Using Podman
Introduction
TODO
How it works
- slirp4netns
- slip
- netavark
- uidmap
Preparation
In this case the Debian 13 operating system is used; it provides
- kernel v. 6.12
- podman v. 5 (not v. 4 as in, for example, Ubuntu 24.04)
To install the podman software
root@ph-minio-01:~# apt-get install podman -d
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  aardvark-dns buildah catatonit conmon containernetworking-plugins containers-storage cpp cpp-14
  cpp-14-x86-64-linux-gnu cpp-x86-64-linux-gnu criu crun dirmngr fuse-overlayfs fuse3 gnupg gnupg-l10n
  gnupg-utils golang-github-containers-common golang-github-containers-image gpg gpg-agent gpg-wks-client
  gpgconf gpgsm gpgv iptables libassuan9 libcompel1 libcriu2 libgcrypt20 libgpg-error-l10n libgpg-error0
  libgpgme11t64 libip4tc2 libip6tc2 libisl23 libksba8 libldap-common libldap2 libmpc3 libmpfr6 libnet1
  libnetfilter-conntrack3 libnfnetlink0 libnl-3-200 libnpth0t64 libprotobuf32t64 libsasl2-2 libsasl2-modules
  libsasl2-modules-db libslirp0 libsubid5 libyajl2 netavark passt pinentry-curses python3-protobuf
  python3-pycriu slirp4netns uidmap
Suggested packages:
  cpp-doc gcc-14-locales cpp-14-doc libwasmedge0 pinentry-gnome3 tor gpg-wks-server parcimonie xloadimage
  scdaemon tpm2daemon firewalld rng-tools libsasl2-modules-gssapi-mit | libsasl2-modules-gssapi-heimdal
  libsasl2-modules-ldap libsasl2-modules-otp libsasl2-modules-sql pinentry-doc docker-compose
...
where
- in addition, passt and slirp4netns, uidmap, conmon, netavark, criu and crun are installed
# systemctl --user enable --now podman.socket
ChatGPT's suggestion: 'you might need to increase your "unprivileged ports" or "max user namespaces" in /etc/sysctl.conf'
Network check
ps aux | grep -E 'pasta|slirp4netns'
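The preparation steps above (subordinate id ranges from uidmap, the two sysctl limits ChatGPT mentions, and which network backend is actually running) gathered into one preflight script. This is an added example, not code from the page or from the Podman project; the 65536-id threshold, the ping_group_range check (pasta forwards ICMP echo through unprivileged ICMP sockets, which the kernel grants only to groups inside that range) and the file paths are assumptions for a Debian 13 host.

```shell
#!/bin/sh
# Rootless Podman preflight (added example; not from the page or the Podman
# project). Each check is a function with explicit inputs so it can be run on
# constructed data; run_checks applies them to the live host and only reports.

# Print "start:count" for USER from a subuid/subgid-style FILE; fail if absent.
subid_range() {
  awk -F: -v u="$2" '$1 == u { print $2 ":" $3; found = 1 }
                     END { exit found ? 0 : 1 }' "$1" 2>/dev/null
}

# Succeed if USER has at least 65536 subordinate ids in FILE (the usual
# allocation; images that ship files owned by high uids/gids need it).
subid_ok() {
  range=$(subid_range "$1" "$2") || return 1
  [ "${range#*:}" -ge 65536 ]
}

# Succeed if PORT can be bound by an unprivileged user, given the value of
# net.ipv4.ip_unprivileged_port_start (kernel default 1024).
port_unprivileged() {
  [ "$1" -ge "$2" ]
}

# Succeed if GID lies inside RANGE, a net.ipv4.ping_group_range value
# ("lo<tab>hi"). pasta forwards ICMP echo through unprivileged ICMP sockets,
# which the kernel only grants to groups inside this range; outside it,
# ping from a container silently fails.
ping_group_ok() {
  gid=$1
  set -- $2                 # split "lo hi" on space or tab
  [ $# -eq 2 ] || return 1
  [ "$gid" -ge "$1" ] && [ "$gid" -le "$2" ]
}

# Classify the rootless network backend from a process command line.
net_backend() {
  case "$1" in
    *pasta*)       echo pasta ;;
    *slirp4netns*) echo slirp4netns ;;
    *)             echo none ;;
  esac
}

# Live report; every check prints one line and none of them aborts the script.
run_checks() {
  u=$(id -un); g=$(id -g)
  command -v podman >/dev/null 2>&1 && podman --version
  echo "kernel $(uname -r)"
  for f in /etc/subuid /etc/subgid; do
    if subid_ok "$f" "$u"; then echo "ok   $f: $u -> $(subid_range "$f" "$u")"
    else echo "FAIL $f: no range of >= 65536 ids for $u"; fi
  done
  if command -v sysctl >/dev/null 2>&1; then
    ns=$(sysctl -n user.max_user_namespaces 2>/dev/null || echo 0)
    if [ "$ns" -gt 0 ]; then echo "ok   user.max_user_namespaces=$ns"
    else echo "FAIL user.max_user_namespaces=$ns"; fi
    lo=$(sysctl -n net.ipv4.ip_unprivileged_port_start 2>/dev/null || echo 1024)
    if port_unprivileged 80 "$lo"; then echo "info port 80 can be published directly"
    else echo "info ports below $lo need root or a lower ip_unprivileged_port_start; publish as e.g. 8098:80"; fi
    pr=$(sysctl -n net.ipv4.ping_group_range 2>/dev/null || echo "1 0")
    if ping_group_ok "$g" "$pr"; then echo "ok   ping_group_range covers gid $g"
    else echo "warn ping_group_range='$pr' excludes gid $g: ICMP from containers will not work"; fi
  fi
  procs=$(ps -eo args= 2>/dev/null | grep -E 'pasta|slirp4netns' | grep -v grep)
  echo "net  backend in use: $(net_backend "$procs")"
}

run_checks
```

Run it as the unprivileged user that will own the containers, not as root: the subuid/subgid and gid checks are about that user.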
Using Quadlet
kasutaja@ph-minio-01:~$ systemctl --user mask podman-user-wait-network-online.service
kasutaja@ph-minio-01:~$ cat .config/containers/systemd/nginx-08.container
[Unit]
Description=My Nginx Quadlet Service
DefaultDependencies=no
After=network.target

[Container]
Image=docker.io/library/nginx:alpine
PublishPort=8098:80
ContainerName=nginx-08

[Install]
# This tells systemd to start it when you log in
WantedBy=default.target
kasutaja@ph-minio-01:~$ systemctl --user daemon-reload
kasutaja@ph-minio-01:~$ systemctl --user start nginx-08.service
where
- since the unit is generated, '... enable --now ...' and the like is not applicable (it gives an error)
As a result
kasutaja@ph-minio-01:~$ systemctl --user status nginx-07
● nginx-07.service - My Nginx Quadlet Service - 07
Loaded: loaded (/home/kasutaja/.config/containers/systemd/nginx-07.container; generated)
Active: active (running) since Sun 2026-04-19 20:26:21 EEST; 5min ago
Invocation: 2954482c56c64789a40f697e6d660f2f
Main PID: 4344 (conmon)
Tasks: 5 (limit: 6982)
Memory: 30.9M (peak: 46.6M)
CPU: 94ms
CGroup: /user.slice/user-1000.slice/user@1000.service/app.slice/nginx-07.service
├─libpod-payload-448f5affd046e479f93a85fa1870aa1c9b1a9cc3d83b1f782999d464c7f41c70
│ ├─4346 "nginx: master process nginx -g daemon off;"
│ ├─4372 "nginx: worker process"
│ └─4373 "nginx: worker process"
└─runtime
├─4341 /usr/bin/pasta --config-net -t 8097-8097:80-80 --dns-forward 169.254.1.1 -u none -T none -U none --no-map-gw --quiet --netns /run/user/1000/netns/netns-5f134e7f-f63d-6728-4123-10ffea79d4e9 --map-guest-addr 169.254.1.2
└─4344 /usr/bin/conmon --api-version 1 -c 448f5affd046e479f93a85fa1870aa1c9b1a9cc3d83b1f782999d464c7f41c70 -u 448f5affd046e479f93a85fa1870aa1c9b1a9cc3d83b1f782999d464c7f41c70 -r /usr/bin/crun -b /home/kasutaja/.local/share/containers/storage/overlay-containers/448f5affd046e479f93a85fa1870aa1c9b1a9cc3d83b1f782999d464c7f41c70/userdata -p /run/user/1000/containers/overlay-containers/448f5affd046e479f>
Apr 19 20:26:21 ph-minio-01 nginx-07[4324]: 448f5affd046e479f93a85fa1870aa1c9b1a9cc3d83b1f782999d464c7f41c70
Apr 19 20:26:21 ph-minio-01 podman[4324]: 2026-04-19 20:26:21.222328815 +0300 EEST m=+0.015770124 image pull 5bd7bd52e5bcab15a093466b90e37472b0d0c0081052522afb8924cbdaf15f56 docker.io/library/nginx:alpine
Apr 19 20:26:21 ph-minio-01 nginx-07[4344]: 2026/04/19 17:26:21 [notice] 1#1: using the "epoll" event method
Apr 19 20:26:21 ph-minio-01 nginx-07[4344]: 2026/04/19 17:26:21 [notice] 1#1: nginx/1.29.8
Apr 19 20:26:21 ph-minio-01 nginx-07[4344]: 2026/04/19 17:26:21 [notice] 1#1: built by gcc 15.2.0 (Alpine 15.2.0)
Apr 19 20:26:21 ph-minio-01 nginx-07[4344]: 2026/04/19 17:26:21 [notice] 1#1: OS: Linux 6.12.74+deb13+1-amd64
Apr 19 20:26:21 ph-minio-01 nginx-07[4344]: 2026/04/19 17:26:21 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 524288:524288
Apr 19 20:26:21 ph-minio-01 nginx-07[4344]: 2026/04/19 17:26:21 [notice] 1#1: start worker processes
Apr 19 20:26:21 ph-minio-01 nginx-07[4344]: 2026/04/19 17:26:21 [notice] 1#1: start worker process 25
Apr 19 20:26:21 ph-minio-01 nginx-07[4344]: 2026/04/19 17:26:21 [notice] 1#1: start worker process 26
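A hardened variant of the nginx-08 unit above, together with a small check that reports which hardening keys a Quadlet file is missing and a dry run of the generator, as an added example (not the page's own unit and not Podman project code). The capability list, the Tmpfs path, the generator path /usr/lib/systemd/system-generators/podman-system-generator and the QUADLET_UNIT_DIRS override are assumptions to verify against podman-systemd.unit(5) on the host.

```shell
#!/bin/sh
# Quadlet unit helper (added example; not from the page or the Podman project).
# Writes a hardened variant of the nginx .container unit shown above, lists
# the hardening keys a unit lacks, and validates a unit directory with the
# Quadlet generator's dry run.

# Keys a rootless web-server unit should normally set (podman-systemd.unit(5)).
HARDENING_KEYS="NoNewPrivileges DropCapability ReadOnly"

# Succeed if FILE sets KEY= in any section; leading whitespace allowed,
# commented-out lines (# KEY=...) do not count.
quadlet_has_key() {
  grep -Eq "^[[:space:]]*$2[[:space:]]*=" "$1"
}

# Print the hardening keys FILE does not set, one per line (empty if none).
quadlet_missing_hardening() {
  for k in $HARDENING_KEYS; do
    quadlet_has_key "$1" "$k" || echo "$k"
  done
}

# Write a hardened nginx unit to FILE. The capability list and tmpfs path
# are assumptions for docker.io/library/nginx:alpine, which starts as root,
# drops to the nginx user and writes its cache under /var/cache/nginx.
write_hardened_nginx_unit() {
  cat > "$1" <<'EOF'
[Unit]
Description=My Nginx Quadlet Service (hardened)
After=network.target

[Container]
Image=docker.io/library/nginx:alpine
ContainerName=nginx-08
PublishPort=8098:80
NoNewPrivileges=true
DropCapability=all
AddCapability=CAP_CHOWN CAP_SETUID CAP_SETGID CAP_DAC_OVERRIDE CAP_NET_BIND_SERVICE
ReadOnly=true
Tmpfs=/var/cache/nginx

[Install]
WantedBy=default.target
EOF
}

# Dry-run the Quadlet generator on FILE's directory only (QUADLET_UNIT_DIRS
# overrides the search path), so the live unit tree is not touched.
# Prints the generated .service on success; skipped when Podman is absent.
quadlet_dryrun() {
  gen=/usr/lib/systemd/system-generators/podman-system-generator
  if [ ! -x "$gen" ]; then echo "skip: $gen not installed"; return 0; fi
  QUADLET_UNIT_DIRS=$(dirname "$1") "$gen" --user --dryrun
}

# Usage matching the page's session: write, dry-run, then reload and start.
if [ "${1:-}" = install ]; then
  unit="$HOME/.config/containers/systemd/nginx-08.container"
  mkdir -p "$(dirname "$unit")"
  write_hardened_nginx_unit "$unit"
  quadlet_dryrun "$unit" >/dev/null && systemctl --user daemon-reload \
    && systemctl --user start nginx-08.service
fi
```

The dry run is the step worth keeping in a deployment pipeline: a typo in a key name is otherwise only reported by `systemctl --user daemon-reload`, after the old unit has already been replaced.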
Querying the state
kasutaja@ph-minio-01:~$ loginctl user-status
kasutaja (1000)
Since: Sun 2026-04-19 18:59:50 EEST; 1h 15min ago
State: active
Sessions: *69 68
Linger: no
Unit: user-1000.slice
├─session-69.scope
│ ├─3556 "sshd-session: kasutaja [priv]"
│ ├─3563 "sshd-session: kasutaja@pts/1"
│ ├─3564 -bash
│ ├─3883 loginctl user-status
│ └─3884 pager
└─user@1000.service
├─app.slice
│ ├─nginx-08.service
│ │ ├─libpod-payload-bc852e3e18307519d4aa9da53a695a32a41de08994596114cbe36b400b47e045
│ │ │ ├─3485 "nginx: master process nginx -g daemon off;"
│ │ │ ├─3537 "nginx: worker process"
│ │ │ └─3538 "nginx: worker process"
│ │ └─runtime
│ │ ├─3464 /usr/bin/pasta --config-net -t 8098-8098:80-80 --dns-forward 169.254.1.1 -u none -T none -U none --no-map-gw --quiet --netns /run/user/1000/netns/netns-91377314-f55f-138d-42af-3d324176cd02 --map-guest-addr >
│ │ └─3480 /usr/bin/conmon --api-version 1 -c bc852e3e18307519d4aa9da53a695a32a41de08994596114cbe36b400b47e045 -u bc852e3e18307519d4aa9da53a695a32a41de08994596114cbe36b400b47e045 -r /usr/bin/crun -b /home/kasutaja/.lo>
│ └─nginx-09.service
│ ├─libpod-payload-a390c5429a53870b2175d1869d0e5aab0c990e9f8cb511b3cac04582b346c35a
│ │ ├─3484 "nginx: master process nginx -g daemon off;"
│ │ ├─3511 "nginx: worker process"
│ │ └─3512 "nginx: worker process"
│ └─runtime
│ ├─3476 /usr/bin/pasta --config-net -t 8099-8099:80-80 --dns-forward 169.254.1.1 -u none -T none -U none --no-map-gw --quiet --netns /run/user/1000/netns/netns-ec2cfa9a-6c8b-0edf-24a2-be75c53feb34 --map-guest-addr >
│ └─3481 /usr/bin/conmon --api-version 1 -c a390c5429a53870b2175d1869d0e5aab0c990e9f8cb511b3cac04582b346c35a -u a390c5429a53870b2175d1869d0e5aab0c990e9f8cb511b3cac04582b346c35a -r /usr/bin/crun -b /home/kasutaja/.lo>
├─init.scope
│ ├─3376 /usr/lib/systemd/systemd --user
│ └─3378 "(sd-pam)"
├─session.slice
│ └─dbus.service
│ └─3536 /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
└─user.slice
└─podman-pause-407bd36c.scope
└─3427 catatonit -P
Misc
TODO
Networking between pods on a pod host
By default the pods on a pod host run so that the host's own network interface is, so to speak, mirrored into each pod, i.e. the pod thinks it is the host. When such a pod then tries to reach another pod, it cannot, because its network traffic gets stuck. This situation can be overcome with the arrangement described below
- inside each pod, separate network interfaces with 10.x.x.x addresses are created
- the network interfaces of all the pods involved hang off one 'switch', so to speak
- on the pod host a process called rootlessport runs
- somewhere inside that process, packets arriving from the internet are translated into packets with these private addresses
systemd unit configuration of one pod
kasutaja@ns-pdns-01:~$ cat .config/containers/systemd/pdns-01.container
[Unit]
Description=My PDNS Quadlet Service
DefaultDependencies=no
After=network.target

[Container]
Image=docker.io/powerdns/pdns-auth-49:latest
PublishPort=8081:8081/tcp
PublishPort=1053:8053/tcp
PublishPort=1053:8053/udp
ContainerName=pdns-01
Volume=%h/volume/pdns/etc/powerdns/pdns.conf:/etc/powerdns/pdns.conf:ro
# Environment=PDNS_local_port=8053
Network=dns-net.network

[Install]
# This tells systemd to start it when you log in
WantedBy=default.target
configuration of the second systemd unit
kasutaja@ns-pdns-01:~$ cat .config/containers/systemd/nginx-01.container
[Unit]
Description=My Nginx Quadlet Service - 01
DefaultDependencies=no
After=network.target

[Container]
Image=docker.io/library/nginx:alpine
PublishPort=8091:80
ContainerName=nginx-01
Volume=%h/volume/nginx/etc/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
Network=dns-net.network

[Install]
# This tells systemd to start it when you log in
WantedBy=default.target
network unit configuration
kasutaja@ns-pdns-01:~$ cat .config/containers/systemd/dns-net.network
[Network]
NetworkName=dns-net
Options=dns
As a result, the following processes appear on the pod host
root@ns-pdns-01:~# netstat -lnpt | grep rootle
tcp6       0      0 :::8081                 :::*                    LISTEN      63597/rootlessport
tcp6       0      0 :::8091                 :::*                    LISTEN      63627/rootlessport
tcp6       0      0 :::1053                 :::*                    LISTEN      63597/rootlessport
and they are in different namespaces
root@ns-pdns-01:~# lsns -T | grep rootlessport
│ ├─4026532532 net         4 63597 kasutaja rootlessport
│ ├─4026532647 net         5 63627 kasutaja rootlessport
and inside them are the following network interfaces
root@ns-pdns-01:~# nsenter -t 63597 -n ip addr show dev eth0
2: eth0@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65520 qdisc noqueue state UP group default qlen 1000
link/ether ce:90:e6:c1:2e:42 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 10.89.0.5/24 brd 10.89.0.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::cc90:e6ff:fec1:2e42/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
root@ns-pdns-01:~# nsenter -t 63627 -n ip addr show dev eth0
2: eth0@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65520 qdisc noqueue state UP group default qlen 1000
link/ether 7e:9d:11:fa:3b:24 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 10.89.0.6/24 brd 10.89.0.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::7c9d:11ff:fefa:3b24/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
and the ARP tables
root@ns-pdns-01:~# nsenter -t 63597 -n arp -an
? (10.89.0.6) at 7e:9d:11:fa:3b:24 [ether] on eth0
? (10.89.0.1) at 9a:1f:56:3d:e4:d6 [ether] on eth0
root@ns-pdns-01:~# nsenter -t 63627 -n arp -an
? (10.89.0.1) at 9a:1f:56:3d:e4:d6 [ether] on eth0
? (10.89.0.5) at ce:90:e6:c1:2e:42 [ether] on eth0
and, for example, from inside one pod the network to the other pod works
kasutaja@ns-pdns-01:~$ podman exec -ti nginx-01 ping -c 2 pdns-01
PING pdns-01 (10.89.0.5): 56 data bytes
64 bytes from 10.89.0.5: seq=0 ttl=42 time=0.020 ms
64 bytes from 10.89.0.5: seq=1 ttl=42 time=0.064 ms

--- pdns-01 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.020/0.042/0.064 ms
interestingly, the internet cannot be pinged (this is a peculiarity of passt networking)
kasutaja@ns-pdns-01:~$ podman exec -ti nginx-01 ping -c 2 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
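The netstat/lsns/nsenter inspection above folded into one inventory script, plus a pod-to-pod check over TCP rather than ICMP (which, as the ping to 8.8.8.8 shows, pasta does not carry). This is an added example, not from the page or from the Podman project; it assumes net-tools and root as in the session above, and the busybox wget shipped in nginx:alpine for the HTTP check. The netstat and ip output embedded in it is a constructed sample using the ports, pids and addresses shown on the page.

```shell
#!/bin/sh
# Rootless port/namespace inventory (added example; not from the page or the
# Podman project). Parses the `netstat -lnpt` and `ip -o addr` output formats
# used above to map each published host port to its rootlessport process and
# the container-side address, then checks pod-to-pod reachability over TCP
# instead of ICMP, which pasta does not forward by default.

# Constructed sample in netstat -lnpt format (ports/pids as on the page).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 812/sshd
tcp6 0 0 :::8081 :::* LISTEN 63597/rootlessport
tcp6 0 0 :::8091 :::* LISTEN 63627/rootlessport
tcp6 0 0 :::1053 :::* LISTEN 63597/rootlessport'

# Constructed sample in `ip -o addr show dev eth0` format.
SAMPLE_IPADDR='2: eth0    inet 10.89.0.5/24 brd 10.89.0.255 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet6 fe80::cc90:e6ff:fec1:2e42/64 scope link proto kernel_ll \       valid_lft forever preferred_lft forever'

# stdin: netstat -lnpt output. Prints "port pid" for every rootlessport
# listener (IPv4 and IPv6 local addresses both end in ":port").
rootlessport_listeners() {
  awk '$NF ~ /\/rootlessport$/ {
         n = split($4, a, ":"); split($NF, p, "/"); print a[n], p[1] }'
}

# stdin: "port pid" lines. Prints the pid listening on PORT (empty if none).
pid_for_port() {
  awk -v port="$1" '$1 == port { print $2; exit }'
}

# stdin: ip -o addr output. Prints the first IPv4 address with prefix length.
eth0_ipv4() {
  awk '$3 == "inet" { print $4; exit }'
}

# Live inventory: needs root (nsenter into another user's namespace) and
# net-tools, as in the page's session. One line per distinct port/pid pair.
inventory() {
  netstat -lnpt 2>/dev/null | rootlessport_listeners | sort -u |
  while read -r port pid; do
    ip4=$(nsenter -t "$pid" -n ip -o addr show dev eth0 2>/dev/null | eth0_ipv4)
    echo "host :$port -> rootlessport pid $pid -> container eth0 ${ip4:-?}"
  done
}

# TCP reachability from container FROM to host TO on an HTTP port (assumes the
# busybox wget in nginx:alpine). Succeeds on a 2xx reply; a refused or timed-out
# connection, and an HTTP error status, make it fail.
pod_http_check() {
  podman exec "$1" wget -q -T 2 -O /dev/null "http://$2:$3/"
}

# Same parsing on the embedded sample, so the logic can be exercised offline.
demo_inventory() {
  printf '%s\n' "$SAMPLE_NETSTAT" | rootlessport_listeners | sort -u |
  while read -r port pid; do
    echo "host :$port -> rootlessport pid $pid"
  done
}

if [ "$(id -u)" -eq 0 ] && command -v netstat >/dev/null 2>&1; then
  inventory
else
  demo_inventory
fi
```

With the units above, `pod_http_check nginx-01 pdns-01 8081` exercises the same path as the ping to pdns-01 but through a TCP connection, so it keeps working under pasta even where ICMP does not; the inventory output is what to compare against the PublishPort= lines of the unit files when auditing which host ports are really exposed.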
Useful further reading
- https://passt.top/
- youtube 'Getting started with Podman' by SRKMasterStack
- 'Podman for DevOps - Second Edition' - Alessandro Arrichiello, Gianni Salinetti
- https://www.hackerstack.org/understanding-linux-namespaces/