib/systemd/systemd-sysctl --prefix=/net/ipv4/conf/vethaec894ac --prefix=/net/ipv4/neigh/vethaec894ac --prefix=/net/ipv6/conf/vethaec894ac --prefix=/net/ipv6/neigh/vethaec894ac
3218   3200 /usr/sbin/iptables -t nat -C CNI-d286860d1f2c10088f58c4fa ! -d 224.0.0.0/4 -j [...]
3219   3200 /usr/sbin/iptables -t nat -A CNI-d286860d1f2c10088f58c4fa ! -d 224.0.0.0/4 -j [...]
3220   3200 /usr/sbin/iptables -t nat -C POSTROUTING -s 10.88.0.4 -j CNI-d286860d1f2c10088f58c4fa [...]
3221   3200 /usr/sbin/iptables -t nat -A POSTROUTING -s 10.88.0.4 -j CNI-d286860d1f2c10088f58c4fa [...]
3222   3190 /usr/libexec/cni/portmap
3226   3190 /usr/sbin/iptables -t filter -S --wait
3227   3190 /usr/sbin/iptables -t filter -S --wait
3228   3190 /usr/sbin/iptables -t filter -C FORWARD -m comment --comment CNI firewall plugin rules [...]
3229   3190 /usr/sbin/iptables -t filter -C CNI-FORWARD -m comment --comment CNI firewall plugin rules [...]
3230   3190 /usr/sbin/iptables -t filter -C CNI-FORWARD -d 10.88.0.4/32 -m conntrack [...]
3231   3190 /usr/sbin/iptables -t filter -A CNI-FORWARD -d 10.88.0.4/32 -m conntrack [...]
3232   3190 /usr/sbin/iptables -t filter -C CNI-FORWARD -s 10.88.0.4/32 -j ACCEPT [...]
3233   3190 /usr/sbin/iptables -t filter -A CNI-FORWARD -s 10.88.0.4/32 -j ACCEPT [...]
3234   3191 /usr/libexec/podman/conmon -s -c 25320a1e64226351a66056671a5f0c8c382204b3ea183d69d1fce06293164f8d -u 25320a1e64226351a66056671a5f0c8c382204b3ea183d69d1fce06293164f8d -n sad_dijkstra -r [...]
3236   3235 /usr/bin/runc --systemd-cgroup
3242   3241 /usr/bin/runc init
3252   3190 /usr/bin/runc start 25320a1e64226351a66056671a5f0c8c382204b3ea183d69d1fce06293164f8d
3245   3244 sh
```
- first, the network is prepared: the containernetworking-plugins binaries (loopback, bridge, host-local, portmap) create the veth and write the nat and filter iptables rules for the container address 10.88.0.4
- then conmon is launched; runc creates the container under conmon (runc --systemd-cgroup, runc init), runc start starts it, and the container process (sh) appears
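As an added illustration (not code from the original post): a small POSIX shell script that checks the two observations above against a ps snapshot and an execsnoop trace. One function walks the PID to parent-PID chain of the container's init process, so the "conmon is the parent, podman is not an ancestor" claim can be verified on a live host; the other attributes every exec'd helper in an execsnoop trace (CNI plugins, iptables, conmon, runc) to the parent PID that launched it. The snapshot and trace embedded below are constructed to match the shape of the output above, with made-up PIDs; the live-use line assumes podman is installed and uses podman inspect --format '{{.State.Pid}}'.

```shell
#!/bin/sh
# Added example, not from the original post: check the process layout that the
# ps view and execsnoop trace above show (conmon, not podman, is the parent of
# the container's init process; helpers are exec'd by distinct parents).

# ancestry <pid> <snapshot>: walk the parent chain in a "PID PPID COMM" snapshot
# (the format of `ps -eo pid,ppid,comm`) and print "pid comm" per hop, root last.
ancestry() {
    pid=$1
    snapshot=$2
    while [ "$pid" -gt 0 ]; do
        hop=$(printf '%s\n' "$snapshot" | awk -v p="$pid" '$1 == p { print $2, $3; exit }')
        [ -n "$hop" ] || break        # pid not in the snapshot: chain ends here
        set -- $hop                   # $1 = ppid, $2 = comm
        printf '%s %s\n' "$pid" "$2"
        pid=$1
    done
}

# has_ancestor <pid> <comm> <snapshot>: succeed if a process named <comm>
# appears in the chain (the process itself included).
has_ancestor() {
    ancestry "$1" "$3" | awk -v c="$2" '$2 == c { found = 1 } END { exit !found }'
}

# exec_parents <trace>: from execsnoop lines "PID PPID ARGS...", print each
# parent PID with the distinct binaries it exec'd, so the iptables/CNI/runc
# invocations can be attributed to the process that launched them.
exec_parents() {
    printf '%s\n' "$1" | awk '
        !seen[$2, $3]++ { bins[$2] = bins[$2] (bins[$2] ? " " : "") $3 }
        END { for (p in bins) print p ": " bins[p] }' | sort -n
}

# Constructed `ps -eo pid,ppid,comm` snapshot with the shape described above
# (container init 2953 under conmon 2943; podman 2940 is not in its chain).
PS_SNAPSHOT='1 0 systemd
2530 1 bash
2940 2530 podman
2943 1 conmon
2953 2943 sh'

# Constructed excerpt in the execsnoop layout above (PID PPID ARGS).
EXEC_TRACE='3182 2530 podman run -it --rm busybox
3200 3193 /usr/libexec/cni/bridge
3213 3200 /usr/sbin/iptables -t nat -S --wait
3214 3200 /usr/sbin/iptables -t nat -N CNI-chain --wait
3234 3191 /usr/libexec/podman/conmon -s -c ctr
3236 3235 /usr/bin/runc --systemd-cgroup
3245 3244 sh'

# Live use on a real host (assumes podman is installed and <name> is running):
#   ancestry "$(podman inspect --format '{{.State.Pid}}' <name>)" "$(ps -eo pid,ppid,comm)"
ancestry 2953 "$PS_SNAPSHOT"
exec_parents "$EXEC_TRACE"
```

On the constructed snapshot the chain printed for 2953 is sh, conmon, systemd, with no podman in it; in the trace summary the iptables calls all hang off 3200 (the bridge plugin), while runc and the container's sh have parents that never exec anything themselves in the excerpt, which is exactly the attribution question a reviewer wants answered before trusting a trace like the one above.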
 
Looking at podman through podman info:
```yaml
[root@docker ~]# podman info
host:
  BuildahVersion: 1.9.0
  Conmon:
    package: podman-1.4.4-4.el7.centos.x86_64
    path: /usr/libexec/podman/conmon
    version: 'conmon version 0.3.0, commit: unknown'
  Distribution:
    distribution: '"centos"'
    version: "7"
  MemFree: 81936384
  MemTotal: 1567813632
  OCIRuntime:
    package: runc-1.0.0-65.rc8.el7.centos.x86_64
    path: /usr/bin/runc
    version: 'runc version spec: 1.0.1-dev'
  SwapFree: 3111645184
  SwapTotal: 3221221376
  arch: amd64
  cpus: 1
  hostname: docker
  kernel: 3.10.0-957.1.3.el7.x86_64
  os: linux
  rootless: false
  uptime: 216h 45m 40.51s (Approximately 9.00 days)
registries:
  blocked: null
  insecure: null
  search:
  - registry.access.redhat.com
  - docker.io
  - registry.fedoraproject.org
  - quay.io
  - registry.centos.org
store:
  ConfigFile: /etc/containers/storage.conf
  ContainerStore:
    number: 1
  GraphDriverName: overlay
  GraphOptions: null
  GraphRoot: /var/lib/containers/storage
  GraphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  ImageStore:
    number: 1
  RunRoot: /var/run/containers/storage
  VolumePath: /var/lib/containers/storage/volumes
```
- The Buildah version is shown here. What is the relationship between podman and buildah? buildah builds images and can be used on its own, yet building an image with podman spawns no buildah process, so is buildah compiled into podman? (That is indeed the case: "Podman uses Buildah's golang API and can be installed independently from Buildah".) See: https://github.com/containers/libpod
- Although buildah also has a run operation and a notion of containers, these are not podman's: buildah run corresponds to RUN in a Dockerfile, and its container is a transient build state, not a long-running one.
- conmon: the container monitor. As the process view above shows, it stays the parent of the container process after podman itself exits, which is why the container outlives the podman command.
- registries: more than one registry is allowed. Note that an unqualified image name (busybox rather than docker.io/library/busybox) is looked up in the search registries in the order listed, so an image published under that name on an earlier registry wins; pull with fully qualified names, as the commands above do.
- storage
  - storage driver: overlay. Docker has defaulted to overlay2 for a long time, so why does podman not support overlay2? In containers/storage the driver called overlay is the overlayfs driver equivalent to Docker's overlay2 (overlay2 is accepted as an alias for it), so this is a naming difference, not a missing driver.
  - storage location: /var/lib/containers/storage
 
 
Remote connections to podman
No distribution currently ships this feature. It is implemented over varlink, which only listens on a local unix socket, so a remote client first has to go through an SSH tunnel. That is reasonable: whoever reaches the socket gets full control of the podman host, so SSH authentication is exactly what it should sit behind.
Rootless
Rootless mode itself does not require cgroup v2: with runc on a cgroup v1 host rootless containers start, but cgroup resource limits cannot be applied to them. Applying limits in rootless mode needs cgroup v2 and an OCI runtime that supports it, which at the time of writing means crun rather than runc, since this runc release has no cgroup v2 support.
https://github.com/containers/libpod/blob/master/docs/tutorials/rootless_tutorial.md
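An added preflight script for the rootless prerequisites just described (written for this page; it is not part of podman or of the linked tutorial). It checks that the user has a subordinate UID range (the user-namespace mapping rootless mode runs in), classifies the cgroup layout from the filesystem type mounted on /sys/fs/cgroup, and reports whether the runtime in use can apply limits on it. The 65536-ID minimum is an assumption (the size useradd allocates by default), the subuid file in the demo is constructed, and the live-use line assumes GNU stat and that crun or runc is on PATH.

```shell
#!/bin/sh
# Added example, not from the podman project or the linked tutorial: a preflight
# check for the rootless prerequisites described above. Inputs are parameters so
# the checks can run against constructed data as well as the live host.

# cgroup_mode <fstype>: classify the filesystem type mounted on /sys/fs/cgroup
# (as printed by `stat -fc %T /sys/fs/cgroup`): cgroup2fs is the unified v2
# hierarchy, tmpfs is the legacy v1 layout.
cgroup_mode() {
    case "$1" in
        cgroup2fs) echo v2 ;;
        tmpfs)     echo v1 ;;
        *)         echo unknown ;;
    esac
}

# subuid_count <user> <file>: total subordinate IDs granted to <user> in an
# /etc/subuid-style file ("user:start:count" lines), 0 if there are none.
subuid_count() {
    awk -F: -v u="$1" '$1 == u { n += $3 } END { print n + 0 }' "$2"
}

# MIN_IDS is an assumed minimum (what useradd allocates by default), not a
# podman requirement; adjust to local policy.
MIN_IDS=65536

# rootless_ok <user> <subuid-file> <cgroup-fstype> <runtime>: succeed when
# rootless containers can be started; print what is still missing for
# cgroup resource limits to be applied.
rootless_ok() {
    if [ "$(subuid_count "$1" "$2")" -lt "$MIN_IDS" ]; then
        echo "FAIL: $1 has fewer than $MIN_IDS subordinate UIDs in $2 (rootless run needs a user namespace mapping)"
        return 1
    fi
    case "$(cgroup_mode "$3")" in
        v2) if [ "$4" = crun ]; then
                echo "OK: cgroup v2 with crun, resource limits can be applied"
            else
                echo "WARN: cgroup v2 but runtime '$4' is not crun; this runc release lacks cgroup v2 support"
            fi ;;
        v1) echo "WARN: cgroup v1 with $4: rootless containers run, but cgroup limits cannot be applied" ;;
        *)  echo "WARN: unknown cgroup layout '$3'" ;;
    esac
    return 0
}

# Demo on a constructed subuid file, not the host's /etc/subuid.
SAMPLE_SUBUID=$(mktemp)
printf 'alice:100000:65536\nbob:200000:1000\n' > "$SAMPLE_SUBUID"
rootless_ok alice "$SAMPLE_SUBUID" tmpfs runc
rootless_ok bob "$SAMPLE_SUBUID" cgroup2fs crun || true

# Live use (assumes GNU stat and that crun or runc is on PATH):
#   rootless_ok "$(id -un)" /etc/subuid "$(stat -fc %T /sys/fs/cgroup)" \
#       "$(basename "$(command -v crun || command -v runc)")"
```

On a CentOS 7 host like the one in podman info above (cgroup v1, runc) the script reports that rootless containers run but limits cannot be applied; it only reports OK on a cgroup v2 host with crun.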
Skopeo
A tool for working with images in registries without pulling them into local storage: inspecting them, copying them between registries and other transports, and deleting them.
Container migration
A container can be checkpointed, saved to a file, restored on another machine and resumed. From the network's point of view, though, the pause is too long, or the connection is simply interrupted, whereas live migration of a virtual machine in OpenStack is essentially unnoticeable.
Testing showed that podman's checkpoint feature could not even complete the export; I have not yet got it to work. Also, if the container contains zombie processes, export basically fails.