What is Podman

1. Podman concept

Podman is a daemonless, open source, Linux-native tool designed to make it easy to find, run, build, share and deploy applications using Open Container Initiative (OCI) containers and container images. Podman provides a command line interface (CLI) that is immediately familiar to anyone who has used the Docker container engine; most users can simply alias Docker to Podman (alias docker=podman) without any problems. Like other common container engines (Docker, CRI-O, containerd), Podman relies on an OCI-compliant container runtime (runc, crun, runv, and so on) to interact with the operating system and create the running containers. This makes a running container created by Podman virtually indistinguishable from one created by any other general-purpose container engine.

  • Official site: podman.io/getting-sta…

2. Podman and Docker

Podman is similar to Docker, but Podman has no daemon. When you use the Docker CLI, the CLI tells the Docker Engine “I want to start a container” through the gRPC API, and the Docker Engine then starts the container through the OCI container runtime (runc by default). This means the container process is not a child of the Docker CLI but of the Docker Engine.

Podman is much more direct. Instead of a daemon, it starts containers straight through the OCI runtime (also runc by default), so the container processes are children of Podman itself. This is the classic Linux fork/exec model, whereas Docker uses a client/server (C/S) model. The fork/exec model has several advantages over the C/S model:

  • The system administrator can see which user started a container process.
  • If cgroup limits are applied to Podman, every container it creates inherits those limits.
  • If the podman command is placed in a systemd unit file, the container process can send a notification back through Podman telling systemd that the service is ready to accept work.
  • Sockets can be passed from systemd to Podman and on to the container process, which can then use them.

Podman has no daemons

  • Docker side

    ps -aux | grep docker

    Docker runs a daemon called dockerd.

  • Podman side

    ps -aux | grep podman

    As you can see, there is no Podman process at all when no podman command is running.

Podman has different permissions than Docker

  1. Ordinary user permissions
    • Create an ordinary user named demo:

      # useradd demo
      # passwd demo

    • Docker side

      # docker version
      # sudo docker version   // add the demo user to /etc/sudoers in advance

      Without sudo, the user has no permission to operate docker.

    • Podman side

      # su - demo   // the - is required, otherwise there will be permission issues
      # podman version

      Podman can be used without sudo.

  2. Permissions of container processes on host files

    Docker has long had a problem: if the demo user is added to the docker group, demo can create containers, and if a file that demo has no permission on is mapped into a container, demo can view and modify that file from inside the container. Does Podman have the same problem?

    • Docker side

      • Add the demo user to the docker group: usermod -g docker demo
      • Remove the demo user's sudo permission:

        # vim /etc/sudoers
        (delete the demo line)

      • Verify the permission:

        # su - demo
        # sudo cat /etc/sudoers

      • Use docker to create a container and map /etc/sudoers into it, then edit the mapped file inside the container and add a line granting demo sudo rights:

        # docker run -it -v /etc/sudoers:/home/sudoers busybox sh
        # vi /home/sudoers

      • After exiting the container, check the permission again:

        # sudo cat /etc/sudoers

      The file can now be read. Isn't that very insecure?

    • Podman side

      • Check the demo user's permission before creating the container:

        # sudo cat /etc/sudoers

      • Run a container the same way as with docker:

        # podman run -it -v /etc/sudoers:/home/sudoers busybox sh
        # cat /home/sudoers

        Inside the container you will find that /home/sudoers appears empty and that you have no permission to read it.

      A file you have no permission on cannot be modified. But the file was mapped in, so why can't it be changed?

    • Looking at the container processes

      In Linux a container exists on the host as an ordinary process (look this up if you are interested; it is not elaborated here). The difference between Podman's and Docker's process model is why Podman can map a root-owned file into a container but cannot modify it.

      • Run the containers in the background:

        Docker side:
        # docker run -it -d --name=busybox -v /etc/sudoers:/home/sudoers busybox
        Podman side:
        # podman run -it -d --name busybox -v /etc/sudoers:/home/sudoers busybox

      • Find the host process by container ID:

        Docker side:
        # docker ps
        # ps -aux | grep 46f121aff161
        Podman side:
        # podman ps
        # ps -aux | grep 240842862d24

      When podman is run as user demo, the container process also runs as user demo. So when you try to access a root-owned file as demo, you are told you have no permission.
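As an added example (not from the original post), the following POSIX shell script makes the two points above checkable: it walks a process listing to find which engine, and which user, a container process descends from, and it lists docker-group members, who are effectively root because dockerd runs as root. The process listing and the group line are constructed sample data; on a real host substitute the output of ps -eo user,pid,ppid,comm and getent group docker.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed data: a docker-spawned
# container shell (pid 1223) under root dockerd, and a rootless podman container
# shell (pid 1580) under the demo user's own podman process.
PS_SNAPSHOT='root 1 0 systemd
root 812 1 dockerd
root 1201 812 containerd-shim
root 1223 1201 sh
demo 1540 1 podman
demo 1561 1540 conmon
demo 1580 1561 sh'

# Constructed line as `getent group docker` would print it
DOCKER_GROUP='docker:x:989:demo,alice'

# Members of the docker group: each can map any host path into a container run by root
docker_group_members() {
    printf '%s\n' "$DOCKER_GROUP" |
        awk -F: '$1 == "docker" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }'
}

# Walk the parent chain of a pid until dockerd or podman is found; print "<engine> <user>"
engine_of() {
    pid=$1
    while [ "$pid" != 0 ]; do
        entry=$(printf '%s\n' "$PS_SNAPSHOT" | awk -v p="$pid" '$2 == p { print $1, $3, $4 }')
        [ -n "$entry" ] || { echo "unknown"; return 1; }
        set -- $entry          # $1=user $2=ppid $3=comm
        case $3 in
            dockerd|podman) echo "$3 $1"; return 0 ;;
        esac
        pid=$2
    done
    echo "none"
    return 1
}

# Verdict for one container pid: does the host's file permission check still bind it?
audit_pid() {
    case $(engine_of "$1") in
        "dockerd root") echo "pid $1: child of root dockerd; runs as host root, file permissions do not restrict it" ;;
        "podman "*)     echo "pid $1: child of a rootless podman; host file permissions of that user still apply" ;;
        *)              echo "pid $1: no container engine in parent chain" ;;
    esac
}

audit_pid 1223
audit_pid 1580
echo "docker group (root-equivalent users): $(docker_group_members | tr '\n' ' ')"
```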

3. Install Podman

  • Installation documentation: podman.io/getting-sta…

  • CentOS

    CentOS 7:
    curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable.repo https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_7/devel:kubic:libcontainers:stable.repo
    yum -y install podman

    CentOS 8:
    sudo dnf -y module disable container-tools
    sudo dnf -y install 'dnf-command(copr)'
    sudo dnf -y copr enable rhcontainerbot/container-selinux
    sudo curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable.repo https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_8/devel:kubic:libcontainers:stable.repo
    sudo dnf -y install podman

4. Use Podman

  • View help: podman --help

    You will find that podman is used in the same way as docker, so there is nothing unfamiliar about switching from Docker to Podman. If you are not used to the podman command, you can use alias docker=podman to map the docker commands to it.

  • Configure a registry mirror (accelerator) address: vim /etc/containers/registries.conf

    ...
    # Red Hat does not curate, patch or maintain container images from the docker.io registry.
    # PS: when adding a mirror address, do not include an http:// or https:// prefix.
    [registries.search]
    registries = ['registry.access.redhat.com', 'registry.redhat.io', 'docker.io', 'xxx.mirror.aliyuncs.com']
    ...

  • Pull an image: podman pull busybox

  • Start a container: podman run -it busybox sh

  • Map the docker command: alias docker=podman

5. Summary

  • Podman can replace Docker as a container management tool. Because it has no daemon, it consumes fewer system resources than Docker.
  • Podman does not need the root permissions Docker requires, so it feels more secure than Docker.
  • Podman is used in exactly the same way as Docker, so there is no problem switching directly from Docker.
