podman的部署及应用
1.什么是podman
Podman 是一个容器引擎——一个用于开发、管理和运行容器和容器镜像的工具。容器是标准化的、自包含的软件包,其中包含无需定制即可在任何地方运行所需的所有元素,包括应用程序代码和支持库。在过去十年中,基于容器的应用程序彻底改变了软件开发,使分布式和基于云的系统易于部署和维护。
2.podman的部署
//安装podman
[root@loaclhost ~]# dnf -y install podman
//修改配置文件
[root@loaclhost ~]# cd /etc/containers/
[root@loaclhost containers]# ls
certs.d oci policy.json registries.conf registries.conf.d registries.d storage.conf
[root@loaclhost containers]# vim registries.conf
unqualified-search-registries = ["docker.io"] //未带注册表前缀的镜像名(如 httpd)默认从 docker.io 解析拉取
[[registry]]
prefix = "docker.io"
location = "kz7i887.mirror.aliyuncs.com" //配置加速器:prefix 为 docker.io 的拉取实际改从该镜像源地址获取
3.podman的应用
//拉取镜像
[root@loaclhost containers]# podman pull httpd
Resolving "httpd" using unqualified-search registries (/etc/containers/registries.conf)
Trying to pull docker.io/library/httpd:latest...
Getting image source signatures
Copying blob d982c879c57e done
Copying blob dcc4698797c8 done
Copying blob 67283bbdd4a0 done
Copying blob a2abf6c4d29d done
Copying blob 41c22baa66ec done
Copying config dabbfbe0c5 done
Writing manifest to image destination
Storing signatures
dabbfbe0c57b6e5cd4bc089818d3f664acfad496dc741c9a501e72d15e803b34
[root@loaclhost containers]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/busybox latest 7a80323521cc 2 weeks ago 1.47 MB
docker.io/library/httpd latest dabbfbe0c57b 7 months ago 148 MB
//创建一个运行的容器
[root@loaclhost ~]# podman run -it busybox
//创建一个容器但没有运行
[root@loaclhost ~]# podman create busybox
3d7460fac9dfaf365dcce8e73175461e0d3b7e457e7ff6cce55b0f127d860484
[root@loaclhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
3d7460fac9df docker.io/library/busybox:latest sh 8 seconds ago Created ecstatic_turing
//在容器和本地文件系统之间复制文件/文件夹
[root@loaclhost ~]# ls
anaconda-ks.cfg
[root@loaclhost ~]# podman run -it --name web busybox /bin/sh
/ # ls
bin dev etc home proc root run sys tmp usr var
//将文件cp到web容器的根目录里
[root@loaclhost ~]# podman cp anaconda-ks.cfg web:/
/ # ls
anaconda-ks.cfg etc root tmp
bin home run usr
dev proc sys var
//检查容器文件系统上的更改
[root@loaclhost ~]# podman diff web
C /etc
C /root
A /root/.ash_history
A /anaconda-ks.cfg
//进入正在运行的容器中运行进程
[root@loaclhost ~]# podman exec -it web /bin/sh
/ # ls
anaconda-ks.cfg etc root tmp
bin home run usr
dev proc sys var
//显示指定镜像的历史记录
[root@loaclhost ~]# podman history busybox
ID CREATED CREATED BY SIZE COMMENT
7a80323521cc 2 weeks ago /bin/sh -c #(nop) CMD ["sh"] 0 B
<missing> 2 weeks ago /bin/sh -c #(nop) ADD file:03ed8a1a0e4c803... 1.46 MB
//列出本地存储中的镜像
[root@loaclhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/busybox latest 7a80323521cc 2 weeks ago 1.47 MB
docker.io/library/httpd latest dabbfbe0c57b 7 months ago 148 MB
quay.io/centos/centos latest 300e315adb2f 20 months ago 217 MB
//显示容器或映像的配置
[root@loaclhost ~]# podman inspect busybox
//登录到容器注册表
[root@loaclhost ~]# podman login
Username: 15072814090
Password:
Login Succeeded!
//退出容器注册表
[root@loaclhost ~]# podman logout
Removed login credentials for docker.io
//获取容器的日志
[root@loaclhost ~]# podman logs web
/ # ls
bin dev etc home proc root run sys tmp usr var
/ # ls
anaconda-ks.cfg etc root tmp
bin home run usr
dev proc sys var
/ #
/ # exit
[root@loaclhost ~]#
//列出网络
[root@loaclhost ~]# podman network ls
NETWORK ID NAME VERSION PLUGINS
2f259bab93aa podman 0.4.0 bridge,portmap,firewall,tuning
//停止一个或多个正在运行的容器(podman stop;暂停进程见下文的 podman pause)
[root@loaclhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
01f0338da567 docker.io/library/busybox:latest /bin/sh 27 minutes ago Up 19 minutes ago web
[root@loaclhost ~]# podman stop web
web
[root@loaclhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
//启动一个或多个容器
[root@loaclhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@loaclhost ~]# podman start web
web
[root@loaclhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
01f0338da567 docker.io/library/busybox:latest /bin/sh 28 minutes ago Up 1 second ago web
//为容器生成 systemd 单元文件,--files 表示写入当前目录而不是打印到标准输出
[root@loaclhost ~]# podman generate systemd web --files
/root/container-455079197ffa485c3efae29ac62b3b0d510dee8c990950aeb062692f44e62cae.service
[root@loaclhost ~]# ls
123 guazai
anaconda-ks.cfg lv0
container-455079197ffa485c3efae29ac62b3b0d510dee8c990950aeb062692f44e62cae.service
//显示 podman 系统信息
[root@loaclhost ~]# podman info
host:
arch: amd64
buildahVersion: 1.22.3
cgroupControllers:
- cpuset
- cpu
- cpuacct
- blkio
....省略内容
//初始化一个或多个容器
[root@loaclhost ~]# podman init -l //容器需处于停止状态;-l 表示最近创建的容器
6a41c7cb70c5ee05572bf4728e9a3836e99a05fe8d425de40b162b290cb28b00
//使用特定信号杀死一个或多个正在运行的容器
[root@loaclhost ~]# podman kill -l //容器需处于运行状态
6a41c7cb70c5ee05572bf4728e9a3836e99a05fe8d425de40b162b290cb28b00
//取消挂载工作容器的根文件系统
[root@loaclhost ~]# podman unmount web
web
//挂载工作容器的根文件系统
[root@loaclhost ~]# podman mount web
/var/lib/containers/storage/overlay/accc2a305f31e31d8a699cc285891348daa9b3b1b6aa41fad2fe904f00af3d53/merged
//管理网络
[root@loaclhost ~]# podman network inspect podman
"cniVersion": "0.4.0",
"name": "podman",
"plugins": [
{
"bridge": "cni-podman0",
...内容省略
//暂停一个或多个容器中的所有进程
[root@loaclhost ~]# podman pause cranky_allen
6a41c7cb70c5ee05572bf4728e9a3836e99a05fe8d425de40b162b290cb28b00
//列出容器的端口映射或特定映射
[root@loaclhost ~]# podman port web
80/tcp -> 0.0.0.0:1515
//将映像推送到指定目标,推送前需要先登录容器注册表
[root@loaclhost ~]# podman push 15072814090/busybox:v0.1
Getting image source signatures
Copying blob 084326605ab6 [--------------------------------------] 0.0b / 0.0b
Copying config 7a80323521 done
Writing manifest to image destination
Storing signatures
//重命名现有容器名
[root@loaclhost ~]# podman rename web web1
[root@loaclhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
455079197ffa docker.io/library/httpd:latest /bin/sh 4 hours ago Up 3 hours ago 0.0.0.0:1515->80/tcp web1
//重新启动一个或多个容器
[root@loaclhost ~]# podman restart web1
455079197ffa485c3efae29ac62b3b0d510dee8c990950aeb062692f44e62cae
//移除一个或多个容器
[root@loaclhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6a41c7cb70c5 docker.io/library/busybox:latest /bin/sh 22 minutes ago paused cranky_allen
[root@loaclhost ~]# podman rm -f cranky_allen //-f是强制删除
6a41c7cb70c5ee05572bf4728e9a3836e99a05fe8d425de40b162b290cb28b00
[root@loaclhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
//从本地存储中删除一个或多个镜像
[root@loaclhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/busybox latest 7a80323521cc 2 weeks ago 1.47 MB
localhost/15072814090/busybox v0.1 7a80323521cc 2 weeks ago 1.47 MB
docker.io/library/httpd latest dabbfbe0c57b 7 months ago 148 MB
quay.io/centos/centos latest 300e315adb2f 20 months ago 217 MB
[root@loaclhost ~]# podman rmi localhost/15072814090/busybox:v0.1
Untagged: localhost/15072814090/busybox:v0.1
[root@loaclhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/busybox latest 7a80323521cc 2 weeks ago 1.47 MB
docker.io/library/httpd latest dabbfbe0c57b 7 months ago 148 MB
quay.io/centos/centos latest 300e315adb2f 20 months ago 217 MB
//创建一个运行的容器
[root@loaclhost ~]# podman run -itd busybox /bin/sh
43d82445221e95a688168231b0da7a1892cceaf0951a73f29b5378b89e0e19ea
[root@loaclhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
43d82445221e docker.io/library/busybox:latest /bin/sh 4 seconds ago Up 4 seconds ago youthful_antonelli
//将镜像保存到存档
[root@loaclhost ~]# podman save -o hwf.tar busybox
Getting image source signatures
Copying blob 084326605ab6 done
Copying config 7a80323521 done
Writing manifest to image destination
Storing signatures
[root@loaclhost ~]# ls
123 anaconda-ks.cfg guazai hwf.tar lv0
//从容器存档加载映像
[root@loaclhost ~]# podman load -i hwf.tar
Getting image source signatures
Copying blob 084326605ab6 done
Copying config 7a80323521 done
Writing manifest to image destination
Storing signatures
Loaded image(s): docker.io/library/busybox:latest
[root@loaclhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/busybox latest 7a80323521cc 2 weeks ago 1.47 MB
//在注册表中搜索映像
[root@loaclhost ~]# podman search httpd
INDEX NAME DESCRIPTION STARS OFFICIAL AUTOMATED
docker.io docker.io/library/httpd The Apache HTTP Server Project 4116 [OK]
docker.io docker.io/clearlinux/httpd httpd HyperText Transfer Protocol (HTTP) ser... 2
docker.io docker.io/centos/httpd-24-centos7 Platform for running Apache httpd 2.4 or bui... 44
docker.io docker.io/manageiq/httpd Container with httpd, built on CentOS for Ma... 1 [OK]
docker.io docker.io/centos/httpd-24-centos8
//管理 podman,显示系统信息
[root@loaclhost ~]# podman system info
host:
arch: amd64
buildahVersion: 1.22.3
cgroupControllers:
- cpuset
- cpu
- cpuacct
- blkio
//向本地镜像添加其他名称
[root@loaclhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/busybox latest 7a80323521cc 2 weeks ago 1.47 MB
[root@loaclhost ~]# podman tag docker.io/library/busybox:latest docker.io/libaray/busybox:v0.1
[root@loaclhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/busybox latest 7a80323521cc 2 weeks ago 1.47 MB
docker.io/libaray/busybox v0.1 7a80323521cc 2 weeks ago 1.47 MB
//显示容器的运行进程
[root@loaclhost ~]# podman top web1
USER PID PPID %CPU ELAPSED TTY TIME COMMAND
root 1 0 0.000 25m17.094314674s pts/0 0s /bin/sh
//显示 Podman 版本信息
[root@loaclhost ~]# podman version
Version: 3.3.1
API Version: 3.3.1
Go Version: go1.16.7
Built: Wed Nov 10 05:23:56 2021
OS/Arch: linux/amd64
//从本地存储的映像中删除一个或多个名称
[root@loaclhost ~]# podman untag docker.io/libaray/busybox:v0.1
[root@loaclhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
<none> <none> 7a80323521cc 2 weeks ago 1.47 MB
4.podman的基本设置与使用
//运行容器,该服务器仅为其索引页提供服务
[root@loaclhost ~]# podman run -dt -p 8080:8080/tcp -e HTTPD_VAR_RUN=/run/httpd -e HTTPD_MAIN_CONF_D_PATH=/etc/httpd/conf.d \
> -e HTTPD_MAIN_CONF_PATH=/etc/httpd/conf \
> -e HTTPD_CONTAINER_SCRIPTS_PATH=/usr/share/container-scripts/httpd/ \
> registry.fedoraproject.org/f29/httpd /usr/bin/run-httpd
Trying to pull registry.fedoraproject.org/f29/httpd:latest...
Getting image source signatures
Copying blob aaf5ad2e1aa3 done
Copying blob 7692efc5f81c done
Copying blob d77ff9f653ce done
Copying config 25c76f9dcd done
Writing manifest to image destination
Storing signatures
63bfe5481d337f017544906a0dd0a8fe64797ac8c12adf24223dd6a5c4f5df4f
[root@loaclhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
63bfe5481d33 registry.fedoraproject.org/f29/httpd:latest /usr/bin/run-http... 21 seconds ago Up 21 seconds ago 0.0.0.0:8080->8080/tcp suspicious_swartz
//检查正在运行的容器:podman inspect -l 选择最新创建的容器,grep -i 忽略大小写匹配 ipaddress
[root@loaclhost ~]# podman inspect -l|grep -i ipaddress
"IPAddress": "10.88.0.16",
"IPAddress": "10.88.0.16",
//测试httpd服务器
[root@loaclhost ~]# curl 10.88.0.16:8080
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Test Page for the Apache HTTP Server on Fedora</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<style type="text/css">
...内容省略
//检查容器日志
[root@loaclhost ~]# podman logs -l
er-generated directory index forbidden by Options directive
10.88.0.1 - - [15/Aug/2022:11:11:44 +0000] "GET / HTTP/1.1" 403 4650 "-" "curl/7.61.1"
[Mon Aug 15 11:11:55.778172 2022] [autoindex:error] [pid 28:tid 139975920113408] [client 10.88.0.1:58344] AH01276: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive
10.88.0.1 - - [15/Aug/2022:11:11:55 +0000] "GET / HTTP/1.1" 403 4650 "-" "curl/7.61.1"
...内容省略
//检查容器pid
[root@loaclhost ~]# podman top 63bfe5481d33
USER PID PPID %CPU ELAPSED TTY TIME COMMAND
default 1 0 0.000 7m28.315734173s pts/0 0s httpd -D FOREGROUND
default 23 1 0.000 7m28.315882304s pts/0 0s /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat
default 24 1 0.000 7m28.31591758s pts/0 0s /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat
default 25 1 0.000 7m28.315968716s pts/0 0s /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat
default 26 1 0.000 7m28.316001977s pts/0 0s /usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat
default 27 1 0.000 7m28.316030253s pts/0 0s httpd -D FOREGROUND
//对容器执行检查点操作,会停止容器,将容器的状态写入磁盘,类似虚拟机快照功能
[root@loaclhost ~]# podman container checkpoint 63bfe5481d33
63bfe5481d337f017544906a0dd0a8fe64797ac8c12adf24223dd6a5c4f5df4f
[root@loaclhost ~]# curl 10.88.0.16:8080 //访问失败
//还原容器,类似虚拟机恢复快照功能
[root@loaclhost ~]# podman container restore 63bfe5481d33
63bfe5481d337f017544906a0dd0a8fe64797ac8c12adf24223dd6a5c4f5df4f
[root@loaclhost ~]# curl 10.88.0.16:8080 //可以访问成功
//迁移容器
要将容器从一个主机实时迁移到另一个主机,容器将在迁移的源系统上执行检查点操作,传输到目标系统,然后在目标系统上还原。传输检查点时,可以指定输出文件。
[root@loaclhost ~]# podman container checkpoint suspicious_swartz -e /tmp/checkpoint.tar.gz
63bfe5481d337f017544906a0dd0a8fe64797ac8c12adf24223dd6a5c4f5df4f
//将本机的容器删除,模拟远程传输
[root@loaclhost ~]# podman rm -f suspicious_swartz
63bfe5481d337f017544906a0dd0a8fe64797ac8c12adf24223dd6a5c4f5df4f
[root@loaclhost ~]# podman container restore -i /tmp/checkpoint.tar.gz
63bfe5481d337f017544906a0dd0a8fe64797ac8c12adf24223dd6a5c4f5df4f
[root@loaclhost ~]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
63bfe5481d33 registry.fedoraproject.org/f29/httpd:latest /usr/bin/run-http... 7 seconds ago Up 7 seconds ago 0.0.0.0:8080->8080/tcp suspicious_swartz
//测试访问,访问成功
[root@loaclhost ~]# curl 10.88.0.16:8080
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Test Page for the Apache HTTP Server on Fedora</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<style type="text/css">
/*<![CDATA[*/
body {
background-color: #fff;
color: #000;
...内容省略
5.podman的签名和分发容器镜像
//运行一个容器注册表
[root@loaclhost ~]# podman run -d -p 5000:5000 docker.io/registry
Trying to pull docker.io/library/registry:latest...
Getting image source signatures
Copying blob 3790aef225b9 done
Copying blob e2ead8259a04 done
Copying blob 0d96da54f60b done
Copying blob 79e9f2f55bf5 done
Copying blob 5b27040df4a2 done
Copying config b8604a3fe8 done
Writing manifest to image destination
Storing signatures
918ba79c7ddf5ac9aca579cfa1d45e94567d210e2caaa20e0ce9e3d44826e1f2
[root@loaclhost ~]# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
918ba79c7ddf docker.io/library/registry:latest /etc/docker/regis... 5 seconds ago Up 4 seconds ago 0.0.0.0:5000->5000/tcp gracious_wu
//拉取一个镜像
[root@loaclhost ~]# podman pull docker://docker.io/alpine:latest
Trying to pull docker.io/library/alpine:latest...
Getting image source signatures
Copying blob 59bf1c3509f3 done
Copying config c059bfaa84 done
Writing manifest to image destination
Storing signatures
c059bfaa849c4d8e4aecaeb3a10c2d9b3d85f5165c66ad3a4d937758128c4d18
[root@loaclhost ~]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/busybox v0.1 7a80323521cc 2 weeks ago 1.47 MB
docker.io/library/httpd latest dabbfbe0c57b 7 months ago 148 MB
docker.io/library/alpine latest c059bfaa849c 8 months ago 5.87 MB
docker.io/library/registry latest b8604a3fe854 9 months ago 26.8 MB
//为镜像添加指向本地注册表 localhost:5000 的标签
[root@loaclhost ~]# podman tag alpine localhost:5000/alpine
[root@loaclhost ~]# podman images alpine
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/alpine latest c059bfaa849c 8 months ago 5.87 MB
localhost:5000/alpine latest c059bfaa849c 8 months ago 5.87 MB
//Podman 现在能够在一条命令中完成推送镜像并签名。但要让它工作,必须先修改系统范围的注册表签名存储配置
[root@loaclhost ~]# vim /etc/containers/registries.d/default.yaml
default-docker:
# sigstore: file:///var/lib/containers/sigstore
sigstore-staging: file:///var/lib/containers/sigstore
sigstore: http://localhost:8000 //添加此行
//生成用于给镜像签名的 GPG 密钥对
[root@loaclhost ~]# gpg --full-gen-key
gpg (GnuPG) 2.2.20; Copyright (C) 2020 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(14) Existing key from card
Your selection?
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: 123@123.com
Name may not start with a digit
Real name: hwf@123.com
Email address: hwf@123.com
Comment: sbsb
You selected this USER-ID:
"hwf@123.com (sbsb) <hwf@123.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key A8B7042981771F47 marked as ultimately trusted
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/13777B44876BA969F588FB77A8B7042981771F47.rev'
public and secret key created and signed.
pub rsa2048 2022-08-15 [SC]
13777B44876BA969F588FB77A8B7042981771F47
uid hwf@123.com (sbsb) <hwf@123.com>
sub rsa2048 2022-08-15 [E]
//推送镜像并用 hwf@123.com 对应的 GPG 密钥签名;--tls-verify=false 关闭了对注册表证书的校验,这里只因本地 localhost:5000 测试注册表未配置 TLS
[root@loaclhost ~]# podman push --tls-verify=false --sign-by hwf@123.com localhost:5000/alpine
Getting image source signatures
Copying blob 8d3ac3489996 done
Copying config c059bfaa84 [======================================] 1.4KiB / 1.4KiB
Writing manifest to image destination
Signing manifest
Storing signatures
//查看系统签名存储
[root@loaclhost ~]# ls /var/lib/containers/sigstore/
'alpine@sha256=964248be4bb8e3052c8b411271126f70c5c5015df31e014bfc41fad50edf78d8'
//安装 python38,在签名目录下启动一个监听 8000 端口的 HTTP 服务器,对应 default.yaml 中的 sigstore: http://localhost:8000,供拉取方获取签名
[root@loaclhost ~]# dnf module install python38
[root@loaclhost ~]# cd /var/lib/containers/sigstore/
[root@loaclhost sigstore]# ls
'alpine@sha256=964248be4bb8e3052c8b411271126f70c5c5015df31e014bfc41fad50edf78d8'
[root@loaclhost sigstore]# python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
[root@loaclhost ~]# ss -anlt //8000 端口已开启
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 5 0.0.0.0:8000 0.0.0.0:*
LISTEN 0 128 0.0.0.0:5000 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 *:80 *:*
LISTEN 0 128 [::]:22 [::]:*
//放行防火墙进行访问测试
[root@loaclhost ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.159.0/24 port port=8000 protocol=tcp accept' --permanent
success
[root@loaclhost ~]# firewall-cmd --reload
success
[root@loaclhost ~]# file /var/lib/containers/sigstore/alpine@sha256\=964248be4bb8e3052c8b411271126f70c5c5015df31e014bfc41fad50edf78d8/signature-1
/var/lib/containers/sigstore/alpine@sha256=964248be4bb8e3052c8b411271126f70c5c5015df31e014bfc41fad50edf78d8/signature-1: data
//删除镜像测试
[root@loaclhost ~]# podman rmi docker.io/alpine localhost:5000/alpine
Untagged: docker.io/library/alpine:latest
Untagged: localhost:5000/alpine:latest
Deleted: c059bfaa849c4d8e4aecaeb3a10c2d9b3d85f5165c66ad3a4d937758128c4d18
//编写策略,要求来自 localhost:5000 的镜像必须带有 /tmp/key.gpg 中密钥的有效签名;注意 default 仍为 insecureAcceptAnything,其他来源的镜像不做签名校验
[root@loaclhost ~]# cd /etc/containers/
[root@loaclhost containers]# ls
certs.d oci policy.json registries.conf registries.conf.d registries.d storage.conf
[root@loaclhost containers]# vim policy.json
{
"default": [
{
"type": "insecureAcceptAnything"
}
],
"transports": {
"docker": {
"localhost:5000": [
{
"type": "signedBy",
"keyType": "GPGKeys",
"keyPath": "/tmp/key.gpg"
//将gpg密钥放在keypath
[root@loaclhost containers]# gpg --output /tmp/key.gpg --armor --export hwf@123.com
//从本地注册表拉取镜像,policy.json 会对其进行签名校验
[root@loaclhost ~]# podman pull --tls-verify=false localhost:5000/alpine
Trying to pull localhost:5000/alpine:latest...
//签名服务器(python http.server)收到了拉取方获取签名的请求
192.168.159.1 - - [16/Aug/2022 00:14:47] "GET / HTTP/1.1" 200 -
//将gpg密钥放在keypath
[root@loaclhost containers]# gpg --output /tmp/key.gpg --armor --export hwf@123.com
//从本地注册表拉取镜像,policy.json 会对其进行签名校验
[root@loaclhost ~]# podman pull --tls-verify=false localhost:5000/alpine
Trying to pull localhost:5000/alpine:latest...
//签名服务器(python http.server)收到了拉取方获取签名的请求
192.168.159.1 - - [16/Aug/2022 00:14:47] "GET / HTTP/1.1" 200 -
//测试访问