Basic setup and use of Podman in a rootless environment
User operation
Before allowing users without root privileges to run Podman, the administrator must install or build Podman and complete the following configuration.
cgroup V2 is a Linux kernel feature that allows the resources used by ordinary users' containers to be limited. If the Linux distribution running Podman has cgroup V2 enabled, you may need to change the default OCI runtime: some older versions of runc do not work with cgroup V2, so you must switch to the alternative OCI runtime, crun.
[root@localhost ~]# rpm -qa | grep crun
[root@localhost ~]# yum -y install crun    // not present on this host, so install it; most CentOS 8 systems ship with it
[root@localhost ~]# cd /usr/share/containers/
[root@localhost containers]# pwd
/usr/share/containers
[root@localhost containers]# ls
containers.conf  mounts.conf  seccomp.json  selinux
[root@localhost containers]# vim containers.conf
# Default OCI runtime
runtime = "crun"    // uncomment this line and change runc to crun
#runtime = "runc"
[root@localhost ~]# podman run -d --name web1 -p 80:80 httpd
3ddfdbef3bdb893f09a1c6fcff27cffa8d465db68dccc83be1f5ad57eb31e1a2
[root@localhost ~]# podman ps
CONTAINER ID  IMAGE                           COMMAND           CREATED        STATUS            PORTS               NAMES
3ddfdbef3bdb  docker.io/library/httpd:latest  httpd-foreground  4 seconds ago  Up 4 seconds ago  0.0.0.0:80->80/tcp  web1
[root@localhost ~]#
Install slirp4netns and fuse-overlayfs
When running Podman as an ordinary user, fuse-overlayfs is recommended instead of the VFS storage driver; this requires fuse-overlayfs version 0.7.6 or later. Newer Podman versions use it by default.
If they are not installed, install them with the following commands:
yum -y install slirp4netns
yum -y install fuse-overlayfs
[root@localhost ~]# rpm -qa | grep slirp4netns
slirp4netns-1.1.8-1.module_el8.5.0+890+6b136101.x86_64
[root@localhost ~]# rpm -qa | grep fuse-overlayfs
fuse-overlayfs-1.7.1-1.module_el8.5.0+890+6b136101.x86_64
[root@localhost ~]#
[root@localhost ~]# cd /etc/containers/
[root@localhost containers]# vim storage.conf
# directly.
mount_program = "/usr/bin/fuse-overlayfs"    // uncomment this line
[root@localhost containers]# which fuse-overlayfs    // check whether the binary can be found; if it is, the setup works
/usr/bin/fuse-overlayfs
[root@localhost containers]#
/etc/subuid and /etc/subgid configuration
Podman requires the user running it to have a range of UIDs and GIDs listed in the /etc/subuid and /etc/subgid files. The shadow-utils or newuid package provides these files.
[root@localhost ~]# dnf -y install shadow-utils    // usually installed together with podman
// In /etc/subuid and /etc/subgid the range of each user must be unique, and ranges must not overlap.
[root@localhost ~]# useradd laoliu
[root@localhost ~]# id laoliu
uid=1001(laoliu) gid=1001(laoliu) groups=1001(laoliu)
[root@localhost ~]#
[root@localhost ~]# cat /etc/subuid
cys:100000:65536
laoliu:165536:65536
[root@localhost ~]#
// Enable unprivileged ping
[root@localhost ~]# vim /etc/sysctl.conf
net.ipv4.ping_group_range=0 200000    // an upper bound above 100000 means laoliu can use it with podman
The format of this file is USERNAME:UID:RANGE, where USERNAME is a user name from /etc/passwd (as listed in the output of getpwent).
UID: the first UID of the range assigned to the user.
RANGE: the size of the UID range assigned to the user.
The usermod program can be used to assign subordinate UIDs and GIDs to users instead of editing the files directly.
[root@localhost ~]# usermod --del-subuids 165536-231072 --del-subgids 165536-231072 laoliu
[root@localhost ~]# cat /etc/subuid
cys:100000:65536
[root@localhost ~]# usermod --add-subuids 200000-201000 --add-subgids 200000-201000 laoliu
[root@localhost ~]# cat /etc/subuid
cys:100000:65536
laoliu:200000:1001
[root@localhost ~]#
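The text states that each user's range in /etc/subuid and /etc/subgid must be unique and must not overlap, but nothing above checks that. The following shell function is an added example (not part of the original post or of Podman itself) that validates a file in the USERNAME:UID:RANGE format: it rejects malformed lines, users listed twice, and any two ranges that overlap. The sample file it runs on at the end is constructed here to mirror the entries shown above; in practice you would point it at /etc/subuid and /etc/subgid.

```shell
#!/bin/sh
# Added example: validate a subuid/subgid-format file.
# Returns 0 when every line is USERNAME:START:COUNT, no user appears twice,
# and no two ranges overlap; otherwise prints the problems and returns 1.
check_subid_file() {
    file="$1"
    awk -F: '
        BEGIN { bad = 0 }
        /^[[:space:]]*$/ { next }                       # ignore blank lines
        NF != 3 || $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ || $3 == 0 {
            printf("malformed line %d: %s\n", NR, $0); bad = 1; next
        }
        ($1 in seen) { printf("duplicate entry for user %s\n", $1); bad = 1 }
        { seen[$1] = 1 }
        {
            user[NR] = $1; start[NR] = $2 + 0; end[NR] = $2 + $3 - 1
            # compare this range against every earlier well-formed range
            for (i = 1; i < NR; i++) {
                if ((i in start) && start[NR] <= end[i] && start[i] <= end[NR]) {
                    printf("overlap: %s (%d-%d) and %s (%d-%d)\n",
                           user[i], start[i], end[i], user[NR], start[NR], end[NR])
                    bad = 1
                }
            }
        }
        END { exit bad }
    ' "$file"
}

# Demo on a constructed file (the real files are /etc/subuid and /etc/subgid)
demo=$(mktemp)
printf 'cys:100000:65536\nlaoliu:165536:65536\n' > "$demo"
check_subid_file "$demo" && echo "ok: ranges are unique and do not overlap"
rm -f "$demo"
```

Run it as `check_subid_file /etc/subuid && check_subid_file /etc/subgid` after every useradd or usermod change; a non-zero exit means two users would share host UIDs, which defeats the isolation rootless containers rely on.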
User configuration files
The three main configuration files are containers.conf, storage.conf and registries.conf. Users can modify these files as needed.
containers.conf
// user configuration files
[root@localhost ~]# cat /usr/share/containers/containers.conf
[root@localhost ~]# cat /etc/containers/containers.conf
[root@localhost ~]# cat ~/.config/containers/containers.conf    // highest priority
They are read in this order, if they exist. Each file can override specific fields of the previous one.
Configure the storage.conf file
1. /etc/containers/storage.conf
2. $HOME/.config/containers/storage.conf
For ordinary (non-root) users, some fields in /etc/containers/storage.conf are ignored.
[root@localhost ~]# vi /etc/containers/storage.conf
[storage]
# Default Storage Driver, Must be set for proper operation.
driver = "overlay"    # change to overlay here
.......
mount_program = "/usr/bin/fuse-overlayfs"    # uncomment this line
[root@localhost ~]# vim /etc/sysctl.conf
user.max_user_namespaces=15000
For ordinary users, these fields default to:
graphroot="$HOME/.local/share/containers/storage"
runroot="$XDG_RUNTIME_DIR/containers"
registries.conf
The configuration is read in the order below. These files are not created by default; you can copy them from /usr/share/containers to /etc/containers and modify them.
[root@localhost ~]# find / -name registries.conf
/etc/containers/registries.conf
[root@localhost ~]#
1. /etc/containers/registries.conf
2. /etc/containers/registries.d/*
3. $HOME/.config/containers/registries.conf
The password of the Docker account is written in this file and is displayed in encrypted form.
Login authorization works the same way for the non-root user and the root user.
// non-root user
[root@localhost ~]# su - laoliu
[laoliu@localhost ~]$ find / -name auth.json
[laoliu@localhost ~]$ cat /tmp/podman-run-1001/containers/auth.json
{
	"auths": {
		"docker.io": {
			"auth": "MGI4ZDU3MmQxYzdkOjEyMzQ1Njc4OQ=="
		}
	}
}[laoliu@localhost ~]$
// root user
[root@localhost ~]# podman login
Username: 0b8d572d1c7d
Password:
Login Succeeded!
[root@localhost ~]# find / -name auth.json
/run/user/0/containers/auth.json
[root@localhost ~]# cat /run/user/0/containers/auth.json
{
	"auths": {
		"docker.io": {
			"auth": "MGI4ZDU3MmQxYzdkOjEyMzQ1Njc4OQ=="
		}
	}
}[root@localhost ~]#
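One caveat a practitioner should know about the auth.json shown above: the "auth" value is the base64 encoding of username:password, which any reader of the file can reverse, so the file's permissions are the only thing protecting the registry credential. The following shell functions are an added example (not part of the original post or of Podman) that audit such a file: one checks that the mode is owner-only, the other lists the registry and user name of each entry without printing the password. The auth.json it runs on is constructed inline; the user name alice and password s3cret are made up for the demo.

```shell
#!/bin/sh
# Added example: audit a Podman/Docker auth.json.

# Returns 0 if the file is readable only by its owner (mode 600 or 400), 1 otherwise.
auth_json_mode_ok() {
    file="$1"
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "WARNING: $file has mode $mode; expected 600" >&2; return 1 ;;
    esac
}

# Prints "REGISTRY USERNAME" for each entry. The auth field is base64(user:password);
# only the part before the colon is shown. Parsing is a simple pattern match that
# handles the {"auths": {"<registry>": {"auth": "..."}}} layout shown in the text.
auth_json_users() {
    tr -d ' \t\n' < "$1" \
      | grep -o '"[^"]*":{"auth":"[^"]*"}' \
      | sed 's/^"\([^"]*\)":{"auth":"\([^"]*\)"}$/\1 \2/' \
      | while read -r registry b64; do
            user=$(printf '%s' "$b64" | base64 -d 2>/dev/null | cut -d: -f1)
            echo "$registry $user"
        done
}

# Demo on a constructed auth.json (real locations: $XDG_RUNTIME_DIR/containers/auth.json
# for the user shown above, /run/user/0/containers/auth.json for root)
demo_dir=$(mktemp -d)
demo="$demo_dir/auth.json"
printf '{\n  "auths": {\n    "docker.io": {\n      "auth": "%s"\n    }\n  }\n}\n' \
    "$(printf 'alice:s3cret' | base64)" > "$demo"
chmod 600 "$demo"
auth_json_mode_ok "$demo" && echo "permissions ok"
auth_json_users "$demo"        # prints: docker.io alice
rm -rf "$demo_dir"
```

Because the credential is only encoded, treat auth.json like a private key: keep it on a tmpfs such as $XDG_RUNTIME_DIR (as Podman does by default), never copy it into an image or a world-readable backup, and run `podman logout` when it is no longer needed.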
Ordinary users cannot see the root user's images.
// root user
[root@localhost ~]# podman images
REPOSITORY               TAG     IMAGE ID      CREATED      SIZE
docker.io/library/httpd  latest  ea28e1b82f31  11 days ago  146 MB
// ordinary user
[root@localhost ~]# su - laoliu
[zz@localhost ~]$ podman images
REPOSITORY  TAG  IMAGE ID  CREATED  SIZE
volume
If a rootless container runs as the root user, root inside the container is actually your own user on the host.
Other UIDs and GIDs inside the container are mapped onto the range listed for the user in /etc/subuid and /etc/subgid, starting from the first UID/GID of that range.
If, as an ordinary user, you mount a host directory into the container and create a file in it as root inside the container, you will see that the file is actually owned by your user on the host.
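The mapping just described is worth being able to compute, both to predict who will own files written through a volume and, when investigating a host file owned by an odd UID such as 200032, to work out which container user wrote it. The following shell functions are an added example (not part of the original post or of Podman) that apply the rule from the text: container UID 0 is the host user, container UID 1 onward maps in order onto the user's subordinate range, and anything beyond that range has no host mapping. The subuid lookup reads a file in /etc/subuid format; the sample file is constructed here with the laoliu entry (UID 1001, range 200000:1001) from the usermod output above.

```shell
#!/bin/sh
# Added example: translate between container UIDs and host UIDs for a rootless user.

# host_uid_for CONTAINER_UID HOST_UID SUBUID_START SUBUID_COUNT
# Prints the host UID that owns a file created by CONTAINER_UID, or "unmapped".
host_uid_for() {
    cuid=$1; huid=$2; s=$3; n=$4
    if [ "$cuid" -eq 0 ]; then
        echo "$huid"                       # container root == the host user
    elif [ "$cuid" -ge 1 ] && [ "$cuid" -le "$n" ]; then
        echo $((s + cuid - 1))             # container UID 1 -> first subordinate UID
    else
        echo unmapped                      # shows up as nobody/65534 on the host
    fi
}

# container_uid_for HOST_UID_OF_FILE HOST_UID SUBUID_START SUBUID_COUNT
# The inverse: which container UID produced a file owned by HOST_UID_OF_FILE.
container_uid_for() {
    hid=$1; huid=$2; s=$3; n=$4
    if [ "$hid" -eq "$huid" ]; then
        echo 0
    elif [ "$hid" -ge "$s" ] && [ "$hid" -lt $((s + n)) ]; then
        echo $((hid - s + 1))
    else
        echo unmapped
    fi
}

# subuid_range FILE USER: prints "START COUNT" for the user's first entry in FILE.
subuid_range() {
    awk -F: -v u="$2" '$1 == u { print $2, $3; exit }' "$1"
}

# Demo with a constructed file (the real one is /etc/subuid) for user laoliu, UID 1001
sample=$(mktemp)
printf 'cys:100000:65536\nlaoliu:200000:1001\n' > "$sample"
range=$(subuid_range "$sample" laoliu)
start=${range% *}; count=${range#* }
echo "container root    -> host uid $(host_uid_for 0 1001 "$start" "$count")"
echo "container uid 1   -> host uid $(host_uid_for 1 1001 "$start" "$count")"
echo "container uid 33  -> host uid $(host_uid_for 33 1001 "$start" "$count")"
echo "container uid 5000 -> $(host_uid_for 5000 1001 "$start" "$count")"
echo "host uid 200032 was written by container uid $(container_uid_for 200032 1001 "$start" "$count")"
rm -f "$sample"
```

This is why a service such as httpd that drops to a non-root user inside the container leaves host files owned by a UID from the subordinate range rather than by your account; the `podman unshare` command enters the same mapping if you need to manage those files.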
Use volume