How to run podman from inside a container?
I want to run podman as a container that runs CI/CD pipelines. However, I keep getting this error from the podman container:
$ podman info
ERRO[0000] 'overlay' is not supported over overlayfs
Error: could not get runtime: 'overlay' is not supported over overlayfs: backing file system is unsupported for this graph driver
I am using the Jenkins Kubernetes plugin to write CI/CD pipelines that run as containers in a Kubernetes cluster. I have already successfully written pipelines that use a Docker-in-Docker container to run the docker build and docker push commands.
However, installing the Docker client and the Docker daemon inside a container makes the CI/CD environment very bloated, hard to configure and not ideal to work with. So I thought I could use podman to build Docker images from Dockerfiles without needing the fat Docker daemon.
The problem is that podman is so new that I have never seen anyone try this before, and I am not enough of a podman expert to do it properly.
So, following the podman installation instructions for Ubuntu, I created the following Dockerfile:
FROM ubuntu:16.04
RUN apt-get update -qq \
&& apt-get install -qq -y software-properties-common uidmap \
&& add-apt-repository -y ppa:projectatomic/ppa \
&& apt-get update -qq \
&& apt-get -qq -y install podman
# To keep it running
CMD tail -f /dev/null
So I built the image and ran it as follows:
# Build
docker build -t podman:ubuntu-16.04 .
# Run
docker run --name podman -d podman:ubuntu-16.04
Then, when I execute this command in the running container, I get the error:
$ docker exec -ti podman bash -c "podman info"
ERRO[0000] 'overlay' is not supported over overlayfs
Error: could not get runtime: 'overlay' is not supported over overlayfs: backing file system is unsupported for this graph driver
I installed podman on an Ubuntu 16.04 machine I have, and running the same podman info command there gives me the expected result:
host:
  BuildahVersion: 1.8-dev
  Conmon:
    package: 'conmon: /usr/libexec/crio/conmon'
    path: /usr/libexec/crio/conmon
    version: 'conmon version , commit: '
  Distribution:
    distribution: ubuntu
    version: "16.04"
  MemFree: 2275770368
  MemTotal: 4142137344
  OCIRuntime:
    package: 'cri-o-runc: /usr/lib/cri-o-runc/sbin/runc'
    path: /usr/lib/cri-o-runc/sbin/runc
    version: 'runc version spec: 1.0.1-dev'
  SwapFree: 2146758656
  SwapTotal: 2146758656
  arch: amd64
  cpus: 2
  hostname: jumpbox-4b3620b3
  kernel: 4.4.0-141-generic
  os: linux
  rootless: false
  uptime: 222h 46m 33.48s (Approximately 9.25 days)
insecure registries:
  registries: []
registries:
  registries:
  - docker.io
store:
  ConfigFile: /etc/containers/storage.conf
  ContainerStore:
    number: 0
  GraphDriverName: overlay
  GraphOptions: null
  GraphRoot: /var/lib/containers/storage
  GraphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  ImageStore:
    number: 15
  RunRoot: /var/run/containers/storage
  VolumePath: /var/lib/containers/storage/volumes
Does anyone know how to fix this error and get podman running from inside a container?
Your Dockerfile should also install iptables:
FROM ubuntu:16.04
RUN apt-get update -qq \
&& apt-get install -qq -y software-properties-common uidmap \
&& add-apt-repository -y ppa:projectatomic/ppa \
&& apt-get update -qq \
&& apt-get -qq -y install podman \
&& apt-get install -y iptables
# To keep it running
CMD tail -f /dev/null
Then run the command as:
docker run -ti --rm podman:test bash -c "podman --storage-driver=vfs info"
That should give you the expected reply.
I tried this myself with a more permissive configuration (--privileged=true), mounting the storage volumes from the host and also installing iptables inside the container (i.e. sudo apt-get install iptables), and was able to run it:
$ podman run -it --rm -v /var/run/containers/storage:/var/run/containers/storage -v /var/lib/containers/storage:/var/lib/containers/storage --storage-driver=overlay --privileged=true mine bash
root@e275668d7c36:/# apt-get install -y -qq iptables
...
root@e275668d7c36:/# podman info
host:
  BuildahVersion: 1.8-dev
  Conmon:
    package: 'conmon: /usr/libexec/crio/conmon'
    path: /usr/libexec/crio/conmon
    version: 'conmon version , commit: '
  Distribution:
    distribution: ubuntu
    version: "16.04"
  MemFree: 71659520
  MemTotal: 482099200
  OCIRuntime:
    package: 'cri-o-runc: /usr/lib/cri-o-runc/sbin/runc'
    path: /usr/lib/cri-o-runc/sbin/runc
    version: 'runc version spec: 1.0.1-dev'
  SwapFree: 0
  SwapTotal: 0
  arch: amd64
  cpus: 2
  hostname: e275668d7c36
  kernel: 4.15.0-1035-aws
  os: linux
  rootless: false
  uptime: 315h 17m 53s (Approximately 13.12 days)
insecure registries:
  registries: []
registries:
  registries: []
store:
  ConfigFile: /etc/containers/storage.conf
  ContainerStore:
    number: 2
  GraphDriverName: overlay
  GraphOptions: null
  GraphRoot: /var/lib/containers/storage
  GraphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  ImageStore:
    number: 4
  RunRoot: /var/run/containers/storage
  VolumePath: /var/lib/containers/storage/volumes
If you want to use docker, you can also use the --privileged flag.
Keep in mind that there are other tools dedicated to building containers, some of which do not need privileged mode:
mihai's suggestion worked for info, but as soon as I tried e.g. run --rm docker.io/library/hello-world, I got an error:
error creating network namespace for container …: mount --make-rshared /var/run/netns failed: "operation not permitted"
failed to mount shm tmpfs "/var/lib/containers/storage/vfs-containers/…/userdata/shm": operation not permitted
I only managed to get around this by setting a non-root user for the image and then running the container in privileged mode, which defeats the purpose of the exercise, since DinD can already do that:
FROM ubuntu:18.04
RUN apt-get update -qq \
&& apt-get install -qq -y software-properties-common uidmap \
&& add-apt-repository -y ppa:projectatomic/ppa \
&& apt-get update -qq \
&& apt-get -qq -y install podman \
&& apt-get install -y iptables
RUN adduser --disabled-login --gecos test test
USER test
ENTRYPOINT ["podman", "--storage-driver=vfs"]
CMD ["info"]
Used as:
docker build -t podman:test .
docker run --rm --privileged podman:test run --rm docker.io/library/hello-world
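A pre-flight check added here as an example (not code from the question or either answer) that ties the two problems on this page together: it selects vfs or overlay from the backing filesystem of the graph root, and it reads CapEff from /proc/self/status to tell whether the container already holds CAP_SYS_ADMIN, i.e. whether it is running in the privileged mode the answers resort to. It assumes GNU stat and awk and a Linux procfs; the default graph-root path is the one shown in the podman info output above.

```shell
#!/bin/sh
# Added pre-flight check for a podman-inside-a-container CI step (example code,
# not from the question or the answers). It picks the storage driver from the
# backing filesystem of the graph root, because podman's overlay driver rejects
# overlayfs as a backing store (the error quoted in the question), and reports
# whether the container holds CAP_SYS_ADMIN, one of the capabilities that
# --privileged grants and the mode the answers fall back on.

# Map a filesystem type name, as printed by `stat -f -c %T`, to a storage
# driver. Native filesystems known to back overlay keep 'overlay'; overlayfs
# (the usual case inside a container) and anything unknown fall back to 'vfs'.
choose_storage_driver() {
    case "$1" in
        ext2/ext3|xfs|btrfs) echo overlay ;;
        *)                   echo vfs ;;
    esac
}

# Resolve the driver for a real directory; a missing path also means 'vfs'.
driver_for_path() {
    choose_storage_driver "$(stat -f -c %T "$1" 2>/dev/null || echo unknown)"
}

# Succeed if a hex CapEff mask (format of /proc/self/status) has bit 21 set,
# which is CAP_SYS_ADMIN. Example masks: 0000003fffffffff for --privileged on
# a 4.x kernel, 00000000a80425fb for the default Docker capability set.
cap_has_sys_admin() {
    [ $(( 0x$1 >> 21 & 1 )) -eq 1 ]
}

# Effective capability mask of this process, or 0 where procfs is unavailable.
current_capeff() {
    mask=$(awk '/^CapEff:/ { print $2 }' /proc/self/status 2>/dev/null)
    echo "${mask:-0}"
}

main() {
    root=${1:-/var/lib/containers/storage}
    echo "graph root $root -> use --storage-driver=$(driver_for_path "$root")"
    if cap_has_sys_admin "$(current_capeff)"; then
        echo "CAP_SYS_ADMIN present: container is effectively privileged"
    else
        echo "CAP_SYS_ADMIN absent: namespace/shm mounts will fail unless capabilities are granted"
    fi
}

main "$@"
```

Run it as the first step of the pipeline container; the printed driver can be fed straight into the podman command line, and the capability line tells you whether the step is relying on --privileged.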