- 1. 什么是podman
- 2. 安装
- 3. 配置
- 3.1 podman包附带文件
- 3.2 /etc/cni
- 3.3 registries.conf
- 3.4 mounts.conf
- 3.5 seccomp.json
- 3.6 policy.json
- 4 镜像管理
- 4.1 镜像搜索
- 4.2 镜像拉取
- 4.3 镜像列出
- 4.4 镜像检查
- 4.5 镜像删除
- 5. 容器管理
- 5.1 容器运行
- 5.2 容器查看
- 5.3 容器停止
- 5.4 容器启动
- 5.5 容器删除
- 5.6 容器checkpoint/restore
- 5.7 容器健康检查
- 5.8 容器用systemd管理
- 6. k8s管理
- 6.1 pod管理
- 6.2 yaml管理
- podman【2】 命令手册
- podman【3】高级管理
1. 什么是podman
Podman是一个无守护进程的开源 Linux 原生工具,旨在使用开放容器倡议 ( OCI )容器和容器映像轻松查找、运行、构建、共享和部署应用程序。Podman 提供了任何使用过 Docker容器引擎的人都熟悉的命令行界面 (CLI) 。大多数用户可以简单地将 Docker 别名为 Podman(别名 docker=podman),没有任何问题,不同的是 Podman 没有 daemon。以前使用 Docker CLI 的时候,Docker CLI 会通过 gRPC API 去跟 Docker Engine 说「我要启动一个容器」,然后 Docker Engine 才会通过 OCI Container runtime(默认是 runc)来启动一个容器。这就意味着容器的进程不可能是 Docker CLI 的子进程,而是 Docker Engine 的子进程。与其他常见的容器引擎(Docker、CRI-O、containerd)类似,Podman 依赖于符合 OCI 的容器运行时(runc、crun、runv 等)与操作系统交互并创建正在运行的容器。这使得 Podman 创建的运行容器与任何其他常见容器引擎创建的容器几乎没有区别。
Podman 比较简单粗暴,它不使用 Daemon,而是直接通过 OCI runtime(默认也是 runc)来启动容器,所以容器的进程是 podman 的子进程。这比较像 Linux 的 fork/exec 模型,而 Docker 采用的是 C/S(客户端/服务器)模型。与 C/S 模型相比,fork/exec 模型有很多优势,比如:
- 系统管理员可以知道某个容器进程到底是谁启动的。
- 如果利用 cgroup 对 podman 做一些限制,那么所有创建的容器都会被限制。
- SD_NOTIFY : 如果将 podman 命令放入 systemd 单元文件中,容器进程可以通过 podman返回通知,表明服务已准备好接收任务。
- socket 激活 : 可以将连接的 socket 从 systemd 传递到 podman,并传递到容器进程以便使用它们。
Podman 控制下的容器可以由 root 或非特权用户运行。Podman 使用libpod库管理整个容器生态系统,包括 pod、容器、容器镜像和容器卷。
有一个 RESTFul API 来管理容器。我们还有一个可以与 RESTFul 服务交互的远程 Podman 客户端。我们目前支持 Linux、Mac 和 Windows 上的客户端。RESTFul 服务仅在 Linux 上受支持。
如果您完全不熟悉容器,我们建议您查看简介。对于高级用户或来自 Docker 的用户,请查看我们的教程。对于高级用户和贡献者,您可以通过查看我们的命令页面来获取有关 Podman CLI 的非常详细的信息。最后,对于寻求如何与 Podman API 交互的开发人员,请参阅我们的 API 文档参考。
2. 安装- 官方安装
我的机器环境CentOS Linux 7
yum -y install podman3. 配置 3.1 podman包附带文件
$ rpm -ql podman |grep -v '/usr/share/man/' # 去除 man 手册中内容 /etc/cni/net.d/87-podman-bridge.conflist /usr/bin/podman /usr/lib/.build-id /usr/lib/.build-id/37 /usr/lib/.build-id/37/e7f04d352e5dbde603e9701baedb0b1be6bc37 /usr/lib/.build-id/9a /usr/lib/.build-id/9a/2b43332ca5756f9e2a086bae9b953009ef5a37 /usr/lib/systemd/system/io.podman.service /usr/lib/systemd/system/io.podman.socket /usr/lib/tmpfiles.d/podman.conf /usr/libexec/podman/conmon /usr/share/bash-completion/completions/podman /usr/share/containers/libpod.conf /usr/share/licenses/podman /usr/share/licenses/podman/LICENSE3.2 /etc/cni
可以看到只有一个配置文件是在 /etc/cni 路径下的,与 Bridge 的配置有关:
$ cat /etc/cni/net.d/87-podman-bridge.conflist
{
"cniVersion": "0.4.0",
"name": "podman",
"plugins": [
{
"type": "bridge",
"bridge": "cni-podman0",
"isGateway": true,
"ipMasq": true,
"ipam": {
"type": "host-local",
"routes": [
{
"dst": "0.0.0.0/0"
}
],
"ranges": [
[
{
"subnet": "10.88.0.0/16",
"gateway": "10.88.0.1"
}
]
]
}
},
{
"type": "portmap",
"capabilities": {
"portMappings": true
}
},
{
"type": "firewall"
}
]
}
3.3 registries.conf
/etc/containers/registries.conf 用于保存 registries 相关配置:
$ cat /etc/containers/registries.conf |grep -v '#' |grep -v ^$ [registries.search] registries = ['registry.access.redhat.com', 'registry.redhat.io', 'docker.io'] [registries.insecure] registries = [] [registries.block] registries = []3.4 mounts.conf
/usr/share/containers/mounts.conf 在执行 podman run 或者 podman build 命令时自动挂载的路径,该路径只会在容器运行时挂载,不会提交到容器镜像中。
$ cat /usr/share/containers/mounts.conf /usr/share/rhel/secrets:/run/secrets3.5 seccomp.json
/usr/share/containers/seccomp.json 是容器内允许的 seccomp 规则白名单。 seccomp(secure computing)是一种安全保护机制,一般情况下,程序可以使用所有的 syscall,但是为了避免安全问题发生,通常会指定相应的规则来保证。
$ cat /usr/share/containers/seccomp.json
{
"defaultAction": "SCMP_ACT_ERRNO",
"archMap": [
{
"architecture": "SCMP_ARCH_X86_64",
"subArchitectures": [
"SCMP_ARCH_X86",
"SCMP_ARCH_X32"
]
},
{
"architecture": "SCMP_ARCH_AARCH64",
"subArchitectures": [
"SCMP_ARCH_ARM"
]
},
{
"architecture": "SCMP_ARCH_MIPS64",
"subArchitectures": [
"SCMP_ARCH_MIPS",
"SCMP_ARCH_MIPS64N32"
]
},
·······················
3.6 policy.json
/etc/containers/policy.json 证书安全相关配置:
$ cat /etc/containers/policy.json
{
"default": [
{
"type": "insecureAcceptAnything"
}
],
"transports":
{
"docker-daemon":
{
"": [{"type":"insecureAcceptAnything"}]
}
}
}
4 镜像管理
4.1 镜像搜索
$ podman search busybox INDEX NAME DEscriptION STARS OFFICIAL AUTOMATED docker.io docker.io/library/busybox Busybox base image. 2410 [OK] docker.io docker.io/radial/busyboxplus Full-chain, Internet enabled, busybox made f... 43 [OK] docker.io docker.io/yauritux/busybox-curl Busybox with CURL 16 docker.io docker.io/arm64v8/busybox Busybox base image. 3 docker.io docker.io/vukomir/busybox busybox and curl 1 docker.io docker.io/odise/busybox-curl 4 [OK] docker.io docker.io/amd64/busybox Busybox base image. 0 docker.io docker.io/prom/busybox Prometheus Busybox Docker base images 2 [OK] docker.io docker.io/ppc64le/busybox Busybox base image. 1 docker.io docker.io/s390x/busybox Busybox base image. 2 docker.io docker.io/arm32v7/busybox Busybox base image. 10 docker.io docker.io/i386/busybox Busybox base image. 2 docker.io docker.io/joeshaw/busybox-nonroot Busybox container with non-root user nobody 2 docker.io docker.io/p7ppc64/busybox Busybox base image for ppc64. 2 docker.io docker.io/arm32v5/busybox Busybox base image. 0 docker.io docker.io/arm32v6/busybox Busybox base image. 3 docker.io docker.io/armhf/busybox Busybox base image. 6 docker.io docker.io/mips64le/busybox Busybox base image. 1 docker.io docker.io/spotify/busybox Spotify fork of https://hub.docker.com/_/bus... 1 docker.io docker.io/aarch64/busybox Busybox base image. 3 docker.io docker.io/progrium/busybox 70 [OK] docker.io docker.io/concourse/busyboxplus 0 docker.io docker.io/lqshow/busybox-curl Busybox image adds a curl binary to /usr/bin 1 [OK] docker.io docker.io/emccorp/busybox Busybox 0 docker.io docker.io/ggtools/busybox-ubuntu Busybox ubuntu version with extra goodies 0 [OK]4.2 镜像拉取
$ podman image pull nginx Getting image source signatures Copying blob eff15d958d66 done Copying blob 9171c7ae368c done Copying blob 1e5351450a59 [======================================] 24.2MiB / 24.2MiB Copying blob 020f975acd28 done Copying blob 266f639b35ad done Copying blob 2df63e6ce2be done Copying config ea335eea17 done Writing manifest to image destination Storing signatures ea335eea17ab984571cd4a3bcf90a0413773b559c75ef4cda07d0ce952b002914.3 镜像列出
$ podman images REPOSITORY TAG IMAGE ID CREATED SIZE docker.io/library/nginx latest ea335eea17ab 12 days ago 146 MB4.4 镜像检查
$ podman image inspect docker.io/library/nginx
[
{
"Id": "ea335eea17ab984571cd4a3bcf90a0413773b559c75ef4cda07d0ce952b00291",
"Digest": "sha256:097c3a0913d7e3a5b01b6c685a60c03632fc7a2b50bc8e35bcaa3691d788226e",
"RepoTags": [
"docker.io/library/nginx:latest"
],
"RepoDigests": [
"docker.io/library/nginx@sha256:097c3a0913d7e3a5b01b6c685a60c03632fc7a2b50bc8e35bcaa3691d788226e",
"docker.io/library/nginx@sha256:2f14a471f2c2819a3faf88b72f56a0372ff5af4cb42ec45aab00c03ca5c9989f"
],
"Parent": "",
"Comment": "",
"Created": "2021-11-17T10:38:14.652464384Z",
"Config": {
"ExposedPorts": {
"80/tcp": {}
},
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"NGINX_VERSION=1.21.4",
"NJS_VERSION=0.7.0",
"PKG_RELEASE=1~bullseye"
],
............................
4.5 镜像删除
$ podman image rm docker.io/library/nginx f949e7d76d63befffc8eec2cbf8a6f509780f96fb3bacbdc24068d594a77f0435. 容器管理 5.1 容器运行
#直接进入好容器 $ podman run -it docker.io/library/busybox #容器在后台运行 $ podman run -itd docker.io/library/busybox --name busybox sh 8d4cf68f9873b19bf8d7ac3a7be4447a9519d931ddfc4162de5ab576c66696af5.2 容器查看
#查看运行的容器 $ podman ps ConTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 4b05d6c539b3 docker.io/library/busybox:latest sh 17 seconds ago Up 16 seconds ago upbeat_lederberg #查看状态为running的容器 $ podman ps -a -f status=running ConTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 4b05d6c539b3 docker.io/library/busybox:latest sh 5 minutes ago Up 3 seconds ago upbeat_lederberg #查看全部容器 $ podman ps -a ConTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 4b05d6c539b3 docker.io/library/busybox:latest sh 2 seconds ago Up 1 second ago upbeat_lederberg 35b58e980d08 docker.io/library/busybox:latest sh 2 minutes ago Exited (0) 46 seconds ago amazing_colden #只看全部容器的ID $ podman ps -aq 4b05d6c539b3 35b58e980d085.3 容器停止
$ podman stop upbeat_lederberg 4b05d6c539b387139cb8488a3b988244f4e317cd616e46d9af87c89b79c4edfa5.4 容器启动
$ podman start upbeat_lederberg upbeat_lederberg5.5 容器删除
#先停止容器再删除 $ podman rm upbeat_lederberg Error: cannot remove container 4b05d6c539b387139cb8488a3b988244f4e317cd616e46d9af87c89b79c4edfa as it is running - running or paused containers cannot be removed without force: container state improper $ podman stop upbeat_lederberg 4b05d6c539b387139cb8488a3b988244f4e317cd616e46d9af87c89b79c4edfa $ podman rm upbeat_lederberg 4b05d6c539b387139cb8488a3b988244f4e317cd616e46d9af87c89b79c4edfa #强制删除正在运行的容器 $ podman ps ConTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES c7fee70ab080 docker.io/library/busybox:latest sh 2 minutes ago Up 2 minutes ago awesome_morse 78717b0f9b0c docker.io/library/busybox:latest sh 2 minutes ago Up 2 minutes ago strange_fermat $ podman rm -f awesome_morse c7fee70ab0805e31b7834f1fd5748e8995a4fc499009ab95e6bf11ae4954b1bd5.6 容器checkpoint/restore
检查点目前仅适用于根容器。因此,您必须以 root 身份运行示例容器。除了为每个命令添加前缀之外 sudo,您还可以通过 预先切换到 root 用户sudo -i。
$ podman run -dt -p 8080:80/tcp docker.io/library/httpd Trying to pull docker.io/library/httpd... Getting image source signatures Copying blob eff15d958d66 skipped: already exists Copying blob 0d58b11d2867 [======================================] 23.0MiB / 23.0MiB Copying blob ab86dc02235d done Copying blob e88da7cb925c done Copying blob ba1caf8ba86c done Copying config ad17c88403 done Writing manifest to image destination Storing signatures 51eb5d6f607c97392426b717326e6fdfc5e066ecd617ac273a34d320e3e9afca $ podman ps ConTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 51eb5d6f607c docker.io/library/httpd:latest httpd-foreground 13 seconds ago Up 13 seconds ago 0.0.0.0:8080->80/tcp suspicious_jones
检查点容器会停止容器,同时将容器中所有进程的状态写入磁盘。有了这个,容器可以在以后恢复并在与检查点完全相同的时间点继续运行。此功能需要在系统上安装CRIU 3.11或更高版本。
centos安装criu
$ sudo yum install protobuf protobuf-c gcc protobuf-c-devel protobuf-compiler protobuf-devel protobuf-python -y $ sudo yum install pkg-config python-ipaddr libbsd iproute2 libcap-devel libnet-devel libnl3-devel -y $ sudo yum install asciidoc xmlto -y #目前最新版本v3.16,克隆下载 $ git clone -b v3.16 https://github.com/checkpoint-restore/criu.git $ cd criu #编译安装 $ make & make install #检测 $ criu -V Version: 3.16 GitID: v3.16 $ criu check Looks good.
$ podman container checkpoint suspicious_jones ERRO[0000] container is not destroyed ERRO[0000] criu failed: type NOTIFY errno 0 log file: /var/lib/containers/storage/overlay-containers/51eb5d6f607c97392426b717326e6fdfc5e066ecd617ac273a34d320e3e9afca/userdata/dump.log Error: failed to checkpoint container 51eb5d6f607c97392426b717326e6fdfc5e066ecd617ac273a34d320e3e9afca: `/usr/bin/runc checkpoint --image-path /var/lib/containers/storage/overlay-containers/51eb5d6f607c97392426b717326e6fdfc5e066ecd617ac273a34d320e3e9afca/userdata/checkpoint --work-path /var/lib/containers/storage/overlay-containers/51eb5d6f607c97392426b717326e6fdfc5e066ecd617ac273a34d320e3e9afca/userdata 51eb5d6f607c97392426b717326e6fdfc5e066ecd617ac273a34d320e3e9afca` failed: exit status 1
解决方法请参考
$ podman container checkpoint exciting_neumann 2135a176f1b5f75668836c3a4e374cd1bcfc17545414ba5fb41be6558078f470 $ podman container restore exciting_neumann 2135a176f1b5f75668836c3a4e374cd1bcfc17545414ba5fb41be6558078f470 $ podman ps ConTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 2135a176f1b5 docker.io/library/httpd:latest httpd-foreground about an hour ago Up 23 minutes ago 0.0.0.0:8080->80/tcp exciting_neumann
更多细节请参考官方
5.7 容器健康检查健康检查”是一种用户可以确定在容器内运行的主进程的“健康”或准备情况的方式。这不仅仅是一个简单的“我的容器在运行吗?” 题。更像是“我的应用程序准备好了吗?” 因此,健康检查实际上是一种验证容器及其应用程序是否响应的方法。
健康检查由五个基本组成部分组成:
- Command
- Retries
- Interval
- Start-period
- Timeout
$ sudo podman run -dt --name hc1 --healthcheck-command 'CMD-SHELL curl http://localhost || exit 1' --healthcheck-interval=0 quay.io/libpod/alpine_nginx:latest d25ee6faaf6e5e12c09e734b1ac675385fe4d4e8b52504dd01a60e1b726e3edb $ sudo podman healthcheck run hc1 Healthy $ echo $? 0
在podman run命令上,请注意--healthcheck-command定义 healthcheck 命令本身的位置的使用。请记住,这是一个在容器本身“内部”运行的命令。在这种情况下,curl 命令需要存在于容器中。另外,请注意--healthcheck-interval标志及其“0”值。间隔标志定义运行健康检查的时间频率。“0”值表示我们要手动运行健康检查。
healthcheck更多细节请参考
5.8 容器用systemd管理由于 Podman 没有 daemon ,所以没办法像 docker 一样通过指定参数 --restart=always 在 docker 进程启动时自动拉起镜像。 Podman 通过 systemd 来支持该功能。
首先,我们需要准备一个已经可以正常运行的容器:
$ podman ps ConTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 94de914cfc45 docker.io/library/busybox:latest sh 5 minutes ago Up 5 minutes ago hello
编写 systemd 配置文件,通常默认路径为: /usr/lib/systemd/system/
$ vim /usr/lib/systemd/system/hello.service [Unit] After=network.target [Service] Restart=always ExecStart=/usr/bin/podman start -a hello ExecStop=/usr/bin/podman stop -t 10 hello [Install] WantedBy=multi-user.target
编写完成后,我们需要执行下 systemctl daemon-reload 重新加载一次配置,然后就可以通过 systemctl 来控制容器的启停、开机自启动了。
$ systemctl daemon-reload
$ systemctl status hello
● hello.service
Loaded: loaded (/usr/lib/systemd/system/hello.service; disabled; vendor preset: disabled)
Active: inactive (dead)
$ systemctl start hello
$ systemctl status hello
● hello.service
Loaded: loaded (/usr/lib/systemd/system/hello.service; disabled; vendor preset: disabled)
Active: active (running) since 一 2021-11-29 21:52:50 CST; 3s ago
Main PID: 4760 (podman)
Tasks: 8
CGroup: /system.slice/hello.service
└─4760 /usr/bin/podman start -a hello
11月 29 21:52:50 localhost.localdomain systemd[1]: Started hello.service.
$ systemctl enable hello
Created symlink from /etc/systemd/system/multi-user.target.wants/hello.service to /usr/lib/systemd/system/hello.service.
#停止hello容器
[root@localhost ~]# podman ps
ConTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
94de914cfc45 docker.io/library/busybox:latest sh 8 minutes ago Up 8 minutes ago hello
[root@localhost ~]# systemctl stop hello
[root@localhost ~]# podman ps
ConTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
#启动hello容器
[root@localhost ~]# systemctl start hello
[root@localhost ~]# podman ps
ConTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
94de914cfc45 docker.io/library/busybox:latest sh 9 minutes ago Up 2 seconds ago hello
6. k8s管理
6.1 pod管理
- pod不但管理起来像个docker,它还可以管理pod
- Podman 的 YAML 和 k8s pod yaml 文件格式是兼容的。
首先,我们来创建一个 Pod:
$ podman pod create --name postgresql -p 5432 -p 9187 ERRO[0042] Error freeing pod lock after failed creation: no such file or directory Error: unable to create pod: error adding Infra Container: unable to pull k8s.gcr.io/pause:3.1: unable to pull image: Error initializing source docker://k8s.gcr.io/pause:3.1: error pinging docker registry k8s.gcr.io: Get https://k8s.gcr.io/v2/: dial tcp 74.125.204.82:443: connect: connection refused
如何绕过尴尬的k8s.gcr.io
$ podman pull registry.aliyuncs.com/google_containers/pause:3.1 Trying to pull registry.aliyuncs.com/google_containers/pause:3.1... Getting image source signatures Copying blob 67ddbfb20a22 done Copying config da86e6ba6c [======================================] 1.6KiB / 1.6KiB Writing manifest to image destination Storing signatures da86e6ba6ca197bf6bc5e9d900febd906b133eaa4750e6bed647b0fbe50ed43e $ podman tag registry.aliyuncs.com/google_containers/pause:3.1 k8s.gcr.io/pause:3.1 [root@localhost ~]# podman pod create --name postgresql -p 5432 -p 9187 d6825c6afe78a471d39190c8caf57b7f034e604b2ad64a4d1a2918894d5ae890 #容器模式查看 $ podman ps -a ConTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 2a7e0325d459 registry.aliyuncs.com/google_containers/pause:3.1 22 seconds ago Created 0.0.0.0:5432->5432/tcp d6825c6afe78-infra #pod模式查看 podman pod ls POD ID NAME STATUS CREATED # OF ConTAINERS INFRA ID d6825c6afe78 postgresql Created 2 minutes ago 1 2a7e0325d459 $ podman pod ps POD ID NAME STATUS CREATED # OF ConTAINERS INFRA ID d6825c6afe78 postgresql Created 3 minutes ago 1 2a7e0325d459
运行一个demo
#运行postgress容器 $ podman run -d --pod postgresql -e POSTGRES_PASSWORD=password postgres:latest Trying to pull docker.io/library/postgres:latest... Getting image source signatures Copying blob eff15d958d66 skipped: already exists Copying blob 108afa831d95 done Copying blob 7037ade1772d done Copying blob c877668f09b8 done Copying blob e5821d5963ce done Copying blob 5be06220aa99 done Copying blob de2b4ab3ade5 done Copying blob a60906bcf87f done Copying blob d46bc4e17ddc done Copying blob a1c85f71c941 done Copying blob 69f50e484cab done Copying blob 2f8a286a55a4 done Copying blob 8d590b0d720c done Copying config 577410342f done Writing manifest to image destination Storing signatures 8906e9ea92780c6c550ca4ae26dd398300ddb5d3f518d122bebb88a33a26ffeb #运行postgress_exporter容器 podman run -d --pod postgresql -e DATA_SOURCE_NAME="postgresql://postgres:password@localhost:5432/postgres?sslmode=disable" wrouesnel/postgres_exporter Trying to pull docker.io/wrouesnel/postgres_exporter... Getting image source signatures Copying blob 45b42c59be33 done Copying blob 4634a89d50c2 done Copying blob fbcf7c278f83 done Copying config 9fe9d3d021 done Writing manifest to image destination Storing signatures 36f67b3e0fd06c1385595320288b0e41b183407859c1f4c48abf028599b06971 $ podman ps -a ConTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 36f67b3e0fd0 docker.io/wrouesnel/postgres_exporter:latest 3 minutes ago Up 3 minutes ago 0.0.0.0:5432->5432/tcp objective_lehmann 8906e9ea9278 docker.io/library/postgres:latest postgres 9 minutes ago Up 9 minutes ago 0.0.0.0:5432->5432/tcp reverent_shaw
首先我们创建了一个 Pod,端口映射是在 Pod 这个级别配置的,然后在这个 Pod 中,我们创建了两个 container,分别是:postgres 和 postgres_exporter ,其中 postgres_exporter 主要是暴露 metrics 用于 Prometheus 抓取进行监控。
我们可以通过 curl 相应端口来验证是否正常工作:
$ curl localhost:9187/metrics
# HELP go_gc_duration_seconds A summary of the GC invocation durations.
# TYPE go_gc_duration_seconds summary
go_gc_duration_seconds{quantile="0"} 0
go_gc_duration_seconds{quantile="0.25"} 0
go_gc_duration_seconds{quantile="0.5"} 0
go_gc_duration_seconds{quantile="0.75"} 0
go_gc_duration_seconds{quantile="1"} 0
go_gc_duration_seconds_sum 0
go_gc_duration_seconds_count 0
·······················
可以看到已经正确的获取到了相应 metrics 数值,可以通过 podman pod top 来获取当前进程状态:
$ podman pod top postgresql USER PID PPID %CPU ELAPSED TTY TIME COMMAND 0 1 0 0.000 11m43.122459727s ? 0s /pause postgres_exporter 1 0 0.000 5m51.124897013s ? 0s /postgres_exporter postgres 1 0 0.000 11m43.127713837s ? 0s postgres postgres 59 1 0.000 11m41.127813057s ? 0s postgres: checkpointer postgres 60 1 0.000 11m41.127878822s ? 0s postgres: background writer postgres 61 1 0.000 11m41.127943364s ? 0s postgres: walwriter postgres 62 1 0.000 11m41.128005075s ? 0s postgres: autovacuum launcher postgres 63 1 0.000 11m41.128133869s ? 0s postgres: stats collector postgres 64 1 0.000 11m41.128229337s ? 0s postgres: logical replication launcher postgres 74 1 0.000 1m49.12829442s ? 0s postgres: postgres postgres ::1(34118) idle6.2 yaml管理
通过 podman generate 命令可以生成 k8s 可用的 YAML 文件:
$ podman generate kube postgresql > postgresql.yaml
$ podman generate kube postgresql
# Generation of Kubernetes YAML is still under development!
#
# Save the output of this file and use kubectl create -f to import
# it into Kubernetes.
#
# Created with podman-1.6.4
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: "2021-11-29T14:34:40Z"
labels:
app: postgresql
name: postgresql
spec:
containers:
- env:
- name: PATH
value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
- name: TERM
value: xterm
- name: HOSTNAME
value: postgresql
- name: container
value: podman
- name: DATA_SOURCE_NAME
value: postgresql://postgres:password@localhost:5432/postgres?sslmode=disable
image: docker.io/wrouesnel/postgres_exporter:latest
name: objectivelehmann
ports:
- containerPort: 5432
hostPort: 5432
protocol: TCP
- containerPort: 9187
hostPort: 9187
protocol: TCP
resources: {}
securityContext:
allowPrivilegeEscalation: true
capabilities: {}
privileged: false
readOnlyRootFilesystem: false
runAsUser: 20001
workingDir: /
- command:
- postgres
env:
- name: PATH
value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/lib/postgresql/14/bin
- name: TERM
value: xterm
- name: HOSTNAME
value: postgresql
- name: container
value: podman
- name: PGDATA
value: /var/lib/postgresql/data
- name: POSTGRES_PASSWORD
value: password
- name: GOSU_VERSION
value: "1.12"
- name: LANG
value: en_US.utf8
- name: PG_MAJOR
value: "14"
- name: PG_VERSION
value: 14.1-1.pgdg110+1
image: docker.io/library/postgres:latest
name: reverentshaw
resources: {}
securityContext:
allowPrivilegeEscalation: true
capabilities: {}
privileged: false
readOnlyRootFilesystem: false
workingDir: /
status: {}
使用 podman play 命令可以直接创建完整的 Pod 及其所拥有的容器:
podman play kube postgresql.yaml
