A first look at podman

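The newer toolchain is podman for running containers, buildah for building images, and skopeo for transferring and managing images.
podman is a container engine that improves on docker in some respects and can replace part of its functionality. This post largely copies the installation steps from the official site, lists a few pitfalls I ran into, and records my attempt to set up k3s with podman, which failed.
The podman official site is podman.io

podman official site

Its self-introduction reads: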

Podman is a daemonless container engine for developing, managing, and running OCI Containers on your Linux System. Containers can either be run as root or in rootless mode. Simply put: alias docker=podman.

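Compared with docker, podman has no daemon, most commands do not need root, and podman's commands are compatible with docker's.

Installation

Just follow the official installation instructions. I used Ubuntu 19.04; the key steps are: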

sudo apt-get update -qq
sudo apt-get install -qq -y software-properties-common uidmap
sudo add-apt-repository -y ppa:projectatomic/ppa
sudo apt-get update -qq
sudo apt-get -qq -y install podman

For other distributions, see the corresponding section of the instructions.
A quick test:

$ podman -v
podman version 1.6.2
$ podman info
host:
  BuildahVersion: 1.11.3
  CgroupVersion: v1
  Conmon:
    package: 'conmon: /usr/libexec/podman/conmon'
    path: /usr/libexec/podman/conmon
    version: 'conmon version 2.0.2, commit: unknown'
  Distribution:
    distribution: ubuntu
    version: "19.04"
  IDMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  MemFree: 398770176
  MemTotal: 3991453696
  OCIRuntime:
    name: runc
    package: 'cri-o-runc: /usr/lib/cri-o-runc/sbin/runc'
    path: /usr/lib/cri-o-runc/sbin/runc
    version: 'runc version spec: 1.0.1-dev'
  SwapFree: 8190685184
  SwapTotal: 8191471616
  arch: amd64
  cpus: 4
  eventlogger: journald
  hostname: dk-Aspire-5943G
  kernel: 5.0.0-32-generic
  os: linux
  rootless: true
  slirp4netns:
    Executable: /usr/bin/slirp4netns
    Package: 'slirp4netns: /usr/bin/slirp4netns'
    Version: |-
      slirp4netns version 0.4.2
      commit: unknown
  uptime: 3h 11m 43.34s (Approximately 0.12 days)
registries:
  blocked: null
  insecure: null
  search: null
store:
  ConfigFile: /home/dk/.config/containers/storage.conf
  ContainerStore:
    number: 0
  GraphDriverName: vfs
  GraphOptions: {}
  GraphRoot: /home/dk/.local/share/containers/storage
  GraphStatus: {}
  ImageStore:
    number: 0
  RunRoot: /run/user/1000
  VolumePath: /home/dk/.local/share/containers/storage/volumes
$ podman --help
manage pods and images

Usage:
  podman [flags]
  podman [command]

Available Commands:
  attach      Attach to a running container
  build       Build an image using instructions from Containerfiles
  commit      Create new image based on the changed container
  container   Manage Containers
  cp          Copy files/folders between a container and the local filesystem
  create      Create but do not start a container
  diff        Inspect changes on container's file systems
  events      Show podman events
  exec        Run a process in a running container
  export      Export container's filesystem contents as a tar archive
  generate    Generated structured data
  healthcheck Manage Healthcheck
  help        Help about any command
  history     Show history of a specified image
  image       Manage images
  images      List images in local storage
  import      Import a tarball to create a filesystem image
  info        Display podman system information
  init        Initialize one or more containers
  inspect     Display the configuration of a container or image
  kill        Kill one or more running containers with a specific signal
  load        Load an image from container archive
  login       Login to a container registry
  logout      Logout of a container registry
  logs        Fetch the logs of a container
  mount       Mount a working container's root filesystem
  network     Manage Networks
  pause       Pause all the processes in one or more containers
  play        Play a pod
  pod         Manage pods
  port        List port mappings or a specific mapping for the container
  ps          List containers
  pull        Pull an image from a registry
  push        Push an image to a specified destination
  restart     Restart one or more containers
  rm          Remove one or more containers
  rmi         Removes one or more images from local storage
  run         Run a command in a new container
  save        Save image to an archive
  search      Search registry for image
  start       Start one or more containers
  stats       Display a live stream of container resource usage statistics
  stop        Stop one or more containers
  system      Manage podman
  tag         Add an additional name to a local image
  top         Display the running processes of a container
  umount      Unmounts working container's root filesystem
  unpause     Unpause the processes in one or more containers
  unshare     Run a command in a modified user namespace
  varlink     Run varlink interface
  version     Display the Podman Version Information
  volume      Manage volumes
  wait        Block on one or more containers

Flags:
      --cgroup-manager string     Cgroup manager is not supported in rootless mode
      --cni-config-dir string     Path of the configuration directory for CNI networks
      --config string             Path of a libpod config file detailing container server configuration options
      --conmon string             Path of the conmon binary
      --cpu-profile string        Path for the cpu profiling results
      --events-backend string     Events backend to use
      --help                      Help for podman
      --hooks-dir strings         Set the OCI hooks directory path (may be set multiple times)
      --log-level string          Log messages above specified level: debug, info, warn, error, fatal or panic (default "error")
      --namespace string          Set the libpod namespace, used to create separate views of the containers and pods on the system
      --network-cmd-path string   Path to the command for configuring the network
      --root string               Path to the root directory in which data, including images, is stored
      --runroot string            Path to the 'run directory' where all state information is stored
      --runtime string            Path to the OCI-compatible binary used to run containers, default is /usr/bin/runc
      --storage-driver string     Select which storage driver is used to manage storage of images and containers (default is overlay)
      --storage-opt stringArray   Used to pass an option to the storage driver
      --syslog                    Output logging information to syslog as well as the console
      --tmpdir string             Path to the tmp directory
      --trace                     Enable opentracing output
  -v, --version                   Version of podman

Use "podman [command] --help" for more information about a command.
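
The IDMappings section of the podman info output above shows how rootless mode maps identities: container UID 0 is the unprivileged host user 1000, and container UIDs from 1 upward land in the subordinate range starting at host UID 100000. The shell functions below are an added example, not part of the original post; they translate IDs in both directions from those uidmap rows, and the function names are made up for the example.

```shell
#!/bin/sh
# Constructed sample: the uidmap rows from the podman info output above, one
# range per line as in /proc/<pid>/uid_map:
#   <first ID in container> <first ID on host> <range length>
SAMPLE_UIDMAP='0 1000 1
1 100000 65536'

# translate_id DIRECTION ID [MAP_TEXT]   (hypothetical helper)
# DIRECTION is to_host or to_container. Prints the translated ID, or prints
# "unmapped" and returns 1 when no range covers ID.
translate_id() {
    printf '%s\n' "${3:-$SAMPLE_UIDMAP}" | awk -v dir="$1" -v id="$2" '
        NF == 3 {
            from = (dir == "to_host" ? $1 : $2) + 0
            to   = (dir == "to_host" ? $2 : $1) + 0
            if (id + 0 >= from && id + 0 < from + $3) {
                print to + (id - from)
                found = 1
                exit
            }
        }
        END {
            if (!found) { print "unmapped"; exit 1 }
        }'
}

host_id_for()      { translate_id to_host "$1" "$2"; }
container_id_for() { translate_id to_container "$1" "$2"; }

# Container root is the unprivileged host user; host root has no mapping at all.
echo "container uid 0    -> host uid $(host_id_for 0)"
echo "container uid 1000 -> host uid $(host_id_for 1000)"
echo "host uid 0         -> container uid $(container_id_for 0)"
```

The reverse lookup is the one to use when a process owned by a UID in the 100000 range shows up in host-side ps output or audit logs and has to be attributed to a user inside the container.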

Because podman's commands are fully compatible with docker's, you can set an alias:

$ alias docker=podman
$ alias
alias docker='podman'
(omitted)

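The effect is that running the docker command actually runs podman.

Configuring the registry

I did not find a way to configure registry-mirrors in podman as in docker; instead there are two configuration files, /etc/containers/registries.d/default.yaml and ~/.config/containers/registries.conf.
What seems to work is adding the following to the configuration: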

unqualified-search-registries = ["docker.io"]

[[registry]]
prefix = "docker.io"
location = "uyah70su.mirror.aliyuncs.com"
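
With the fragment above, every pull for docker.io is served from the location host instead, so image provenance depends on that host. The function below is an added example, not part of the original post: it lists each [[registry]] table whose location differs from its prefix and flags tables that set insecure = true. It is a line-based check, not a full TOML parser, and its names are made up for the example.

```shell
#!/bin/sh
# Constructed sample: the registries.conf fragment shown above.
SAMPLE_CONF='unqualified-search-registries = ["docker.io"]

[[registry]]
prefix = "docker.io"
location = "uyah70su.mirror.aliyuncs.com"
'

# list_redirects [CONF_TEXT]   (hypothetical helper)
# Prints "<prefix> -> <location>" for every [[registry]] table that serves a
# prefix from a different location, adding " (insecure)" when the table sets
# insecure = true. Sub-tables such as [[registry.mirror]] are not inspected.
list_redirects() {
    printf '%s\n' "${1:-$SAMPLE_CONF}" | awk '
        function val(line) {    # text between the first pair of double quotes
            sub(/^[^"]*"/, "", line); sub(/".*$/, "", line); return line
        }
        function emit(   suffix) {
            if (prefix == "") prefix = location   # prefix defaults to location
            suffix = insecure ? " (insecure)" : ""
            if (in_reg && location != "" && prefix != location)
                print prefix " -> " location suffix
            prefix = ""; location = ""; insecure = 0
        }
        /^[ \t]*#/  { next }
        /^[ \t]*\[/ { emit(); in_reg = ($0 ~ /^[ \t]*\[\[registry\]\][ \t]*$/); next }
        in_reg && /^[ \t]*prefix[ \t]*=/             { prefix = val($0) }
        in_reg && /^[ \t]*location[ \t]*=/           { location = val($0) }
        in_reg && /^[ \t]*insecure[ \t]*=[ \t]*true/ { insecure = 1 }
        END { emit() }
    '
}

list_redirects
```

To audit a real host, pass the file contents, for example list_redirects "$(cat ~/.config/containers/registries.conf)".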

Pitfalls

Linux version

As of 3 November 2019, installing podman on Ubuntu 19.10 with apt-get install still fails, because the podman repo does not yet support Ubuntu 19.10 Eoan Ermine.

Removing the alias

Use the unalias command:

$ unalias docker
$ alias
(omitted; all aliases are listed and docker is no longer among them)

Setting up k3s with podman

This fails whether or not alias docker=podman is set. The k3s log, viewed with journalctl:

11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: time="2019-11-03T21:21:46.672574217+08:00" level=info msg="Starting /v1, Kind=Node controller"
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: I1103 21:21:46.688252   17941 controller.go:606] quota admission added evaluator for: helmcharts.helm.cattle.i
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: time="2019-11-03T21:21:46.759228465+08:00" level=info msg="module br_netfilter was already loaded"
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: time="2019-11-03T21:21:46.759377842+08:00" level=info msg="module overlay was already loaded"
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: time="2019-11-03T21:21:46.759416652+08:00" level=info msg="module nf_conntrack was already loaded"
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: time="2019-11-03T21:21:46.775672300+08:00" level=info msg="Connecting to proxy" url="wss://192.168.3.4:6443/v1
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: time="2019-11-03T21:21:46.780820880+08:00" level=info msg="Handling backend connection request [dk-aspire-5943
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: time="2019-11-03T21:21:46.787235575+08:00" level=info msg="Running kubelet --address=0.0.0.0 --anonymous-auth=
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: W1103 21:21:46.796500   17941 server.go:208] WARNING: all flags other than --config, --write-config-to, and --
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: time="2019-11-03T21:21:46.804874817+08:00" level=info msg="waiting for node dk-aspire-5943g: nodes \"dk-aspire
11月 03 21:21:46 dk-Aspire-5943G systemd[1]: Started Kubernetes systemd probe.
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: I1103 21:21:46.818296   17941 server.go:406] Version: v1.16.2-k3s.1
11月 03 21:21:46 dk-Aspire-5943G systemd[1]: run-r4dcf5ad5acdb40369bbf93c377580560.scope: Succeeded.
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: E1103 21:21:46.854039   17941 node.go:124] Failed to retrieve node info: nodes "dk-aspire-5943g" not found
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: I1103 21:21:46.866160   17941 server.go:637] --cgroups-per-qos enabled, but --cgroup-root was not specified.  
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: I1103 21:21:46.866738   17941 container_manager_linux.go:272] container manager verified user specified cgroup
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: I1103 21:21:46.866765   17941 container_manager_linux.go:277] Creating Container Manager object based on Node 
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: I1103 21:21:46.866910   17941 fake_topology_manager.go:29] [fake topologymanager] NewFakeManager
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: I1103 21:21:46.866924   17941 container_manager_linux.go:312] Creating device plugin manager: true
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: I1103 21:21:46.866956   17941 fake_topology_manager.go:39] [fake topologymanager] AddHintProvider HintProvider
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: I1103 21:21:46.867011   17941 state_mem.go:36] [cpumanager] initializing new in-memory state store
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: I1103 21:21:46.867156   17941 state_mem.go:84] [cpumanager] updated default cpuset: ""
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: I1103 21:21:46.867179   17941 state_mem.go:92] [cpumanager] updated cpuset assignments: "map[]"
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: I1103 21:21:46.867200   17941 fake_topology_manager.go:39] [fake topologymanager] AddHintProvider HintProvider
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: I1103 21:21:46.867475   17941 kubelet.go:312] Watching apiserver
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: I1103 21:21:46.871762   17941 client.go:75] Connecting to docker on unix:///var/run/docker.sock
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: I1103 21:21:46.872291   17941 client.go:104] Start docker client with request timeout=2m0s
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: F1103 21:21:46.872989   17941 server.go:267] failed to run Kubelet: failed to create kubelet: failed to get do

The log shows Connecting to docker on unix:///var/run/docker.sock: docker is being driven through the socket, not through the docker command.
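
The log line above is why the alias makes no difference: an alias exists only inside the shell that defined it, while the kubelet dials the Docker API socket directly. The check below is an added example, not part of the original post; it reports what a separate process would find for a command name and for a socket path, and its function names are made up for the example.

```shell
#!/bin/sh
# cli_state NAME: "present" only if a separate process can find NAME as an
# executable on PATH. An alias exists only inside the shell that defined it,
# so it never counts here.
cli_state() {
    if sh -c 'command -v "$1" >/dev/null 2>&1' _ "$1"; then
        echo present
    else
        echo absent
    fi
}

# socket_state PATH: what a client dialing unix://PATH would find.
socket_state() {
    if [ -S "$1" ]; then
        echo socket
    elif [ -e "$1" ]; then
        echo not-a-socket
    else
        echo missing
    fi
}

# client_view NAME SOCKET_PATH: one-line summary (hypothetical helper).
client_view() {
    echo "cli=$(cli_state "$1") socket=$(socket_state "$2")"
}

# The pair from this post: the docker command and the socket named in the log.
client_view docker /var/run/docker.sock
```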
