This article was first published in the WeChat public account "Beauty of Operation and Maintenance" (public account ID: Hi-Linux).
Mike, the author of the public account, earns 3000 yuan a month as a handyman. He has worked in IT for 15+ years, is keen on the Internet technology field, identifies with open source culture, and has his own unique insights into operations-related technology. I am willing to share my accumulated experience and skills with you. Don't miss the dry goods. If you want to contact me, follow the public account for the relevant information.
What is a Linux container?
Linux containers are processes with specific isolation capabilities provided by the Linux kernel. Linux container technology allows you to package or isolate your application together with its entire runtime environment, including all the files it needs. This lets you easily move your application between environments (such as development, test, and production) while keeping it fully functional.
Linux containers also make for a clear division of responsibilities, reducing conflict between development and operations teams: developers can focus on application development while the operations team focuses on infrastructure maintenance. Because Linux containers are built on open source technology, it is also easier to adopt newer, more powerful products in the future. Container technologies such as CRI-O, Kubernetes, and Docker can help your team simplify, speed up, and orchestrate application development and deployment.
What is Docker?
Docker is an open source application container engine, a packaging of Linux container technology. Docker provides an easy-to-use container interface that lets developers package their application and its dependencies into a portable container and then publish it to any popular Linux machine. Containers are completely sandboxed and have no interface with each other.
Docker is currently the most popular Linux container solution. Even though Docker is currently a very convenient tool for managing Linux containers, it also has two disadvantages:
Docker needs to run a daemon on your system.
Docker runs this daemon on your system as root.
These shortcomings carry certain security risks. To address them, the next-generation containerization tool Podman appeared.
What is Podman?
Podman is an open source container runtime project that is available on most Linux platforms. Podman provides very similar functionality to Docker. As mentioned earlier, it doesn’t need to run any daemons on your system, and it can also run without root privileges.
Podman can manage and run any container and container image that conforms to the OCI (Open Container Initiative) specification. Podman provides a Docker-compatible command-line front end for managing Docker images.
Podman's website: podman.io
Podman project address: github.com/containers/…
Podman can now be installed from packages on most distributions. Here are some examples for common distributions.
Ubuntu (via the projectatomic PPA)
$ sudo apt-get update -qq
$ sudo add-apt-repository -y ppa:projectatomic/ppa
$ sudo apt-get -qq -y install podman

RHEL 7 (enable the Extras repository first)
$ sudo subscription-manager repos --enable=rhel-7-server-extras-rpms

Arch Linux
$ sudo pacman -S podman

Packages are also available for Fedora / CentOS and MacOS. For other systems, the easiest way is to follow the installation guide at github.com/containers/…
Using Podman is very easy, Podman commands are mostly the same as Docker commands. Let’s look at some common examples:
Run a container (a complete podman run command appears in the Systemd section below), then list all containers:
$ sudo podman ps -a

View the logs of the most recently created container:
$ sudo podman logs --latest
10.88.0.1 - - [07/Feb/2018:15:22:11 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.55.1" "-"
10.88.0.1 - - [07/Feb/2018:15:22:30 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.55.1" "-"
10.88.0.1 - - [07/Feb/2018:15:22:30 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.55.1" "-"
10.88.0.1 - - [07/Feb/2018:15:22:31 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.55.1" "-"
10.88.0.1 - - [07/Feb/2018:15:22:31 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.55.1" "-"

Podman can also display the resource usage of a running container.

Stop the most recently created container:
$ sudo podman stop --latest

Delete a container:
$ sudo podman rm --latest

These commands behave essentially the same as their Docker counterparts; Podman is compatible with them and also supports some new features.
Checkpoint a container (requires CRIU 3.11 or later; CRIU project address: criu.org/):
$ sudo podman container checkpoint <container_id>

Restore a container:
$ sudo podman container restore <container_id>

Migration of containers
Podman supports migrating a container from one machine to another.
First, checkpoint the container on the source machine and export it as an archive at the specified location. Then transfer the archive to the destination machine:
$ scp /tmp/checkpoint.tar.gz <destination_system>:/tmp

Next, restore the container on the destination machine from the archive transferred from the source machine.
$ sudo podman container restore -i /tmp/checkpoint.tar.gz

Configure an alias
If you are used to the Docker commands, you can configure an alias for Podman and switch over seamlessly. You just need to add the following line to .bashrc:
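The migration procedure above as one script, added here as an example; it is not the article's code nor Podman project code. It assumes podman with CRIU support on both hosts, ssh/scp access to the destination host, and sha256sum or shasum on both; the function names and the /tmp paths are the example's own. It adds one step the article does not show: a SHA-256 digest travels with the archive and is verified before podman container restore runs, because the archive holds the container's process memory and file state and a corrupted or swapped archive must not be restored.

```shell
#!/bin/sh
# Added example (not the article's own): checkpoint a Podman container,
# ship the archive to another host with a checksum, verify it there, restore.
# Assumed: podman + CRIU on both hosts, scp access to the destination host.
set -eu

# SHA-256 of a file, portable between coreutils (sha256sum) and macOS (shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Returns 0 only when the archive's SHA-256 matches the recorded digest file.
# The digest file may hold a bare hash or "hash  filename"; both are accepted.
verify_checksum() {
    archive=$1
    digest_file=$2
    [ -f "$archive" ] && [ -f "$digest_file" ] || return 1
    expected=$(cut -d' ' -f1 < "$digest_file")
    actual=$(sha256_of "$archive")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Source host: checkpoint the container, export it to an archive (-e),
# record the digest and copy both files to the destination.
do_checkpoint() {
    ctr=$1
    archive=$2
    dest_host=$3
    sudo podman container checkpoint -e "$archive" "$ctr"
    sha256_of "$archive" > "$archive.sha256"
    scp "$archive" "$archive.sha256" "$dest_host:/tmp/"
}

# Destination host: refuse to restore unless the digest matches.
do_restore() {
    archive=$1
    verify_checksum "$archive" "$archive.sha256" || {
        echo "checksum mismatch for $archive, not restoring" >&2
        return 1
    }
    sudo podman container restore -i "$archive"
}

# Usage: migrate.sh checkpoint <container_id> /tmp/checkpoint.tar.gz <destination_system>
#        migrate.sh restore /tmp/checkpoint.tar.gz
case "${1:-}" in
    checkpoint) do_checkpoint "$2" "$3" "$4" ;;
    restore)    do_restore "$2" ;;
esac
```

Run the checkpoint subcommand on the source machine and the restore subcommand on the destination; the digest file is written next to the archive with a .sha256 suffix.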
Automatically restarting containers
Podman does not restart containers automatically, because it no longer relies on a daemon to manage them. So how do you make a container start again automatically after a reboot?
In fact, the method is very simple. Most systems now use Systemd as their init and service manager, so we can let Systemd restart the Podman container for us. Let's take an Nginx container as an example.
First, run an Nginx container.
$ sudo podman run -t -d -p 80:80 --name nginx nginx

Then create a Systemd service file for it.
$ vim /etc/systemd/system/nginx_container.service

[Unit]
Description=Podman Nginx Service
After=network.target
After=network-online.target

[Service]
Type=simple
ExecStart=/usr/bin/podman start -a nginx
ExecStop=/usr/bin/podman stop -t 10 nginx
Restart=always

[Install]
WantedBy=multi-user.target

Next, enable and start the Systemd service.
$ sudo systemctl start nginx_container.service

You can check the health of the service with the systemctl status command.
$ sudo systemctl status nginx_container.service
● nginx_container.service - Podman Nginx Service
   Loaded: loaded (/etc/systemd/system/nginx_container.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2019-08-20 20:59:26 UTC; 1min 41s ago
 Main PID: 845 (podman)
    Tasks: 16 (Limit: 4915)
   Memory: 37.5M
   CGroup: /system.slice/nginx_container.service
           ├─855 /usr/bin/podman start -a nginx

Aug 20 20:59:26 Ubuntu-dev.novalocal systemd[1]: Started Podman Nginx Service.

Each time the system restarts, Systemd automatically starts the container that belongs to the service.
Podman is part of the OCI container ecosystem initiative and focuses on helping users maintain and modify OCI-compliant container images. Other components of that ecosystem include Buildah, Skopeo, and others.
Buildah
Podman also lets users build Docker images, but its builds are slower, and its default VFS storage driver consumes a lot of disk space.
Buildah is a tool focused on building OCI container images. Buildah builds very quickly and uses the overlay storage driver, which saves a lot of space.
Buildah is based on the fork-exec model and does not run as a daemon. Buildah supports all the commands in Dockerfile. You can build images directly using Dockerfiles and do not need any root permissions. Buildah also supports building images with its own syntax files, allowing other scripting languages to be integrated into the build process.
Here is an example of a build using Buildah's own syntax.
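An added example of a build written with Buildah's native commands; it is not the article's own example nor Buildah project code. It assumes buildah is installed, the Alpine base image can be pulled, and a local ./app/index.html exists; the image reference check and the helper names are the example's own. It builds a small static web server image and, as a practitioner would, configures it to run as an unprivileged user rather than root.

```shell
#!/bin/sh
# Added example (not the article's own): build an OCI image with Buildah's
# native commands instead of a Dockerfile. Assumed: buildah installed, the
# Alpine base image pullable, ./app/index.html present in the working dir.
set -eu

# The commit target must be a lowercase OCI reference with an optional tag;
# reject anything else up front instead of failing at the end of the build.
valid_image_ref() {
    printf '%s' "$1" | grep -Eq '^[a-z0-9]+([._/-][a-z0-9]+)*(:[a-zA-Z0-9_.-]+)?$'
}

build_image() {
    ref=$1
    valid_image_ref "$ref" || {
        echo "invalid image reference: $ref" >&2
        return 1
    }

    # Each build step is an ordinary command, so loops, conditionals or a
    # second script can sit between them; that is what "integrating other
    # scripting languages into the build" means in practice.
    ctr=$(buildah from docker.io/library/alpine:3.10)
    # busybox-extras provides the small busybox httpd used below.
    buildah run "$ctr" -- apk add --no-cache busybox-extras
    buildah copy "$ctr" ./app/index.html /srv/index.html

    # Create an unprivileged user and make it the image's default user so
    # the container does not run as root, which is also what a rootless
    # runtime like Podman expects.
    buildah run "$ctr" -- adduser -D -u 1001 web
    buildah config --user 1001 --port 8080 \
        --cmd 'httpd -f -p 8080 -h /srv' "$ctr"

    # Commit the working container to an image and remove the container.
    buildah commit "$ctr" "$ref"
    buildah rm "$ctr"
}

# Usage: build.sh localhost/static-web:latest
if [ $# -gt 0 ]; then
    build_image "$1"
fi
```

The resulting image can be run with podman run -p 8080:8080 localhost/static-web:latest; inside the container, httpd runs as uid 1001.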
One major difference between Buildah and Podman is that Podman is used to run and manage containers, allowing us to manage and maintain these images and containers in a production environment using familiar container CLI commands, while Buildah is mainly used to build containers.
Project address: github.com/containers/…
Skopeo
Skopeo is an image management tool that lets us handle Docker and OCI-compliant images by pushing, pulling, and copying them.
Project address: github.com/containers/…
What is OCI?
OCI (Open Container Initiative) is a lightweight, open governance structure (project). Founded with the support of the Linux Foundation, it strives to create open industry standards around container formats and runtimes.
OCI was launched in June 2015 by Docker, CoreOS, and other leaders in the container industry. Its technical committee members include Red Hat, Microsoft, Docker, Cruise, IBM, Google and SUSE, among others.
What is CRI?
Container Runtime Interface (CRI) is a container runtime interface introduced in Kubernetes v1.5. It decouples the Kubelet from the container runtime. The original internal interface, which was entirely Pod-oriented, was split into gRPC interfaces for Sandbox and Container, and image management and container management were separated into different services.
What is CNI?
Container Network Interface (CNI) is a CNCF project. It is a container network standard developed by Google and CoreOS. CNI contains method specifications, parameter specifications, and so on; it is a set of standards and libraries for Linux container network configuration, and users can develop their own container network plug-ins against them. CNI has been adopted by Kubernetes, Mesos, Cloud Foundry, rkt and others, while projects such as Calico and Weave provide plug-ins for CNI.
Summary
This article introduced three CRI compliant container tools: Podman, Buildah, and Skopeo. All three are based on the traditional *nix fork-exec model and improve container performance and security by avoiding the startup and security problems caused by the Docker daemon.
Author: HiLinux
Link: www.jianshu.com/p/56d66837d…
Copyright belongs to the author. For commercial reprints, please contact the author for authorization; for non-commercial reprints, please indicate the source.