Podman – Rootless networking

adminDocker / Podman, Linux, RedHat / CentOS

Loading

測試環境為 CentOS 8 x86_64 虛擬機.

參考文章 – https://www.redhat.com/sysadmin/container-networking-podman

Podman 為無背景程序(Daemonless)的容器引擎, Container 可以使用 root 或 非 root 的使用者來執行,相較於 docker 是個 Daemon ,且需要操作的使用者要有 root 相同權限才能執行.

預設使用 Podman 為 Rootless networking , Container 容器本身是沒有 IP地址, 可以使用 -P 或是 -p (下面說明) 來指定,其中 Rootless 與 Rootfull networking 的最大差別是 Rootfull networking 可以使用 < 1024 的埠 (已經定義好功能的埠,如 http 為 TCP port 80 )

使用一般使用者 ben (非 sudo user)登入並操作.

下面使用 Nginx (http server) rootless container 的網路與 Host 之間或是 Container 彼此間進行溝通.

[ben@localhost ~]$ podman search nginx
docker.io  docker.io/library/nginx                               Official build of Nginx.                         14935   [OK]      
...

[root@localhost ~]# podman pull docker.io/library/nginx 
Trying to pull docker.io/library/nginx:latest...
Getting image source signatures
Copying blob 8283eee92e2f done  
Copying blob febe5bd23e98 done  
Copying blob 69692152171a done  
Copying blob 30afc0b18f67 done  
Copying blob 351ad75a6cfa done  
Copying blob 596b1d696923 done  
Copying config d1a364dc54 done  
Writing manifest to image destination
Storing signatures
d1a364dc548d5357f0da3268c888e1971bbdb957ee3f028fe7194f1d61c6fdee

[root@localhost ~]# podman images
REPOSITORY               TAG     IMAGE ID      CREATED     SIZE
docker.io/library/nginx  latest  d1a364dc548d  6 days ago  137 MB

如果要讓 Rootless Host 與 Container 或是兩個及多個 Container 之間進行溝通,可以使用 Port mapping (-P 以及 -p) 的方式將系統的埠對應到到 Container

  • –publish-all, -P=true|false
    直接 run ,沒有 container image 時也會直接下載.

    [ben@localhost ~]$ podman run -dt --rm -P docker.io/library/nginx 
94549950c36e95329ff572f42fe960e8185723c5011a921cb262ee21b17ae2d5

    使用參數:

    • –detach, -d=true|false
      Detached mode: run the container in the background and print the new container ID.
    • –tty, -t=true|false
      Allocate a pseudo-TTY. The default is false.
    • –rm=true|false
      Automatically remove the container when it exits. The default is false.
    • –publish-all, -P=true|false
      Publish all exposed ports to random ports on the host interfaces. The default is false.

    下面可以看到參數 -P 的用途.

    我們看一下 目前的 Nginx Container 是否在運作. 可以看到 Port mapping 的方式將 Container : 0.0.0.0:40801 對應到系統的埠 80 .

    [ben@localhost ~]$ podman ps -a
CONTAINER ID  IMAGE                           COMMAND               CREATED             STATUS                 PORTS                  NAMES
30bfef81d214  docker.io/library/nginx:latest  nginx -g daemon o...  About a minute ago  Up About a minute ago  0.0.0.0:40801->80/tcp  cool_williams

    也可以從以下的指令來觀看.

    [ben@localhost ~]$ podman port -a
30bfef81d214	80/tcp -> 0.0.0.0:40801
    • Host -> Container
      我們可以使用以下的埠來與 Nginx Container 溝通. 

      [ben@localhost ~]$ curl http://localhost:40801
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

      除了 http://localhost:port 外,還可以用 Host 本身的 IP:port .

      [ben@localhost ~]$ ifconfig 
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.111.28  netmask 255.255.255.0  broadcast 192.168.111.255
        inet6 fd15:4ba5:5a2b:1008:2534:caad:aa13:d5dc  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::32a6:f7d6:b492:4c36  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:19:5f:5a  txqueuelen 1000  (Ethernet)
        RX packets 115  bytes 17519 (17.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 114  bytes 16343 (15.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

      [ben@localhost ~]$ curl 192.168.111.28:40801
    • Container -> Container
      方式一樣.

      [ben@localhost ~]$ podman run -it --rm docker.io/library/nginx /bin/sh

      # curl 192.168.111.28:40801
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

      # exit
[ben@localhost ~]$

    前面有下 -rm 所以當我們把 container stop 之後,該 container 有就消失了.

    [ben@localhost ~]$ podman stop cool_williams
cool_williams
[ben@localhost ~]$ podman ps -a
CONTAINER ID  IMAGE   COMMAND  CREATED  STATUS  PORTS   NAMES
  • –publish, -p=ip:hostPort:containerPort
    前面使用 -P 讓 podman 來分配埠 port.
    我們也可以用指定的方式

    • –publish, -p=ip:hostPort:containerPort | ip::containerPort | hostPort:containerPort | containerPort
      Publish a container’s port, or range of ports, to the host.

    跟前面範例類似,就不一一說明,最大的差別是用參數 -p 192.168.111.28(IP):8080(hostPort):80(containerPort)/tcp

    先來看一下目前我 Host 所使用的 IP .

    [ben@localhost ~]$ ifconfig ens33
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.111.28  netmask 255.255.255.0  broadcast 192.168.111.255
        inet6 fe80::32a6:f7d6:b492:4c36  prefixlen 64  scopeid 0x20<link>
        inet6 fd15:4ba5:5a2b:1008:2534:caad:aa13:d5dc  prefixlen 64  scopeid 0x0<global>
        ether 00:0c:29:19:5f:5a  txqueuelen 1000  (Ethernet)
        RX packets 41557  bytes 56578613 (53.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 9621  bytes 1156735 (1.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    [ben@localhost ~]$ podman run -dt --rm -p 192.168.111.28:8080:80/tcp docker.io/library/nginx 
73ed388f9043734bbc2cad1e808b22b5b20d935d5a6c3e8c1c6317898eb879fa

    [ben@localhost ~]$ podman ps -a
CONTAINER ID  IMAGE                    COMMAND               CREATED        STATUS            PORTS                      NAMES
138d54e829cf  docker.io/library/nginx  nginx -g daemon o...  2 seconds ago  Up 2 seconds ago  192.168.111.28:8080->80/tcp  eager_ride

    [ben@localhost ~]$ podman port -a
138d54e829cf	80/tcp -> 192.168.111.28:8080
    • Host -> Container
      我們可以使用剛剛指定的 8080 埠來與 Nginx Container 溝通. 

      [ben@localhost ~]$ curl http://192.168.111.28:8080
    • Container -> Container
      方式一樣.

      [ben@localhost ~]$ podman run -it --rm docker.io/library/nginx /bin/sh

      # curl 192.168.111.28:8080
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

      # exit
[ben@localhost ~]$

    前面有下 -rm 所以當我們把 container stop 之後,該 container 有就消失了.

    [ben@localhost ~]$ podman stop eager_ride
eager_ride

    [ben@localhost ~]$ podman ps -a
CONTAINER ID  IMAGE   COMMAND  CREATED  STATUS  PORTS   NAMES
    • 沒有解決問題,試試搜尋本站其他內容

    發佈留言

    發佈留言必須填寫的電子郵件地址不會公開。 必填欄位標示為 *

    這個網站採用 Akismet 服務減少垃圾留言。進一步了解 Akismet 如何處理網站訪客的留言資料