Podman container auto-start on boot
Create a network
[root@Aimmi ~]# podman network create mynetwork
/etc/cni/net.d/mynetwork.conflist
[root@Aimmi ~]# podman network ls
NETWORK ID NAME VERSION PLUGINS
2f259bab93aa podman 0.4.0 bridge,portmap,firewall,tuning
6d1b23123e26 mynetwork 0.4.0 bridge,portmap,firewall,tuning
Edit the subnet and gateway in the newly generated network config file, or specify them at creation time with --subnet (network range and mask) and --gateway (gateway address).
[root@Aimmi ~]# vi /etc/cni/net.d/mynetwork.conflist
{
  "cniVersion": "0.4.0",
  "name": "mynetwork",
  "plugins": [
    {
      "type": "bridge",
      "bridge": "cni-podman1",
      "isGateway": true,
      "ipMasq": true,
      "hairpinMode": true,
      "ipam": {
        "type": "host-local",
        "routes": [
          {
            "dst": "0.0.0.0/0"
          }
        ],
        "ranges": [
          [
            {
              "subnet": "10.89.0.0/24",
              "gateway": "10.89.0.1"
            }
          ]
Edit /usr/share/containers/containers.conf to make the newly created network the default network
[network]
# Path to directory where CNI plugin binaries are located.
#
#cni_plugin_dirs = ["/usr/libexec/cni"]
# The network name of the default CNI network to attach pods to.
#
default_network = "mynetwork"   # add this line
#default_network = "podman"
Create a container and check the network
[root@Aimmi ~]# podman run -d --name web1 docker.io/library/httpd
Trying to pull docker.io/library/httpd:latest...
Getting image source signatures
Copying blob aa379c0cedc2 done
Copying blob bc36ee1127ec done
Copying blob d3576f2b6317 done
Copying blob e5ae68f74026 done
Copying blob f1aa5f54b226 done
Copying config ea28e1b82f done
Writing manifest to image destination
Storing signatures
886d3a6a4f441f73258faca6cecc9b9f2695382080efdd030dd293a08a9f52a0
[root@Aimmi ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:ff:ac:9f brd ff:ff:ff:ff:ff:ff
inet 192.168.145.188/24 brd 192.168.145.255 scope global dynamic noprefixroute ens33
valid_lft 1371sec preferred_lft 1371sec
inet6 fe80::20c:29ff:feff:ac9f/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: cni-podman1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 26:48:af:69:36:91 brd ff:ff:ff:ff:ff:ff
inet 10.89.0.1/24 brd 10.89.0.255 scope global cni-podman1
valid_lft forever preferred_lft forever
inet6 fe80::2448:afff:fe69:3691/64 scope link
valid_lft forever preferred_lft forever
4: vethd95dc440@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master cni-podman1 state UP group default
link/ether 6a:e4:16:b2:2f:f5 brd ff:ff:ff:ff:ff:ff link-netns cni-29c1164b-3dac-1d05-6d23-9902ec915a02
inet6 fe80::68e4:16ff:feb2:2ff5/64 scope link
valid_lft forever preferred_lft forever
Remove the container and check again
[root@Aimmi ~]# docker ps
Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg.
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
886d3a6a4f44 docker.io/library/httpd:latest httpd-foreground 46 seconds ago Up 46 seconds ago web1
[root@Aimmi ~]# podman rm -f web1
886d3a6a4f441f73258faca6cecc9b9f2695382080efdd030dd293a08a9f52a0
[root@Aimmi ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:ff:ac:9f brd ff:ff:ff:ff:ff:ff
inet 192.168.145.188/24 brd 192.168.145.255 scope global dynamic noprefixroute ens33
valid_lft 1310sec preferred_lft 1310sec
inet6 fe80::20c:29ff:feff:ac9f/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: cni-podman1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 26:48:af:69:36:91 brd ff:ff:ff:ff:ff:ff
inet 10.89.0.1/24 brd 10.89.0.255 scope global cni-podman1
valid_lft forever preferred_lft forever
inet6 fe80::2448:afff:fe69:3691/64 scope link
valid_lft forever preferred_lft forever
Viewing the usage of a subcommand
[root@Aimmi ~]# man podman-attach
EXAMPLES
Attach to a container called "foobar".
$ podman attach foobar
Attach to the latest created container.
$ podman attach --latest
Attach to a container that start with the ID "1234".
$ podman attach 1234
Attach to a container without attaching STDIN.
$ podman attach --no-stdin foobar
SEE ALSO
podman(1), podman-exec(1), podman-run(1), containers.conf(5)
Podman firewall rules
[root@Aimmi ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 2 packets, 380 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 1 packets, 52 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 100 packets, 7068 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 100 packets, 7068 bytes)
pkts bytes target prot opt in out source destination
Run a container and publish port 80
[root@Aimmi ~]# podman run -d -p 80:80 --name web01 docker.io/library/httpd
a4d0ba161366743281dcaa96832cbc3f2b5b48018dab3a686aa8e834354ef914
[root@Aimmi ~]# podman port web01
80/tcp -> 0.0.0.0:80
[root@Aimmi ~]# iptables -t nat -nvL
Chain CNI-DN-522077f7b0a2decc7ebb0 (1 references)
pkts bytes target prot opt in out source destination
0 0 CNI-HOSTPORT-SETMARK tcp -- * * 10.89.0.0/24 0.0.0.0/0 tcp dpt:80
0 0 CNI-HOSTPORT-SETMARK tcp -- * * 127.0.0.1 0.0.0.0/0 tcp dpt:80
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:10.89.0.3:80
Access test
[root@Aimmi ~]# curl 10.89.0.3
<html><body><h1>It works!</h1></body></html>
Flush the firewall rules
[root@Aimmi ~]# iptables --flush        # flush the rules
[root@Aimmi ~]# iptables -t nat -F      # flush the specified table (nat)
[root@Aimmi ~]# iptables -t nat -nvL    # the rules have been cleared
Chain PREROUTING (policy ACCEPT 2 packets, 380 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 1 packets, 52 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 113 packets, 8040 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 113 packets, 8040 bytes)
pkts bytes target prot opt in out source destination
Chain CNI-522077f7b0a2decc7ebb0455 (0 references)
pkts bytes target prot opt in out source destination
Chain CNI-HOSTPORT-SETMARK (0 references)
pkts bytes target prot opt in out source destination
Chain CNI-HOSTPORT-MASQ (0 references)
pkts bytes target prot opt in out source destination
Chain CNI-HOSTPORT-DNAT (0 references)
pkts bytes target prot opt in out source destination
Chain CNI-DN-522077f7b0a2decc7ebb0 (0 references)
pkts bytes target prot opt in out source destination
After reloading with the podman network reload command, the rules are present again
[root@Aimmi ~]# podman network reload web01
a4d0ba161366743281dcaa96832cbc3f2b5b48018dab3a686aa8e834354ef914
[root@Aimmi ~]# iptables -t nat -nvL
Chain CNI-DN-522077f7b0a2decc7ebb0 (1 references)
pkts bytes target prot opt in out source destination
0 0 CNI-HOSTPORT-SETMARK tcp -- * * 10.89.0.0/24 0.0.0.0/0 tcp dpt:80
0 0 CNI-HOSTPORT-SETMARK tcp -- * * 127.0.0.1 0.0.0.0/0 tcp dpt:80
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:10.89.0.3:80
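The flush above silently removes the DNAT rules that portmap created for web01 while the container keeps running. As an added example that is not from the original post, this POSIX sh script compares the published ports you expect against an `iptables -t nat -S` dump and prints the `podman network reload` commands needed to restore them; the rule dump and the container list are constructed samples embedded in the script, and the live-check commands named in the comments are the standard podman/iptables ones.

```shell
#!/bin/sh
# Added example, not from the original post: find published ports whose DNAT
# rule is missing from the nat table (what "iptables -F" / "iptables -t nat -F"
# leaves behind) and print the "podman network reload" commands that restore them.
# For a live check: RULES=$(iptables -t nat -S) and build MAPPINGS from
# "podman port -a" plus "podman inspect --format '{{.NetworkSettings.IPAddress}}' CTR".

# missing_dnat RULES MAPPINGS
#   RULES:    output of "iptables -t nat -S"
#   MAPPINGS: lines of "CONTAINER HOSTPORT PROTO CONTAINER_IP CONTAINER_PORT"
# Prints "CONTAINER HOSTPORT/PROTO -> IP:PORT" for every mapping without a DNAT rule.
missing_dnat() {
    rules=$1
    mappings=$2
    printf '%s\n' "$mappings" | while read -r ctr hostport proto ctrip ctrport; do
        [ -n "$ctr" ] || continue
        # The portmap plugin installs one DNAT rule per published port in a
        # CNI-DN-* chain; match on protocol, host port and target address.
        pat="-p $proto .*--dport $hostport -j DNAT --to-destination $ctrip:$ctrport"
        if ! printf '%s\n' "$rules" | grep -q -e "$pat"; then
            printf '%s %s/%s -> %s:%s\n' "$ctr" "$hostport" "$proto" "$ctrip" "$ctrport"
        fi
    done
}

# reload_cmds RULES MAPPINGS: one "podman network reload CTR" per affected container.
reload_cmds() {
    missing_dnat "$1" "$2" | awk '{ print "podman network reload " $1 }' | sort -u
}

# Constructed sample: web01 (80 -> 10.89.0.3:80, as in the post) lost its rule
# after the flush; a second constructed container web02 (8080 -> 10.89.0.4:80)
# still has its rule. The chain name is a placeholder.
SAMPLE_RULES='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-N CNI-HOSTPORT-DNAT
-N CNI-DN-0123456789abcdef01234
-A CNI-HOSTPORT-DNAT -p tcp -m tcp --dport 8080 -j CNI-DN-0123456789abcdef01234
-A CNI-DN-0123456789abcdef01234 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.89.0.4:80'
SAMPLE_MAPPINGS='web01 80 tcp 10.89.0.3 80
web02 8080 tcp 10.89.0.4 80'

missing_dnat "$SAMPLE_RULES" "$SAMPLE_MAPPINGS"   # web01 80/tcp -> 10.89.0.3:80
reload_cmds "$SAMPLE_RULES" "$SAMPLE_MAPPINGS"    # podman network reload web01
```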
Configuration file
[root@Aimmi ~]# cat /etc/cni/net.d/87-podman.conflist
{
  "cniVersion": "0.4.0",
  "name": "podman",
  "plugins": [
    {
      "type": "bridge",            mode
      "bridge": "cni-podman0",     name of the bridge
      "isGateway": true,           gateway
      "ipMasq": true,
      "hairpinMode": true,
      "ipam": {
        "type": "host-local",
        "routes": [{ "dst": "0.0.0.0/0" }],
        "ranges": [
          [
            {
              "subnet": "10.88.0.0/16",
              "gateway": "10.88.0.1"
            }
          ]
        ]
      }
    },
    {
      "type": "portmap",           port mapping
      "capabilities": {
        "portMappings": true
      }
    },
    {
      "type": "firewall"
    },
    {
      "type": "tuning"
    }
  ]
}
Podman container auto-start on boot
Use podman generate --help to view the usage
[root@Aimmi ~]# podman generate --help
Generate structured data based on containers, pods or volumes.
Description:
Generate structured data (e.g., Kubernetes YAML or systemd units) based on containers, pods or volumes.
Usage:
podman generate [command]
Available Commands:
kube Generate Kubernetes YAML from containers, pods or volumes.
systemd Generate systemd units.
Use podman generate systemd --help to view the usage:
[root@Aimmi ~]# podman generate systemd --help
Generate systemd units.
Description:
Generate systemd units for a pod or container.
The generated units can later be controlled via systemctl(1).
Usage:
podman generate systemd [options] {CONTAINER|POD}
Examples:
podman generate systemd CTR
podman generate systemd --new --time 10 CTR
podman generate systemd --files --name POD
Options:
--container-prefix string Systemd unit name prefix for containers (default "container")
-f, --files Generate .service files instead of printing to stdout
--format string Print the created units in specified format (json)
-n, --name Use container/pod names instead of IDs
--new Create a new container instead of starting an existing one
--no-header Skip header generation
--pod-prefix string Systemd unit name prefix for pods (default "pod")
--restart-policy string Systemd restart-policy (default "on-failure")
--separator string Systemd unit name separator between name/id and prefix (default "-")
-t, --time uint Stop timeout override (default 10)
Auto-starting a Podman container service as root
[root@Aimmi ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
1b83066d287f docker.io/library/nginx:latest nginx -g daemon o... About a minute ago Up About a minute ago web
[root@Aimmi ~]# podman generate systemd --files --name web
/root/container-web.service
[root@Aimmi ~]# ls
anaconda-ks.cfg container-web.service
[root@Aimmi ~]# mv container-web.service /usr/lib/systemd/system/
[root@Aimmi ~]# systemctl status container-web
Unit container-web.service could not be found.
● container-web.service - Podman container-web.service
Loaded: loaded (/usr/lib/systemd/system/container-web.service; disabled; vendor preset: disabled)
Active: inactive (dead)
Docs: man:podman-generate-systemd(1)
[root@localhost ~]# systemctl status container-web
● container-web.service - Podman container-web.service
Loaded: loaded (/usr/lib/systemd/system/container-web.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2021-12-15 7:10:44 CST; 10s ago
Docs: man:podman-generate-systemd(1)
Process: 826584 ExecStart=/usr/bin/podman start web (code=exited, status=0/SUCCESS)
Main PID: 826718 (conmon)
Tasks: 3 (limit: 23485)
Memory: 12.2M
CGroup: /system.slice/container-web.service
├─826641 /usr/bin/fuse-overlayfs -o metacopy=on,lowerdir=/var/lib/containers/storage/overlay/l>
└─826718 /usr/bin/conmon --api-version 1 -c 1b83066d287fdb3990a5aa7c6ffcf5133071678e009d62a75b0a3016888aa473
12月 14 23:10:44 localhost.localdomain conmon[826718]: /docker-entrypoint.sh: Launching /docker-entrypoin>
12月 14 23:10:44 localhost.localdomain conmon[826718]: /docker-entrypoint.sh: Configuration complete; rea>
12月 14 23:10:44 localhost.localdomain conmon[826718]: 2021/12/15 7:10:44 [notice] 1#1: using the "epoll>
12月 14 23:10:44 localhost.localdomain conmon[826718]: 2021/12/15 7:10:44 [notice] 1#1: nginx/1.21.4
12月 14 23:10:44 localhost.localdomain conmon[826718]: 2021/12/15 7:10:44 [notice] 1#1: built by gcc 10.>
12月 14 23:10:44 localhost.localdomain conmon[826718]: 2021/12/15 7:10:44 [notice] 1#1: OS: Linux 4.18.0>
12月 14 23:10:44 localhost.localdomain conmon[826718]: 2021/12/15 :10:44 [notice] 1#1: getrlimit(RLIMIT>
[root@localhost ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
1b83066d287f docker.io/library/nginx:latest nginx -g daemon o... 4 hours ago Up About a minute ago 0.0.0.0:80->80/tcp web
Container auto-start on boot as a non-root user
Create a user
[root@Aimmi ~]# useradd zs
Set the password
[root@Aimmi ~]# echo "1" |passwd --stdin zs
Changing password for user zs.
passwd: all authentication tokens updated successfully.
Log in to the host over SSH
[root@Aimmi ~]# ssh zs@192.168.145.188
The authenticity of host '192.168.145.188 (192.168.145.188)' can't be established.
ECDSA key fingerprint is SHA256:fmHgLhKnUYEKWK/DdalZ6BUjZelc5amzjrAq+KH7Evs.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.145.188' (ECDSA) to the list of known hosts.
zs@192.168.145.188's password:
Last failed login: Tue Dec 14 18:15:42 EST 2021 from 192.168.145.188 on ssh:notty
There were 2 failed login attempts since the last successful login.
Start a container
[zs@Aimmi ~]$ podman run --name web -d docker.io/library/nginx
Trying to pull docker.io/library/nginx:latest...
Getting image source signatures
Copying blob ed835de16acd done
Copying blob e5ae68f74026 done
Copying blob 44be98c0fab6 done
Copying blob 881ff011f1c9 done
Copying blob 21e0df283cd6 done
Copying blob 77700c52c969 done
Copying config f652ca386e done
Writing manifest to image destination
Storing signatures
d0d36df52cd31b4cee77e634b98045f6a17fe0d10f44182af032b0e488a1734a
[zs@Aimmi ~]$ docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
d0d36df52cd3 docker.io/library/nginx:latest nginx -g daemon o... 18 seconds ago Up 17 seconds ago web
Create the user systemd directory and generate the unit file
[zs@Aimmi ~]$ mkdir ~/.config/systemd/user -p
[zs@Aimmi ~]$ podman generate systemd --name web --files --new
/home/zs/container-web.service
[zs@Aimmi ~]$ mv container-web.service ~/.config/systemd/user/
[zs@Aimmi ~]$ cd ~/.config/systemd/user/
[zs@Aimmi user]$ cat container-web.service
# container-web.service
# autogenerated by Podman 3.3.1
# Tue Dec 14 18:19:01 EST 2021
[Unit]
Description=Podman container-web.service
Documentation=man:podman-generate-systemd(1)
Wants=network-online.target
After=network-online.target
RequiresMountsFor=%t/containers
[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=on-failure
TimeoutStopSec=70
ExecStartPre=/bin/rm -f %t/%n.ctr-id
ExecStart=/usr/bin/podman run --cidfile=%t/%n.ctr-id --sdnotify=conmon --cgroups=no-conmon --rm --replace --name web -d docker.io/library/nginx
ExecStop=/usr/bin/podman stop --ignore --cidfile=%t/%n.ctr-id
ExecStopPost=/usr/bin/podman rm -f --ignore --cidfile=%t/%n.ctr-id
Type=notify
NotifyAccess=all
[Install]
WantedBy=multi-user.target default.target
Check whether the current user has permission to run systemd
[zs@Aimmi user]$ loginctl
SESSION UID USER SEAT TTY
1 0 root
3 1001 zs
2 sessions listed.
Check the user's systemd status
[zs@Aimmi user]$ loginctl user-status zs
zs (1001)
Since: Tue 2021-12-14 18:15:46 EST; 4min 56s ago
State: active
Sessions: *3
Enable container auto-start through systemd as a regular user
[zs@Aimmi user]$ systemctl --user daemon-reload
[zs@Aimmi user]$ systemctl --user enable --now container-web.service
Created symlink /home/zs/.config/systemd/user/multi-user.target.wants/container-web.service → /home/zs/.config/systemd/user/container-web.service.
Created symlink /home/zs/.config/systemd/user/default.target.wants/container-web.service → /home/zs/.config/systemd/user/container-web.service.
[zs@Aimmi user]$ systemctl status container-web.service
● container-web.service - Podman container-web.service
Loaded: loaded (/etc/systemd/system/container-web.service; enabled; vendo>
Active: active (running) since Wed 2021-12-15 7:22:09 CST; 25min ago
Docs: man:podman-generate-systemd(1)
Process: 126067 ExecStartPre=/bin/rm -f /run/container-web.service.ctr-id >
Main PID: 126210 (conmon)
Tasks: 2 (limit: 25324)
Memory: 1.9M
CGroup: /system.slice/container-web.service
└─126210 /usr/bin
Reboot test
[root@Aimmi ~]# reboot
[root@Aimmi ~]# ssh zs@192.168.145.188
zs@192.168.145.188's password:
Last login: Tue Dec 14 18:15:46 2021 from 192.168.145.188
[zs@Aimmi ~]$ cd ~/.config/systemd/user/
[zs@Aimmi user]$ systemctl status container-web.service
● container-web.service - Podman container-web.service
Loaded: loaded (/etc/systemd/system/container-web.service; enabled; vendo>
Active: active (running) since Wed 2021-12-15 7:24:07 CST; 25min ago
Docs: man:podman-generate-systemd(1)
Process: 126067 ExecStartPre=/bin/rm -f /run/container-web.service.ctr-id >
Main PID: 126210 (conmon)
Tasks: 2 (limit: 25324)
Memory: 1.9M
CGroup: /system.slice/container-web.service
└─126210 /usr/bin
[zs@Aimmi user]$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
488e2a877621 docker.io/library/nginx:latest nginx -g daemon o... About a minute ago Up About a minute ago web
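The rootless procedure above, as an added check that is not part of the original post: this POSIX sh script verifies the three conditions a user unit needs to come up after a reboot with nobody logged in, namely the unit file in ~/.config/systemd/user, its enabled symlink, and lingering for the user (loginctl enable-linger, a step the post does not run). Paths are parameters, and the demo runs against a constructed copy of user zs's home rather than the real system.

```shell
#!/bin/sh
# Added example, not from the original post: check that a rootless container
# unit will start after a reboot with nobody logged in. Besides the steps shown
# above, lingering must be enabled for the user (loginctl enable-linger USER):
# without it the user's systemd instance, and so the unit, only starts at login.
# Paths are parameters so the same check runs against a constructed test tree.

# check_rootless_autostart USER HOME UNIT [LINGER_DIR]
# Prints one line per problem found; returns 0 if all checks pass, 1 otherwise.
check_rootless_autostart() {
    user=$1
    home=$2
    unit=$3
    linger_dir=${4:-/var/lib/systemd/linger}   # logind keeps one file per lingering user
    unit_dir="$home/.config/systemd/user"
    rc=0
    if [ ! -e "$linger_dir/$user" ]; then
        echo "lingering is off for $user; run: loginctl enable-linger $user"
        rc=1
    fi
    if [ ! -f "$unit_dir/$unit" ]; then
        echo "$unit_dir/$unit does not exist"
        rc=1
    elif ! grep -q '^WantedBy=.*default\.target' "$unit_dir/$unit"; then
        echo "$unit lacks WantedBy=default.target, so enable will not link it into the user session"
        rc=1
    fi
    if [ ! -L "$unit_dir/default.target.wants/$unit" ]; then
        echo "$unit is not enabled; run: systemctl --user enable --now $unit"
        rc=1
    fi
    return $rc
}

# make_sample_tree BASE: constructed copy of user zs's layout from the post
# (unit generated with --new and enabled, but lingering not yet turned on).
make_sample_tree() {
    base=$1
    mkdir -p "$base/home/zs/.config/systemd/user/default.target.wants" "$base/linger"
    printf '%s\n' '[Unit]' 'Description=Podman container-web.service' \
        '[Install]' 'WantedBy=multi-user.target default.target' \
        > "$base/home/zs/.config/systemd/user/container-web.service"
    ln -sf ../container-web.service \
        "$base/home/zs/.config/systemd/user/default.target.wants/container-web.service"
}

demo=$(mktemp -d) && make_sample_tree "$demo"
check_rootless_autostart zs "$demo/home/zs" container-web.service "$demo/linger" || echo "-> fix the items above"
rm -rf "$demo"
```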