Podman中的Podman,类似于Docker中的Docker?
Podman in Podman, similar to Docker in Docker?
有没有办法在 Podman 中 运行 Podman,类似于 运行 Docker 在 Docker 中的方法?
这是我的 Docker 文件的一个片段,它强烈基于 :
FROM debian:10.6
RUN apt update && apt upgrade -qqy && \
apt install -qqy iptables bridge-utils \
qemu-kvm libvirt-daemon libvirt-clients virtinst libvirt-daemon-system \
cpu-checker kmod && \
apt -qqy install curl sudo gnupg2 && \
echo "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_10/ /" > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list && \
curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_10/Release.key | sudo apt-key add - && \
apt update && \
apt -qqy install podman
现在尝试一些测试:
$ podman run -it my/test bash -c "podman --storage-driver=vfs info"
... (long output; this works fine)
$ podman run -it my/test bash -c "podman --storage-driver=vfs images"
ERRO[0000] unable to write system event: "write unixgram @000ec->/run/systemd/journal/socket: sendmsg: no such file or directory"
REPOSITORY TAG IMAGE ID CREATED SIZE
$ podman run -it my/test bash -c "podman --storage-driver=vfs run docker.io/library/hello-world"
ERRO[0000] unable to write system event: "write unixgram @000ef->/run/systemd/journal/socket: sendmsg: no such file or directory"
Trying to pull docker.io/library/hello-world...
Getting image source signatures
Copying blob 0e03bdcc26d7 done
Copying config bf756fb1ae done
Writing manifest to image destination
Storing signatures
ERRO[0003] unable to write pod event: "write unixgram @000ef->/run/systemd/journal/socket: sendmsg: no such file or directory"
ERRO[0003] Error preparing container 66692b7ff496775499d405d538769a078f2794549955cf2409fcbcbf87f42e94: error creating network namespace for container 66692b7ff496775499d405d538769a078f2794549955cf2409fcbcbf87f42e94: mount --make-rshared /var/run/netns failed: "operation not permitted"
Error: failed to mount shm tmpfs "/var/lib/containers/storage/vfs-containers/66692b7ff496775499d405d538769a078f2794549955cf2409fcbcbf87f42e94/userdata/shm": operation not permitted
我也尝试了 的建议,通过了 --cgroup-manager=cgroupfs,但没有成功:
$ podman run -it my/test bash -c "podman --storage-driver=vfs --cgroup-manager=cgroupfs run docker.io/library/hello-world"
Trying to pull docker.io/library/hello-world...
Getting image source signatures
Copying blob 0e03bdcc26d7 done
Copying config bf756fb1ae done
Writing manifest to image destination
Storing signatures
ERRO[0003] unable to write pod event: "write unixgram @000f3->/run/systemd/journal/socket: sendmsg: no such file or directory"
ERRO[0003] Error preparing container c3fff4d8161903aaebd6f89f3b3c06b55038e11e07b6b561dc6576ca675747a3: error creating network namespace for container c3fff4d8161903aaebd6f89f3b3c06b55038e11e07b6b561dc6576ca675747a3: mount --make-rshared /var/run/netns failed: "operation not permitted"
Error: failed to mount shm tmpfs "/var/lib/containers/storage/vfs-containers/c3fff4d8161903aaebd6f89f3b3c06b55038e11e07b6b561dc6576ca675747a3/userdata/shm": operation not permitted
似乎需要进行一些网络配置。我发现下面的项目表明可能需要对网络配置进行一些调整,但我不知道它的上下文是什么以及它是否适用于此处。
https://github.com/joshkunz/qemu-docker
编辑:我刚刚发现/var/run/podman.sock,但也没有成功:
$ sudo podman run -it -v /run/podman/podman.sock:/run/podman/podman.sock my/test bash -c "podman --storage-driver=vfs --cgroup-manager=cgroupfs run docker.io/library/hello-world"
Trying to pull my/test...
denied: requested access to the resource is denied
Trying to pull my:test...
unauthorized: access to the requested resource is not authorized
Error: unable to pull my/text: 2 errors occurred:
* Error initializing source docker://my/test: Error reading manifest latest in docker.io/my/test: errors:
denied: requested access to the resource is denied
unauthorized: authentication required
* Error initializing source docker://quay.io/my/test:latest: Error reading manifest latest in quay.io/my/test: unauthorized: access to the requested resource is not authorized
似乎 root 看不到我在我的用户下创建的图像。
有什么想法吗?谢谢。
假设我们想 运行 ls / 在 docker.io/library/alpine 容器中。
标准 Podman
podman run --rm docker.io/library/alpine ls /
Podman 中的 Podman
让我们 运行 ls / 在 docker.io/library/alpine 容器中,但是这次我们 运行 podman 在 码头。io/podman/stable 集装箱。
2021 年 6 月更新
A GitHub issue comment 展示了如何在主机和外部容器中以 non-root 用户身份在 Podman 中 运行 Podman。稍微修改一下,它看起来像这样:
podman \
run \
--rm \
--security-opt label=disable \
--user podman \
quay.io/podman/stable \
podman \
run \
--rm \
docker.io/library/alpine \
ls /
这是一个完整的例子:
$ podman --version
podman version 3.2.1
$ cat /etc/fedora-release
Fedora release 34 (Thirty Four)
$ uname -r
5.12.11-300.fc34.x86_64
$ podman \
run \
--rm \
--security-opt label=disable \
--user podman \
quay.io/podman/stable \
podman \
run \
--rm \
docker.io/library/alpine \
ls /
Trying to pull docker.io/library/alpine:latest...
Getting image source signatures
Copying blob sha256:5843afab387455b37944e709ee8c78d7520df80f8d01cf7f861aae63beeddb6b
Copying config sha256:d4ff818577bc193b309b355b02ebc9220427090057b54a59e73b79bdfe139b83
Writing manifest to image destination
Storing signatures
bin
dev
etc
home
lib
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
$
为避免重复下载内部容器镜像,
创建卷
podman volume create mystorage
并添加 command-line 选项
-v mystorage:/home/podman/.local/share/containers:rw
到外部 Podman 命令。也就是说
podman \
run \
-v mystorage:/home/podman/.local/share/containers:rw \
--rm \
--security-opt label=disable \
--user podman \
quay.io/podman/stable \
podman \
run \
--rm \
docker.io/library/alpine \
ls /
Podman 中的 Podman(过时的答案)
(2020 年 12 月的旧答案。当很明显这里描述的方法已经过时时,我可能会删除它)
让我们 运行 ls / 在 docker.io/library/alpine 容器中,但是这次我们 运行 podman 在 码头。io/podman/stable 集装箱。
命令将如下所示:
podman \
run \
--privileged \
--rm \
--ulimit host \
-v /dev/fuse:/dev/fuse:rw \
-v ./mycontainers:/var/lib/containers:rw \
quay.io/podman/stable \
podman \
run \
--rm \
--user 0 \
docker.io/library/alpine ls
(目录./mycontainers这里是用来存放容器的)
这是一个完整的例子
$ podman --version
podman version 2.1.1
$ mkdir mycontainers
$ podman run --privileged --rm --ulimit host -v /dev/fuse:/dev/fuse:rw -v ./mycontainers:/var/lib/containers:rw quay.io/podman/stable podman run --rm --user 0 docker.io/library/alpine ls | head -5
Trying to pull docker.io/library/alpine...
Getting image source signatures
Copying blob sha256:188c0c94c7c576fff0792aca7ec73d67a2f7f4cb3a6e53a84559337260b36964
Copying config sha256:d6e46aa2470df1d32034c6707c8041158b652f38d2a9ae3d7ad7e7532d22ebe0
Writing manifest to image destination
Storing signatures
bin
dev
etc
home
lib
$ podman run --privileged --rm --ulimit host -v /dev/fuse:/dev/fuse:rw -v ./mycontainers:/var/lib/containers:rw quay.io/podman/stable podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/alpine latest d6e46aa2470d 4 days ago 5.85 MB
如果您省略 -v ./mycontainers:/var/lib/containers:rw,您可能会看到稍微令人困惑的错误消息
Error: executable file `ls` not found in $PATH: No such file or directory: OCI runtime command not found error
参考文献:
How to use Podman inside of a container 红帽博客 post 自 2021 年 7 月起。
discussion.fedoraproject.org(关于在$PATH中找不到的讨论)
github comment(在 Podman 中提供有关 运行 Podman 的正确方法的建议)
有没有办法在 Podman 中 运行 Podman,类似于 运行 Docker 在 Docker 中的方法?
这是我的 Docker 文件的一个片段,它强烈基于
FROM debian:10.6
RUN apt update && apt upgrade -qqy && \
apt install -qqy iptables bridge-utils \
qemu-kvm libvirt-daemon libvirt-clients virtinst libvirt-daemon-system \
cpu-checker kmod && \
apt -qqy install curl sudo gnupg2 && \
echo "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_10/ /" > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list && \
curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_10/Release.key | sudo apt-key add - && \
apt update && \
apt -qqy install podman
现在尝试一些测试:
$ podman run -it my/test bash -c "podman --storage-driver=vfs info"
... (long output; this works fine)
$ podman run -it my/test bash -c "podman --storage-driver=vfs images"
ERRO[0000] unable to write system event: "write unixgram @000ec->/run/systemd/journal/socket: sendmsg: no such file or directory"
REPOSITORY TAG IMAGE ID CREATED SIZE
$ podman run -it my/test bash -c "podman --storage-driver=vfs run docker.io/library/hello-world"
ERRO[0000] unable to write system event: "write unixgram @000ef->/run/systemd/journal/socket: sendmsg: no such file or directory"
Trying to pull docker.io/library/hello-world...
Getting image source signatures
Copying blob 0e03bdcc26d7 done
Copying config bf756fb1ae done
Writing manifest to image destination
Storing signatures
ERRO[0003] unable to write pod event: "write unixgram @000ef->/run/systemd/journal/socket: sendmsg: no such file or directory"
ERRO[0003] Error preparing container 66692b7ff496775499d405d538769a078f2794549955cf2409fcbcbf87f42e94: error creating network namespace for container 66692b7ff496775499d405d538769a078f2794549955cf2409fcbcbf87f42e94: mount --make-rshared /var/run/netns failed: "operation not permitted"
Error: failed to mount shm tmpfs "/var/lib/containers/storage/vfs-containers/66692b7ff496775499d405d538769a078f2794549955cf2409fcbcbf87f42e94/userdata/shm": operation not permitted
我也尝试了 --cgroup-manager=cgroupfs,但没有成功:
$ podman run -it my/test bash -c "podman --storage-driver=vfs --cgroup-manager=cgroupfs run docker.io/library/hello-world"
Trying to pull docker.io/library/hello-world...
Getting image source signatures
Copying blob 0e03bdcc26d7 done
Copying config bf756fb1ae done
Writing manifest to image destination
Storing signatures
ERRO[0003] unable to write pod event: "write unixgram @000f3->/run/systemd/journal/socket: sendmsg: no such file or directory"
ERRO[0003] Error preparing container c3fff4d8161903aaebd6f89f3b3c06b55038e11e07b6b561dc6576ca675747a3: error creating network namespace for container c3fff4d8161903aaebd6f89f3b3c06b55038e11e07b6b561dc6576ca675747a3: mount --make-rshared /var/run/netns failed: "operation not permitted"
Error: failed to mount shm tmpfs "/var/lib/containers/storage/vfs-containers/c3fff4d8161903aaebd6f89f3b3c06b55038e11e07b6b561dc6576ca675747a3/userdata/shm": operation not permitted
似乎需要进行一些网络配置。我发现下面的项目表明可能需要对网络配置进行一些调整,但我不知道它的上下文是什么以及它是否适用于此处。 https://github.com/joshkunz/qemu-docker
编辑:我刚刚发现/var/run/podman.sock,但也没有成功:
$ sudo podman run -it -v /run/podman/podman.sock:/run/podman/podman.sock my/test bash -c "podman --storage-driver=vfs --cgroup-manager=cgroupfs run docker.io/library/hello-world"
Trying to pull my/test...
denied: requested access to the resource is denied
Trying to pull my:test...
unauthorized: access to the requested resource is not authorized
Error: unable to pull my/text: 2 errors occurred:
* Error initializing source docker://my/test: Error reading manifest latest in docker.io/my/test: errors:
denied: requested access to the resource is denied
unauthorized: authentication required
* Error initializing source docker://quay.io/my/test:latest: Error reading manifest latest in quay.io/my/test: unauthorized: access to the requested resource is not authorized
似乎 root 看不到我在我的用户下创建的图像。
有什么想法吗?谢谢。
假设我们想 运行 ls / 在 docker.io/library/alpine 容器中。
标准 Podman
podman run --rm docker.io/library/alpine ls /
Podman 中的 Podman
让我们 运行 ls / 在 docker.io/library/alpine 容器中,但是这次我们 运行 podman 在 码头。io/podman/stable 集装箱。
2021 年 6 月更新
A GitHub issue comment 展示了如何在主机和外部容器中以 non-root 用户身份在 Podman 中 运行 Podman。稍微修改一下,它看起来像这样:
podman \
run \
--rm \
--security-opt label=disable \
--user podman \
quay.io/podman/stable \
podman \
run \
--rm \
docker.io/library/alpine \
ls /
这是一个完整的例子:
$ podman --version
podman version 3.2.1
$ cat /etc/fedora-release
Fedora release 34 (Thirty Four)
$ uname -r
5.12.11-300.fc34.x86_64
$ podman \
run \
--rm \
--security-opt label=disable \
--user podman \
quay.io/podman/stable \
podman \
run \
--rm \
docker.io/library/alpine \
ls /
Trying to pull docker.io/library/alpine:latest...
Getting image source signatures
Copying blob sha256:5843afab387455b37944e709ee8c78d7520df80f8d01cf7f861aae63beeddb6b
Copying config sha256:d4ff818577bc193b309b355b02ebc9220427090057b54a59e73b79bdfe139b83
Writing manifest to image destination
Storing signatures
bin
dev
etc
home
lib
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
$
为避免重复下载内部容器镜像, 创建卷
podman volume create mystorage
并添加 command-line 选项
-v mystorage:/home/podman/.local/share/containers:rw
到外部 Podman 命令。也就是说
podman \
run \
-v mystorage:/home/podman/.local/share/containers:rw \
--rm \
--security-opt label=disable \
--user podman \
quay.io/podman/stable \
podman \
run \
--rm \
docker.io/library/alpine \
ls /
Podman 中的 Podman(过时的答案)
(2020 年 12 月的旧答案。当很明显这里描述的方法已经过时时,我可能会删除它)
让我们 运行 ls / 在 docker.io/library/alpine 容器中,但是这次我们 运行 podman 在 码头。io/podman/stable 集装箱。
命令将如下所示:
podman \
run \
--privileged \
--rm \
--ulimit host \
-v /dev/fuse:/dev/fuse:rw \
-v ./mycontainers:/var/lib/containers:rw \
quay.io/podman/stable \
podman \
run \
--rm \
--user 0 \
docker.io/library/alpine ls
(目录./mycontainers这里是用来存放容器的)
这是一个完整的例子
$ podman --version
podman version 2.1.1
$ mkdir mycontainers
$ podman run --privileged --rm --ulimit host -v /dev/fuse:/dev/fuse:rw -v ./mycontainers:/var/lib/containers:rw quay.io/podman/stable podman run --rm --user 0 docker.io/library/alpine ls | head -5
Trying to pull docker.io/library/alpine...
Getting image source signatures
Copying blob sha256:188c0c94c7c576fff0792aca7ec73d67a2f7f4cb3a6e53a84559337260b36964
Copying config sha256:d6e46aa2470df1d32034c6707c8041158b652f38d2a9ae3d7ad7e7532d22ebe0
Writing manifest to image destination
Storing signatures
bin
dev
etc
home
lib
$ podman run --privileged --rm --ulimit host -v /dev/fuse:/dev/fuse:rw -v ./mycontainers:/var/lib/containers:rw quay.io/podman/stable podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/alpine latest d6e46aa2470d 4 days ago 5.85 MB
如果您省略 -v ./mycontainers:/var/lib/containers:rw,您可能会看到稍微令人困惑的错误消息
Error: executable file `ls` not found in $PATH: No such file or directory: OCI runtime command not found error
参考文献:
How to use Podman inside of a container 红帽博客 post 自 2021 年 7 月起。
discussion.fedoraproject.org(关于在$PATH中找不到的讨论)
github comment(在 Podman 中提供有关 运行 Podman 的正确方法的建议)