

Podman - Work with containers and Kubernetes seamlessly from your local environment

The logo is a Selkie, a fairy from Irish folklore 🧚 (not a seal or a mole, according to Podman in Action 🤔)

Official: Podman (translation)
Source code: containers/podman: Podman: A tool for managing OCI containers and pods. (translation)
Documentation: What is Podman? — Podman documentation (translation)
SDK documentation: Podman: Python scripting for Podman services — Podman Python SDK documentation (translation)

Official: Podman Installation | Podman (translation)

On Fedora 39 it is installed by default 😊

$ podman -v

podman version 4.9.0

Official: Manage containers on Fedora Linux with Podman Desktop - Fedora Magazine

Following https://podman-desktop.io/downloads, install it from Flathub, the Linux app store 🤔

$ flatpak install flathub io.podman_desktop.PodmanDesktop

Looking for matches…
Required runtime for io.podman_desktop.PodmanDesktop/x86_64/stable (runtime/org.freedesktop.Platform/x86_64/23.08) found in remote flathub
Do you want to install it? [Y/n]: 

io.podman_desktop.PodmanDesktop permissions:
    ipc                  network      x11      dri      file access [1]
    dbus access [2]

    [1] /run/docker.sock, home, xdg-run/podman:create
    [2] org.freedesktop.Flatpak, org.freedesktop.Notifications, org.kde.StatusNotifierWatcher


        ID                                             Branch          Op    Remote     Download
 1. [] org.freedesktop.Platform.GL.default            23.08           i     flathub    162.0 MB / 162.3 MB
 2. [] org.freedesktop.Platform.GL.default            23.08-extra     i     flathub     17.9 MB / 162.3 MB
 3. [] org.freedesktop.Platform.GL.nvidia-390-157     1.4             i     flathub     50.9 MB / 51.0 MB
 4. [] org.freedesktop.Platform.Locale                23.08           i     flathub      1.8 MB / 359.9 MB
 5. [] org.freedesktop.Platform.openh264              2.2.0           i     flathub    886.7 kB / 944.3 kB
 6. [] org.freedesktop.Platform                       23.08           i     flathub    175.9 MB / 225.6 MB
 7. [] io.podman_desktop.PodmanDesktop                stable          i     flathub    117.6 MB / 121.2 MB

Installation complete.

Create a directory and write a Containerfile 🤔

$ mkdir haruo_podman && cd haruo_podman
$ nano Containerfile

FROM docker.io/amd64/fedora:39

RUN dnf update -y \
&& dnf install -y git glibc-locale-source glibc-langpack-ja figlet lolcat neofetch \
&& dnf clean all \
&& rm -rf /var/cache/dnf
# cowsay figlet toilet lolcat neofetch

ENV LC_ALL=ja_JP.UTF-8 LANG=ja_JP.UTF-8 LANGUAGE=ja_JP.UTF-8 TZ=Asia/Tokyo
RUN localedef --force -i ja_JP -f UTF-8 ja_JP.UTF-8 \
&& ln -snf /usr/share/zoneinfo/$TZ /etc/localtime \
&& echo $TZ > /etc/timezone

RUN git clone --depth 1 https://github.com/xero/figlet-fonts.git
ADD ./message /message
CMD cat /message | figlet -f "Bloody" -d "/figlet-fonts" -w 120 | lolcat \
&& neofetch | lolcat \
&& date | lolcat

$ podman build --tag haruo_podman:0.01 .

STEP 1/7: FROM docker.io/amd64/fedora:39
STEP 2/7: RUN dnf update -y && dnf install -y git glibc-locale-source glibc-langpack-ja figlet lolcat neofetch && dnf clean all && rm -rf /var/cache/dnf
--> Using cache 0582e7482917057ba25529c76700b16e6b4033eae28cc14598dfc5c8aa546ccb
--> 0582e7482917
STEP 3/7: ENV LC_ALL=ja_JP.UTF-8 LANG=ja_JP.UTF-8 LANGUAGE=ja_JP.UTF-8 TZ=Asia/Tokyo
--> Using cache ac397cb9000b5d7e3f28f459c43369a115b7ed115a948910dfa67f0ea152b564
--> ac397cb9000b
STEP 4/7: RUN localedef --force -i ja_JP -f UTF-8 ja_JP.UTF-8 && ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
--> Using cache e56852a784d2252ebf800607416783d39afa7deb70bb34e76b0c831a9e91855e
--> e56852a784d2
STEP 5/7: RUN git clone --depth 1 https://github.com/xero/figlet-fonts.git
--> Using cache c026b16eff7a1306d36ec14dd04b2c1541adc7a90b150162408a59f165325cd7
--> c026b16eff7a
STEP 6/7: ADD ./message /message
--> d449a8b2e3ab
STEP 7/7: CMD cat /message | figlet -f "Bloody" -d "/figlet-fonts" -w 120 | lolcat && neofetch | lolcat && date | lolcat
COMMIT haruo_podman:0.01
--> e3c0de9873d2
Successfully tagged localhost/haruo_podman:0.01
e3c0de9873d25922f5529ecfcbdd10c024d95ea099a520b03aaf8c98f6c953a8

$ podman run --rm -ti haruo_podman:0.01

(figlet "Bloody" banner rendered from /message, followed by the neofetch output; the banner does not survive extraction)

root@504affc53525
-----------------
OS: Fedora Linux 39 (Container Image) x86_64
Host: W25AEZ
Kernel: 6.7.4-200.fc39.x86_64
Uptime: 5 days, 9 hours, 36 mins
Packages: 388 (rpm)
Shell: bash 5.2.26
Resolution: 1366x768
CPU: Intel i3-3120M (4) @ 2.500GHz
GPU: Intel 3rd Gen Core processor Graphics Controller
Memory: 7120MiB / 15881MiB

2024年 2月 20日 火曜日 23:35:54 JST

Official: podman-compose — Podman documentation
   podman-system-service — Podman documentation

$ podman compose version

>>>> Executing external compose provider "/usr/libexec/docker/cli-plugins/docker-compose". Please refer to the documentation for details. <<<<

Docker Compose version v2.24.7

$ rpm -ql docker-compose-plugin

/usr/libexec/docker/cli-plugins/docker-compose
/usr/share/doc/docker-compose-plugin
/usr/share/doc/docker-compose-plugin/LICENSE
/usr/share/doc/docker-compose-plugin/MAINTAINERS
/usr/share/doc/docker-compose-plugin/NOTICE
/usr/share/doc/docker-compose-plugin/README.md
/usr/share/licenses/docker-compose-plugin
/usr/share/licenses/docker-compose-plugin/LICENSE
/usr/share/licenses/docker-compose-plugin/NOTICE

$ systemctl --user start podman.socket
$ export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/podman/podman.sock

$ git clone --depth 1 https://github.com/litespeedtech/ols-docker-env.git && cd ols-docker-env

Cloning into 'ols-docker-env'...
remote: Enumerating objects: 39, done.
remote: Counting objects: 100% (39/39), done.
remote: Compressing objects: 100% (28/28), done.
remote: Total 39 (delta 3), reused 24 (delta 2), pack-reused 0
Receiving objects: 100% (39/39), 25.07 KiB | 6.27 MiB/s, done.
Resolving deltas: 100% (3/3), done.

$ cat .env

TimeZone=America/New_York
OLS_VERSION=1.7.19
PHP_VERSION=lsphp81
MYSQL_DATABASE=wordpress
MYSQL_ROOT_PASSWORD=password
MYSQL_USER=wordpress
MYSQL_PASSWORD=password
DOMAIN=localhost

$ TimeZone=Asia/Tokyo podman compose up

>>>> Executing external compose provider "/usr/libexec/docker/cli-plugins/docker-compose". Please refer to the documentation for details. <<<<

[+] Running 4/0
  Container ols-docker-env-phpmyadmin-1  Created                                                        0.0s 
  Container ols-docker-env-mysql-1       Created                                                        0.0s 
  Container ols-docker-env-redis-1       Created                                                        0.0s 
  Container litespeed                    Created                                                        0.0s 
Attaching to litespeed, mysql-1, phpmyadmin-1, redis-1
mysql-1       | 2024-03-12 05:45:20+00:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 1:10.5.9+maria~focal started.
phpmyadmin-1  | phpmyadmin 05:45:20.32 
phpmyadmin-1  | phpmyadmin 05:45:20.33 Welcome to the Bitnami phpmyadmin container
phpmyadmin-1  | phpmyadmin 05:45:20.33 Subscribe to project updates by watching https://github.com/bitnami/containers
phpmyadmin-1  | phpmyadmin 05:45:20.34 Submit issues and feature requests at https://github.com/bitnami/containers/issues
redis-1       | 1:C 12 Mar 2024 05:45:20.343 # WARNING Memory overcommit must be enabled! Without it, a background save or replication may fail under low memory condition. Being disabled, it can also cause failures without low memory condition, see https://github.com/jemalloc/jemalloc/issues/1328. To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect.
redis-1       | 1:C 12 Mar 2024 05:45:20.343 * oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo
redis-1       | 1:C 12 Mar 2024 05:45:20.343 * Redis version=7.2.4, bits=64, commit=00000000, modified=0, pid=1, just started
redis-1       | 1:C 12 Mar 2024 05:45:20.343 # Warning: no config file specified, using the default config. In order to specify a config file use redis-server /path/to/redis.conf
redis-1       | 1:M 12 Mar 2024 05:45:20.344 * monotonic clock: POSIX clock_gettime
redis-1       | 1:M 12 Mar 2024 05:45:20.345 * Running mode=standalone, port=6379.
redis-1       | 1:M 12 Mar 2024 05:45:20.346 * Server initialized
redis-1       | 1:M 12 Mar 2024 05:45:20.346 * Loading RDB produced by version 7.2.4
redis-1       | 1:M 12 Mar 2024 05:45:20.346 * RDB age 196 seconds
redis-1       | 1:M 12 Mar 2024 05:45:20.346 * RDB memory usage when created 0.83 Mb
redis-1       | 1:M 12 Mar 2024 05:45:20.346 * Done loading RDB, keys loaded: 0, keys expired: 0.
phpmyadmin-1  | phpmyadmin 05:45:20.34 
redis-1       | 1:M 12 Mar 2024 05:45:20.346 * DB loaded from disk: 0.000 seconds
redis-1       | 1:M 12 Mar 2024 05:45:20.346 * Ready to accept connections tcp
phpmyadmin-1  | phpmyadmin 05:45:20.35 INFO  ==> ** Starting phpMyAdmin setup **
litespeed     | [OK] litespeed: pid=28.
phpmyadmin-1  | realpath: /bitnami/apache/conf: No such file or directory
phpmyadmin-1  | phpmyadmin 05:45:20.40 INFO  ==> Configuring Apache ServerTokens directive
phpmyadmin-1  | phpmyadmin 05:45:20.43 INFO  ==> Configuring PHP options
phpmyadmin-1  | phpmyadmin 05:45:20.43 INFO  ==> Setting PHP expose_php option
phpmyadmin-1  | phpmyadmin 05:45:20.48 INFO  ==> Configuring phpMyAdmin
phpmyadmin-1  | phpmyadmin 05:45:20.49 INFO  ==> Setting database host option
phpmyadmin-1  | phpmyadmin 05:45:20.50 INFO  ==> Setting blowfish_secret option to a randomly generated value
phpmyadmin-1  | phpmyadmin 05:45:20.52 INFO  ==> Enabling web server application configuration for phpMyAdmin
mysql-1       | 2024-03-12 05:45:20+00:00 [Note] [Entrypoint]: Switching to dedicated user 'mysql'
mysql-1       | 2024-03-12 05:45:20+00:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 1:10.5.9+maria~focal started.
phpmyadmin-1  | phpmyadmin 05:45:20.69 INFO  ==> ** phpMyAdmin setup finished! **
phpmyadmin-1  | 
phpmyadmin-1  | phpmyadmin 05:45:20.71 INFO  ==> ** Starting Apache **
mysql-1       | 2024-03-12  5:45:20 0 [Note] mysqld (mysqld 10.5.9-MariaDB-1:10.5.9+maria~focal) starting as process 1 ...
phpmyadmin-1  | [Tue Mar 12 05:45:20.807617 2024] [ssl:warn] [pid 1] AH01909: www.example.com:8443:0 server certificate does NOT include an ID which matches the server name
phpmyadmin-1  | [Tue Mar 12 05:45:20.808342 2024] [ssl:warn] [pid 1] AH01909: www.example.com:443:0 server certificate does NOT include an ID which matches the server name
mysql-1       | 2024-03-12  5:45:20 0 [Note] InnoDB: Uses event mutexes
mysql-1       | 2024-03-12  5:45:20 0 [Note] InnoDB: Compressed tables use zlib 1.2.11
mysql-1       | 2024-03-12  5:45:20 0 [Note] InnoDB: Number of pools: 1
mysql-1       | 2024-03-12  5:45:20 0 [Note] InnoDB: Using crc32 + pclmulqdq instructions
mysql-1       | 2024-03-12  5:45:20 0 [Note] mysqld: O_TMPFILE is not supported on /tmp (disabling future attempts)
phpmyadmin-1  | [Tue Mar 12 05:45:20.852876 2024] [ssl:warn] [pid 1] AH01909: www.example.com:8443:0 server certificate does NOT include an ID which matches the server name
phpmyadmin-1  | [Tue Mar 12 05:45:20.853477 2024] [ssl:warn] [pid 1] AH01909: www.example.com:443:0 server certificate does NOT include an ID which matches the server name
mysql-1       | 2024-03-12  5:45:20 0 [Note] InnoDB: Using Linux native AIO
mysql-1       | 2024-03-12  5:45:20 0 [Note] InnoDB: Initializing buffer pool, total size = 134217728, chunk size = 134217728
mysql-1       | 2024-03-12  5:45:20 0 [Note] InnoDB: Completed initialization of buffer pool
mysql-1       | 2024-03-12  5:45:20 0 [Note] InnoDB: If the mysqld execution user is authorized, page cleaner thread priority can be changed. See the man page of setpriority().
phpmyadmin-1  | [Tue Mar 12 05:45:20.874941 2024] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.54 (Unix) OpenSSL/1.1.1n configured -- resuming normal operations
phpmyadmin-1  | [Tue Mar 12 05:45:20.874979 2024] [core:notice] [pid 1] AH00094: Command line: '/opt/bitnami/apache/bin/httpd -f /opt/bitnami/apache/conf/httpd.conf -D FOREGROUND'
mysql-1       | 2024-03-12  5:45:20 0 [Note] InnoDB: 128 rollback segments are active.
mysql-1       | 2024-03-12  5:45:20 0 [Note] InnoDB: Creating shared tablespace for temporary tables
mysql-1       | 2024-03-12  5:45:20 0 [Note] InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...
mysql-1       | 2024-03-12  5:45:20 0 [Note] InnoDB: File './ibtmp1' size is now 12 MB.
mysql-1       | 2024-03-12  5:45:20 0 [Note] InnoDB: 10.5.9 started; log sequence number 45154; transaction id 20
mysql-1       | 2024-03-12  5:45:20 0 [Note] Plugin 'FEEDBACK' is disabled.
mysql-1       | 2024-03-12  5:45:20 0 [Note] InnoDB: Loading buffer pool(s) from /var/lib/mysql/ib_buffer_pool
mysql-1       | 2024-03-12  5:45:20 0 [Note] InnoDB: Buffer pool(s) load completed at 240312  5:45:20
mysql-1       | 2024-03-12  5:45:20 0 [Note] Server socket created on IP: '::'.
mysql-1       | 2024-03-12  5:45:20 0 [Warning] 'proxies_priv' entry '@% root@194f3618de4f' ignored in --skip-name-resolve mode.
mysql-1       | 2024-03-12  5:45:20 0 [Note] Reading of all Master_info entries succeeded
mysql-1       | 2024-03-12  5:45:20 0 [Note] Added new Master_info '' to hash table
mysql-1       | 2024-03-12  5:45:20 0 [Note] mysqld: ready for connections.
mysql-1       | Version: '10.5.9-MariaDB-1:10.5.9+maria~focal'  socket: '/run/mysqld/mysqld.sock'  port: 3306  mariadb.org binary distribution
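The .env above ships MYSQL_ROOT_PASSWORD=password and MYSQL_PASSWORD=password, and podman compose hands those straight to the containers. As an added example (not code from this page or from the ols-docker-env project), the POSIX sh script below audits a constructed copy of that .env for placeholder secrets and resolves the value compose will actually use, where an exported shell variable (as with TimeZone=Asia/Tokyo in the run above) overrides the .env entry; the file path, key patterns and length threshold are assumptions.

```shell
#!/bin/sh
# Added example, not from the page or the ols-docker-env project.
# Audits a compose .env for placeholder secrets before `podman compose up`
# and resolves the value compose will use (exported shell environment
# overrides the .env file). Paths, patterns and thresholds are assumptions.

# Constructed sample, modelled on the ols-docker-env .env shown above.
SAMPLE_ENV_FILE="${TMPDIR:-/tmp}/podman_env_audit_sample.env"
cat > "$SAMPLE_ENV_FILE" <<'EOF'
# constructed sample .env
TimeZone=America/New_York
MYSQL_DATABASE=wordpress
MYSQL_ROOT_PASSWORD=password
MYSQL_USER=wordpress
MYSQL_PASSWORD="password"
DOMAIN=localhost
EOF

# strip_quotes VALUE -> VALUE without one layer of surrounding " or '
strip_quotes() {
  v=$1
  case "$v" in
    \"*\") v=${v#\"}; v=${v%\"} ;;
    \'*\') v=${v#\'}; v=${v%\'} ;;
  esac
  printf '%s' "$v"
}

# is_weak_secret VALUE -> 0 (true) if empty, a known placeholder, or < 12 chars
is_weak_secret() {
  value=$1
  [ -z "$value" ] && return 0
  case "$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]')" in
    password|passw0rd|secret|changeme|root|admin|123456|wordpress) return 0 ;;
  esac
  [ "${#value}" -lt 12 ] && return 0
  return 1
}

# audit_env_file FILE -> prints each *PASSWORD*/*SECRET*/*TOKEN* key whose
# value is weak, one per line; returns 1 if any were found, else 0.
# Skips blank lines and comments; tolerates quoted values.
audit_env_file() {
  file=$1
  found=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    key=${line%%=*}
    value=$(strip_quotes "${line#*=}")
    case "$key" in
      *PASSWORD*|*SECRET*|*TOKEN*)
        if is_weak_secret "$value"; then
          printf '%s\n' "$key"
          found=1
        fi ;;
    esac
  done < "$file"
  return $found
}

# effective_value FILE KEY -> the value compose will use for KEY: an exported
# shell variable wins over the .env entry, so a weak .env secret can be
# replaced at run time without editing the checked-in file.
effective_value() {
  file=$1; key=$2
  if env_val=$(printenv "$key"); then
    printf '%s' "$env_val"
    return 0
  fi
  file_val=$(grep "^${key}=" "$file" | tail -n 1 | cut -d= -f2-)
  strip_quotes "$file_val"
}

# Stand-alone run: exit non-zero so a wrapper refuses to start the stack
# until the flagged keys are overridden with strong, exported values.
if [ "${1:-}" = "--run" ]; then
  if audit_env_file "$SAMPLE_ENV_FILE"; then
    echo "no placeholder secrets found"
  else
    echo "placeholder secrets found; export strong values before podman compose up" >&2
    exit 1
  fi
fi
```

Run it with `sh audit.sh --run`; the flagged keys are printed one per line and the script exits 1 until the values are overridden.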

Container registries

$ podman info -f {{.Registries}}

map[search:[registry.fedoraproject.org registry.access.redhat.com docker.io quay.io]]

AlmaLinux OS Docker Images | AlmaLinux Wiki

From Getting started with Buildah | Opensource.com (translation):

Buildah is a lightweight and flexible way to create container images without running a full Docker daemon on your host.
In addition to offering out-of-the-box support for building from Dockerfiles, Buildah is easy to use with scripts or build tools of your choice and can help build container images using existing tools on the build host.
The result is leaner images that use less bandwidth to ship around, require less storage space, and have a smaller surface area for potential attackers.

Installing Buildah and Skopeo 🤔

$ sudo dnf install -y buildah skopeo

Fedora 39 - x86_64 - Updates                                                  4.4 kB/s | 6.1 kB     00:01    
Fedora 39 - x86_64 - Updates                                                  366 kB/s | 3.6 MB     00:10    
メタデータの期限切れの最終確認: 0:00:20 前の 2024年02月22日 08時22分18秒 に実施しました。
パッケージ skopeo-1:1.14.0-1.fc39.x86_64 は既にインストールされています。
依存関係が解決しました。
==============================================================================================================
 パッケージ              アーキテクチャー       バージョン                      リポジトリー            サイズ
==============================================================================================================
インストール:
 buildah                 x86_64                 1.34.0-1.fc39                   updates                 9.3 M

トランザクションの概要
==============================================================================================================
インストール  1 パッケージ

ダウンロードサイズの合計: 9.3 M
インストール後のサイズ: 30 M
パッケージのダウンロード:
buildah-1.34.0-1.fc39.x86_64.rpm                                              1.3 MB/s | 9.3 MB     00:07    
--------------------------------------------------------------------------------------------------------------
合計                                                                          1.2 MB/s | 9.3 MB     00:07     
トランザクションの確認を実行中
トランザクションの確認に成功しました。
トランザクションのテストを実行中
トランザクションのテストに成功しました。
トランザクションを実行中
  準備             :                                                                                      1/1 
  インストール中   : buildah-1.34.0-1.fc39.x86_64                                                         1/1 
  scriptletの実行中: buildah-1.34.0-1.fc39.x86_64                                                         1/1 
  検証             : buildah-1.34.0-1.fc39.x86_64                                                         1/1 

インストール済み:
  buildah-1.34.0-1.fc39.x86_64                                                                                

完了しました!

Checking that they work 🤔

$ buildah -v

buildah version 1.34.0 (image-spec 1.1.0-rc.5, runtime-spec 1.1.0)

$ skopeo -v

skopeo version 1.14.0

+ Help [-h,--help]

$ systemd-nspawn --help

systemd-nspawn [OPTIONS...] [PATH] [ARGUMENTS...]

Spawn a command or OS in a light-weight container.

  -h --help                 Show this help
     --version              Print version string
  -q --quiet                Do not show status information
     --no-pager             Do not pipe output into a pager
     --settings=BOOLEAN     Load additional settings from .nspawn file

Image:
  -D --directory=PATH       Root directory for the container
     --template=PATH        Initialize root directory from template directory,
                            if missing
  -x --ephemeral            Run container with snapshot of root directory, and
                            remove it after exit
  -i --image=PATH           Root file system disk image (or device node) for
                            the container
     --image-policy=POLICY  Specify disk image dissection policy
     --oci-bundle=PATH      OCI bundle directory
     --read-only            Mount the root directory read-only
     --volatile[=MODE]      Run the system in volatile mode
     --root-hash=HASH       Specify verity root hash for root disk image
     --root-hash-sig=SIG    Specify pkcs7 signature of root hash for verity
                            as a DER encoded PKCS7, either as a path to a file
                            or as an ASCII base64 encoded string prefixed by
                            'base64:'
     --verity-data=PATH     Specify hash device for verity
     --pivot-root=PATH[:PATH]
                            Pivot root to given directory in the container

Execution:
  -a --as-pid2              Maintain a stub init as PID1, invoke binary as PID2
  -b --boot                 Boot up full system (i.e. invoke init)
     --chdir=PATH           Set working directory in the container
  -E --setenv=NAME[=VALUE]  Pass an environment variable to PID 1
  -u --user=USER            Run the command under specified user or UID
     --kill-signal=SIGNAL   Select signal to use for shutting down PID 1
     --notify-ready=BOOLEAN Receive notifications from the child init process
     --suppress-sync=BOOLEAN
                            Suppress any form of disk data synchronization

System Identity:
  -M --machine=NAME         Set the machine name for the container
     --hostname=NAME        Override the hostname for the container
     --uuid=UUID            Set a specific machine UUID for the container

Properties:
  -S --slice=SLICE          Place the container in the specified slice
     --property=NAME=VALUE  Set scope unit property
     --register=BOOLEAN     Register container as machine
     --keep-unit            Do not register a scope for the machine, reuse
                            the service unit nspawn is running in

User Namespacing:
     --private-users=no     Run without user namespacing
     --private-users=yes|pick|identity
                            Run within user namespace, autoselect UID/GID range
     --private-users=UIDBASE[:NUIDS]
                            Similar, but with user configured UID/GID range
     --private-users-ownership=MODE
                            Adjust ('chown') or map ('map') OS tree ownership
                            to private UID/GID range
  -U                        Equivalent to --private-users=pick and
                            --private-users-ownership=auto

Networking:
     --private-network      Disable network in container
     --network-interface=HOSTIF[:CONTAINERIF]
                            Assign an existing network interface to the
                            container
     --network-macvlan=HOSTIF[:CONTAINERIF]
                            Create a macvlan network interface based on an
                            existing network interface to the container
     --network-ipvlan=HOSTIF[:CONTAINERIF]
                            Create an ipvlan network interface based on an
                            existing network interface to the container
  -n --network-veth         Add a virtual Ethernet connection between host
                            and container
     --network-veth-extra=HOSTIF[:CONTAINERIF]
                            Add an additional virtual Ethernet link between
                            host and container
     --network-bridge=INTERFACE
                            Add a virtual Ethernet connection to the container
                            and attach it to an existing bridge on the host
     --network-zone=NAME    Similar, but attach the new interface to an
                            an automatically managed bridge interface
     --network-namespace-path=PATH
                            Set network namespace to the one represented by
                            the specified kernel namespace file node
  -p --port=[PROTOCOL:]HOSTPORT[:CONTAINERPORT]
                            Expose a container IP port on the host

Security:
     --capability=CAP       In addition to the default, retain specified
                            capability
     --drop-capability=CAP  Drop the specified capability from the default set
     --ambient-capability=CAP
                            Sets the specified capability for the started
                            process. Not useful if booting a machine.
     --no-new-privileges    Set PR_SET_NO_NEW_PRIVS flag for container payload
     --system-call-filter=LIST|~LIST
                            Permit/prohibit specific system calls
  -Z --selinux-context=SECLABEL
                            Set the SELinux security context to be used by
                            processes in the container
  -L --selinux-apifs-context=SECLABEL
                            Set the SELinux security context to be used by
                            API/tmpfs file systems in the container

Resources:
What is Podman - redhat.com
Building, running, and managing containers Red Hat Enterprise Linux 9 | Red Hat Customer Portal
Using Podman with Alfresco - Alfresco Hub
An introduction to Podman and Buildah for Docker users - 赤帽エンジニアブログ (Red Hat engineer blog)
The container landscape you should know now that Docker's dominance is ending
Podman in Action - Secure, rootless containers for Kubernetes, microservices, and more Daniel Walsh
Podman in Action (Japanese edition) | Daniel Walsh, 磯田雄輝, 井上貴博, 岡田裕輝, 織学, 田中司恩, 德留幸子, 長嶺精彦, 西村拓也, 野間亮志, 燃脇綾子, 八木澤健人 | Books | Amazon
How to build tiny container images | Enable Sysadmin (translation)
Getting started with Buildah | Opensource.com (translation)
Creating small containers with Buildah | Opensource.com (translation)
How rootless Buildah works: Building containers in unprivileged environments | Opensource.com (translation)

16.3. Saving disk space with glibc-langpack- Red Hat Enterprise Linux 8 | Red Hat Customer Portal
Universal Base Images (UBI): Images, repositories, packages, and source code - Red Hat Customer Portal
2039261 – dnf --installroot ignores gpg keys in installroot path and requires them to be present in the default path

unix - Start a systemd service inside chroot from a non systemd based rootfs - Super User (translation)
systemd-nspawn - ArchWiki

rootless: allow binding privileged ports with CAP_NET_BIND_SERVICE file cap · Issue #3212 · containers/podman (translation)
Is there a way for non-root processes to bind to "privileged" ports on Linux? - Stack Overflow

  • Last modified: 2024/03/13 08:12
  • by ともやん