Docker/Podman基础应用
Docker/Podman基础应用
- 1.镜像
- 1.1拉取镜像
- 1.2查看本机镜像
- 1.3查看某个本地镜像详情
- 1.4 搜索远端仓库镜像
- 1.5 删除本地镜像
- 1.6 创建本地镜像
- 1.7 上传本地镜像
- 2.容器
- 2.1 创建容器
- 2.2 启动未运行的容器
- 2.3 新建并运行容器
- 2.4 终止容器
- 2.5 进入容器
- 2.6 删除容器
- 2.7 容器迁移
- 3.仓库
- 3.1 在仓库搜索镜像
- 3.2 创建私有镜像仓库
- 3.3 podman客户端配置http支持
- 4.数据管理
- 4.1 数据卷
- 4.1.1创建一个容器内的数据卷,不挂载宿主机目录
- 4.1.2创建一个容器内的数据卷,挂载一个宿主机目录
- 4.2 数据卷容器
- 4.2.1创建一个数据卷容器
- 4.2.2挂载容器中的数据卷
- 5.网络管理
- 5.1 端口映射实现容器访问
- 5.1.1 绑定宿主机任意端口
- 5.1.2 绑定宿主机固定端口
- 5.1.3 绑定宿主机某个地址的固定端口
- 5.1.4 绑定宿主机某个地址的任意一个端口
- 5.1.5 查询容器端口映射配置
- 5.2 容器间网络通信
1.镜像
Docker镜像类似于虚拟机镜像,他是一个已经打包好的系统文件,一个镜像可以包含一个完整的操作系统(例如,CenOS),也可以只包含一个中间件(例如ngxin)。我们可以把操作系统安装文件ISO理解为镜像,而且是只读的。
1.1拉取镜像
[javadm@iZj6cdyw9ivwn9a3j8q0nzZ ~]$ docker pull nginx
Trying to pull registry.access.redhat.com/nginx...
unsupported: This repo requires terms acceptance and is only available on registry.redhat.io
Trying to pull registry.fedoraproject.org/nginx...
manifest unknown: manifest unknown
Trying to pull registry.centos.org/nginx...
manifest unknown: manifest unknown
Trying to pull docker.io/library/nginx...
Getting image source signatures
Copying blob f9dc69acb465 done
Copying blob 54fec2fa59d0 done
Copying blob 4ede6f09aefe done
Copying config 602e111c06 done
Writing manifest to image destination
Storing signatures
602e111c06b6934013578ad80554a074049c59441d9bcd963cb4a7feccede7a5
1.2查看本机镜像
[javadm@iZj6cdyw9ivwn9a3j8q0nzZ ~]$ docker image list
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/nginx latest 602e111c06b6 2 days ago 131 MB
[javadm@iZj6cdyw9ivwn9a3j8q0nzZ ~]$
1.3查看某个本地镜像详情
[javadm@iZj6cdyw9ivwn9a3j8q0nzZ ~]$ docker inspect nginx
[
{
"Id": "602e111c06b6934013578ad80554a074049c59441d9bcd963cb4a7feccede7a5",
"Digest": "sha256:86ae264c3f4acb99b2dee4d0098c40cb8c46dcf9e1148f05d3a51c4df6758c12",
"RepoTags": [
"docker.io/library/nginx:latest"
],
"RepoDigests": [
"docker.io/library/nginx@sha256:86ae264c3f4acb99b2dee4d0098c40cb8c46dcf9e1148f05d3a51c4df6758c12",
"docker.io/library/nginx@sha256:cccef6d6bdea671c394956e24b0d0c44cd82dbe83f543a47fdc790fadea48422"
],
"Parent": "",
"Comment": "",
"Created": "2020-04-23T13:03:01.355887897Z",
"Config": {
"ExposedPorts": {
"80/tcp": {}
},
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"NGINX_VERSION=1.17.10",
"NJS_VERSION=0.3.9",
"PKG_RELEASE=1~buster"
],
"Cmd": [
"nginx",
"-g",
"daemon off;"
],
"Labels": {
"maintainer": "NGINX Docker Maintainers "
},
"StopSignal": "SIGTERM"
},
"Version": "18.09.7",
"Author": "",
"Architecture": "amd64",
"Os": "linux",
"Size": 130614008,
"VirtualSize": 130614008,
"GraphDriver": {
"Name": "overlay",
"Data": {
"LowerDir": "/home/javadm/.local/share/containers/storage/overlay/c16ab5432290c07f1b51f534014942ef173c4f0bf2cf22bcc0429bcc0be55b67/diff:/home/javadm/.local/share/containers/storage/overlay/c2adabaecedbda0af72b153c6499a0555f3a769d52370469d8f6bd6328af9b13/diff",
"UpperDir": "/home/javadm/.local/share/containers/storage/overlay/d8f92083a7db6237a7010074b6bc0d79efce69301be7e5afe7cdd2a4acd8d680/diff",
"WorkDir": "/home/javadm/.local/share/containers/storage/overlay/d8f92083a7db6237a7010074b6bc0d79efce69301be7e5afe7cdd2a4acd8d680/work"
}
},
"RootFS": {
"Type": "layers",
"Layers": [
"sha256:c2adabaecedbda0af72b153c6499a0555f3a769d52370469d8f6bd6328af9b13",
"sha256:216cf33c0a2877e88bd687ced2d05331f442b8490962469220a3a63bf2aad3b0",
"sha256:b3003aac411c1d650bc4e3757ad96afe8f98a99b81c4e760e09c6542ee674289"
]
},
"Labels": {
"maintainer": "NGINX Docker Maintainers "
},
"Annotations": {},
"ManifestType": "application/vnd.docker.distribution.manifest.v2+json",
"User": "",
"History": [
{
"created": "2020-04-23T00:20:32.126556976Z",
"created_by": "/bin/sh -c #(nop) ADD file:9b8be2b52ee0fa31da1b6256099030b73546253a57e94cccb24605cd888bb74d in / "
},
{
"created": "2020-04-23T00:20:32.391326355Z",
"created_by": "/bin/sh -c #(nop) CMD [\"bash\"]",
"empty_layer": true
},
{
"created": "2020-04-23T13:02:24.647346893Z",
"created_by": "/bin/sh -c #(nop) LABEL maintainer=NGINX Docker Maintainers ",
"empty_layer": true
},
{
"created": "2020-04-23T13:02:24.951828955Z",
"created_by": "/bin/sh -c #(nop) ENV NGINX_VERSION=1.17.10",
"empty_layer": true
},
{
"created": "2020-04-23T13:02:25.259326754Z",
"created_by": "/bin/sh -c #(nop) ENV NJS_VERSION=0.3.9",
"empty_layer": true
},
{
"created": "2020-04-23T13:02:25.59142152Z",
"created_by": "/bin/sh -c #(nop) ENV PKG_RELEASE=1~buster",
"empty_layer": true
},
{
"created": "2020-04-23T13:02:59.072951853Z",
"created_by": "/bin/sh -c set -x && addgroup --system --gid 101 nginx && adduser --system --disabled-login --ingroup nginx --no-create-home --home /nonexistent --gecos \"nginx user\" --shell /bin/false --uid 101 nginx && apt-get update && apt-get install --no-install-recommends --no-install-suggests -y gnupg1 ca-certificates && NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; found=''; for server in ha.pool.sks-keyservers.net hkp://keyserver.ubuntu.com:80 hkp://p80.pool.sks-keyservers.net:80 pgp.mit.edu ; do echo \"Fetching GPG key $NGINX_GPGKEY from $server\"; apt-key adv --keyserver \"$server\" --keyserver-options timeout=10 --recv-keys \"$NGINX_GPGKEY\" && found=yes && break; done; test -z \"$found\" && echo >&2 \"error: failed to fetch GPG key $NGINX_GPGKEY\" && exit 1; apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* && dpkgArch=\"$(dpkg --print-architecture)\" && nginxPackages=\" nginx=${NGINX_VERSION}-${PKG_RELEASE} nginx-module-xslt=${NGINX_VERSION}-${PKG_RELEASE} nginx-module-geoip=${NGINX_VERSION}-${PKG_RELEASE} nginx-module-image-filter=${NGINX_VERSION}-${PKG_RELEASE} nginx-module-njs=${NGINX_VERSION}.${NJS_VERSION}-${PKG_RELEASE} \" && case \"$dpkgArch\" in amd64|i386) echo \"deb https://nginx.org/packages/mainline/debian/ buster nginx\" >> /etc/apt/sources.list.d/nginx.list && apt-get update ;; *) echo \"deb-src https://nginx.org/packages/mainline/debian/ buster nginx\" >> /etc/apt/sources.list.d/nginx.list && tempDir=\"$(mktemp -d)\" && chmod 777 \"$tempDir\" && savedAptMark=\"$(apt-mark showmanual)\" && apt-get update && apt-get build-dep -y $nginxPackages && ( cd \"$tempDir\" && DEB_BUILD_OPTIONS=\"nocheck parallel=$(nproc)\" apt-get source --compile $nginxPackages ) && apt-mark showmanual | xargs apt-mark auto > /dev/null && { [ -z \"$savedAptMark\" ] || apt-mark manual $savedAptMark; } && ls -lAFh \"$tempDir\" && ( cd \"$tempDir\" && dpkg-scanpackages . > Packages ) && grep '^Package: ' \"$tempDir/Packages\" && echo \"deb [ trusted=yes ] file://$tempDir ./\" > /etc/apt/sources.list.d/temp.list && apt-get -o Acquire::GzipIndexes=false update ;; esac && apt-get install --no-install-recommends --no-install-suggests -y $nginxPackages gettext-base && apt-get remove --purge --auto-remove -y ca-certificates && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx.list && if [ -n \"$tempDir\" ]; then apt-get purge -y --auto-remove && rm -rf \"$tempDir\" /etc/apt/sources.list.d/temp.list; fi"
},
{
"created": "2020-04-23T13:03:00.368933408Z",
"created_by": "/bin/sh -c ln -sf /dev/stdout /var/log/nginx/access.log && ln -sf /dev/stderr /var/log/nginx/error.log"
},
{
"created": "2020-04-23T13:03:00.732751286Z",
"created_by": "/bin/sh -c #(nop) EXPOSE 80",
"empty_layer": true
},
{
"created": "2020-04-23T13:03:01.05357517Z",
"created_by": "/bin/sh -c #(nop) STOPSIGNAL SIGTERM",
"empty_layer": true
},
{
"created": "2020-04-23T13:03:01.355887897Z",
"created_by": "/bin/sh -c #(nop) CMD [\"nginx\" \"-g\" \"daemon off;\"]",
"empty_layer": true
}
]
}
]
1.4 搜索远端仓库镜像
[javadm@iZj6cdyw9ivwn9a3j8q0nzZ ~]$ docker search mysql
INDEX NAME DESCRIPTION STARS OFFICIAL AUTOMATED
redhat.com registry.access.redhat.com/rhscl/mysql-57-rhel7 Docker image for running MySQL 5.7 server. T... 0
redhat.com registry.access.redhat.com/rhscl/mysql-56-rhel7 MySQL 5.6 SQL database server 0
redhat.com registry.access.redhat.com/openshift3/mysql-55-rhel7 MySQL 5.5 SQL database server 0
redhat.com registry.access.redhat.com/openshift3/mysql-apb Ansible Playbook Bundle application definiti... 0
redhat.com registry.access.redhat.com/rhmap45/mysql Provides an extension to the RHSCL MySQL ima... 0
redhat.com registry.access.redhat.com/rhmap44/mysql Provides an extension to the RHSCL MySQL Doc... 0
redhat.com registry.access.redhat.com/rhmap42/mysql Provides an extension to the RHSCL MySQL Doc... 0
redhat.com registry.access.redhat.com/rhmap43/mysql Provides an extension to the RHSCL MySQL Doc... 0
redhat.com registry.access.redhat.com/rhmap46/mysql Provides an extension to the RHSCL MySQL ima... 0
redhat.com registry.access.redhat.com/rhmap47/mysql Provides an extension to the RHSCL MySQL ima... 0
redhat.com registry.access.redhat.com/rhscl/mysql-80-rhel7 This container image provides a containerize... 0
centos.org registry.centos.org/centos/mysql-56-centos7 0
centos.org registry.centos.org/centos/mysql-57-centos7 0
centos.org registry.centos.org/centos/mysql-80-centos7 0
docker.io docker.io/library/mysql MySQL is a widely used, open-source relation... 9412 [OK]
docker.io docker.io/mysql/mysql-server Optimized MySQL Server Docker images. Create... 688 [OK]
docker.io docker.io/circleci/mysql MySQL is a widely used, open-source relation... 19
docker.io docker.io/bitnami/mysql Bitnami MySQL Docker Image 39 [OK]
docker.io docker.io/mysql/mysql-cluster Experimental MySQL Cluster Docker images. Cr... 66
docker.io docker.io/schickling/mysql-backup-s3 Backup MySQL to S3 (supports periodic backup... 29 [OK]
docker.io docker.io/centos/mysql-57-centos7 MySQL 5.7 SQL database server 74
docker.io docker.io/ansibleplaybookbundle/mysql-apb An APB which deploys RHSCL MySQL 2 [OK]
docker.io docker.io/deitch/mysql-backup REPLACED! Please use http://hub.docker.com/r... 41 [OK]
docker.io docker.io/centos/mysql-56-centos7 MySQL 5.6 SQL database server 19
docker.io docker.io/arey/mysql-client Run a MySQL client from a docker container 13 [OK]
docker.io docker.io/mysql/mysql-router MySQL Router provides transparent routing be... 15
docker.io docker.io/library/mariadb MariaDB is a community-developed fork of MyS... 3392 [OK]
docker.io docker.io/centurylink/mysql Image containing mysql. Optimized to be link... 61 [OK]
docker.io docker.io/linuxserver/mysql A Mysql container, brought to you by LinuxSe... 25
docker.io docker.io/openshift/mysql-55-centos7 DEPRECATED: A Centos7 based MySQL v5.5 image... 6
docker.io docker.io/widdpim/mysql-client Dockerized MySQL Client (5.7) including Curl... 0 [OK]
docker.io docker.io/prom/mysqld-exporter 27 [OK]
docker.io docker.io/tutum/mysql Base docker image to run a MySQL database se... 34
docker.io docker.io/jelastic/mysql An image of the MySQL database server mainta... 1
docker.io docker.io/fradelg/mysql-cron-backup MySQL/MariaDB database backup using cron tas... 6 [OK]
docker.io docker.io/databack/mysql-backup Back up mysql databases to... anywhere! 15
docker.io docker.io/devilbox/mysql Retagged MySQL, MariaDB and PerconaDB offici... 3
docker.io docker.io/monasca/mysql-init A minimal decoupled init container for mysql 0
docker.io docker.io/genschsa/mysql-employees MySQL Employee Sample Database 5 [OK]
[javadm@iZj6cdyw9ivwn9a3j8q0nzZ ~]$
1.5 删除本地镜像
[javadm@iZj6cdyw9ivwn9a3j8q0nzZ ~]$ docker image list
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/nginx latest 602e111c06b6 2 days ago 131 MB
registry.access.redhat.com/rhscl/mysql-57-rhel7 latest 60726b33a00a 6 months ago 448 MB
[javadm@iZj6cdyw9ivwn9a3j8q0nzZ ~]$ docker rmi registry.access.redhat.com/rhscl/mysql-57-rhel7
Untagged: registry.access.redhat.com/rhscl/mysql-57-rhel7:latest
Deleted: 60726b33a00a2c3be60e25c3270a34a9b147db86602f05a71988a1c92a70cebc
[javadm@iZj6cdyw9ivwn9a3j8q0nzZ ~]$ docker image list
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/nginx latest 602e111c06b6 2 days ago 131 MB
[javadm@iZj6cdyw9ivwn9a3j8q0nzZ ~]$
docker rmi 后面跟tag名称时,只会根据tag名称删除,后面跟镜像ID时会尝试删除所有该ID的镜像。
如果该镜像已经被运行了容器,删除镜像前需要先删除容器。
1.6 创建本地镜像
待续
1.7 上传本地镜像
待续
2.容器
Docker容器类似于一个轻量级的隔离环境,他包含一个简易版的Linux系统环境(root用户权限、进程空间、用户空间和网络空间)。容器可以理解为通过镜像加载好的一个操作系统环境,镜像是只读的,但是上层有一个面对用户的层,可以有写权限。容器也可以理解为镜像的一个实例化对象。
2.1 创建容器
[javadm@iZj6cdyw9ivwn9a3j8q0nzZ ~]$ docker create -it docker.io/library/nginx
e8af9225bedbc74fd79ea1736af3472b8ec900a4d807e7459a69c7b84ca067f1
[javadm@iZj6cdyw9ivwn9a3j8q0nzZ ~]$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[javadm@iZj6cdyw9ivwn9a3j8q0nzZ ~]$ docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
e8af9225bedb docker.io/library/nginx:latest nginx -g daemon o... About a minute ago Created thirsty_raman
[javadm@iZj6cdyw9ivwn9a3j8q0nzZ ~]$
创建一个容器后,默认是未运行的,需要手工启动它。
2.2 启动未运行的容器
[javadm@iZj6cdyw9ivwn9a3j8q0nzZ ~]$ docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
e8af9225bedb docker.io/library/nginx:latest nginx -g daemon o... About a minute ago Created thirsty_raman
[javadm@iZj6cdyw9ivwn9a3j8q0nzZ ~]$ docker start e8af9225bedb
e8af9225bedbc74fd79ea1736af3472b8ec900a4d807e7459a69c7b84ca067f1
2.3 新建并运行容器
新建一个自动停止的容器
[javadm@iZj6cdyw9ivwn9a3j8q0nzZ ~]$ docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[javadm@iZj6cdyw9ivwn9a3j8q0nzZ ~]$ docker run ubuntu /bin/echo 'Hello China'
Hello China
[javadm@iZj6cdyw9ivwn9a3j8q0nzZ ~]$ docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
f3aa14575d05 docker.io/library/ubuntu:latest /bin/echo Hello C... 4 seconds ago Exited (0) 4 seconds ago elated_galois
[javadm@iZj6cdyw9ivwn9a3j8q0nzZ ~]$
运行一个ubuntu容器,并使用echo打印一个字符串。
新建一个打开伪终端和标准输入的容器
[javadm@iZj6cdyw9ivwn9a3j8q0nzZ ~]$ docker run -t -i ubuntu /bin/bash
root@7e6725eeaa64:/# ps -a
PID TTY TIME CMD
8 pts/0 00:00:00 ps
root@7e6725eeaa64:/# pwd
/
root@7e6725eeaa64:/#
其中,-t选项让Docker分配一个伪终端,-i让容器的标准输入保持打开。用户可以输入exit或CTRL+D退出容器,容器自动关闭,状态为已关闭状态。
2.4 终止容器
[javadm@iZj6cdyw9ivwn9a3j8q0nzZ ~]$ docker stop 7e6725eeaa64
7e6725eeaa64ef9980fb9cbbb40e01d2f146443f1d1421066cd1ac17455e946e
2.5 进入容器
[javadm@iZj6cdyw9ivwn9a3j8q0nzZ ~]$ docker run -idt ubuntu
f5c3d70640540d3264b30773f4f411606f4d2b3d55b4405d77b340fa618f015c
[javadm@iZj6cdyw9ivwn9a3j8q0nzZ ~]$ docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
f5c3d7064054 docker.io/library/ubuntu:latest /bin/bash 4 seconds ago Up 4 seconds ago compassionate_swanson
[javadm@iZj6cdyw9ivwn9a3j8q0nzZ ~]$ docker exec -it f5c3d7064054 /bin/bash
root@f5c3d7064054:/# ps
PID TTY TIME CMD
8 pts/1 00:00:00 bash
15 pts/1 00:00:00 ps
root@f5c3d7064054:/# pwd
/
root@f5c3d7064054:/#
使用exec 进入到一个容器,并启动一个bash
2.6 删除容器
[javadm@iZj6cdyw9ivwn9a3j8q0nzZ ~]$ docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
f5c3d7064054 docker.io/library/ubuntu:latest /bin/bash 8 minutes ago Up 8 minutes ago compassionate_swanson
[javadm@iZj6cdyw9ivwn9a3j8q0nzZ ~]$ docker stop f5c3d7064054
f5c3d70640540d3264b30773f4f411606f4d2b3d55b4405d77b340fa618f015c
[javadm@iZj6cdyw9ivwn9a3j8q0nzZ ~]$ docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
f5c3d7064054 docker.io/library/ubuntu:latest /bin/bash 8 minutes ago Exited (0) 3 seconds ago compassionate_swanson
[javadm@iZj6cdyw9ivwn9a3j8q0nzZ ~]$ docker rm f5c3d7064054
f5c3d70640540d3264b30773f4f411606f4d2b3d55b4405d77b340fa618f015c
[javadm@iZj6cdyw9ivwn9a3j8q0nzZ ~]$ docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[javadm@iZj6cdyw9ivwn9a3j8q0nzZ ~]$
一般建议stop容器,再删除容器,最后确认删除了。
2.7 容器迁移
容器导出到一个文件
[javadm@iZj6cdyw9ivwn9a3j8q0nzZ ~]$ docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
5ce4afcbf5d6 docker.io/library/ubuntu:latest /bin/bash 2 minutes ago Up 2 minutes ago trusting_dubinsky
[javadm@iZj6cdyw9ivwn9a3j8q0nzZ ~]$ docker export 5ce >ubuntu_run_1.tar
[javadm@iZj6cdyw9ivwn9a3j8q0nzZ ~]$ ll
total 74452
-rw-r--r-- 1 javadm javgrp 76237312 Apr 25 23:58 ubuntu_run_1.tar
[javadm@iZj6cdyw9ivwn9a3j8q0nzZ ~]$ du -sh ubuntu_run_1.tar
73M ubuntu_run_1.tar
[javadm@iZj6cdyw9ivwn9a3j8q0nzZ ~]$ pwd
/home/javadm
容器从文件导入
[javadm@instance-2 ~]$ ll
total 74452
-rw-r--r--. 1 javadm javgrp 76237312 Apr 26 03:04 ubuntu_run_1.tar
[javadm@instance-2 ~]$ cat ubuntu_run_1.tar |docker import - test/ubuntu:v1.0
Getting image source signatures
Copying blob cef6a2dabb47 done
Copying config 7b5308bcc5 done
Writing manifest to image destination
Storing signatures
7b5308bcc59de8ccc8acbbf4ca424364ae4bfbec44b0700ca3c8eddf855b4bbb
[javadm@instance-2 ~]$ docker image list
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/test/ubuntu v1.0 7b5308bcc59d About a minute ago 76.2 MB
[javadm@instance-2 ~]$ docker run -it 7b5308bcc59d /bin/bash
root@e66a42e9bc02:/# cd /tmp/
root@e66a42e9bc02:/tmp# ll
total 4
drwxrwxrwt. 2 root root 28 Apr 25 15:56 ./
drwxr-xr-x. 2 root root 6 Apr 26 03:09 ../
-rw-r--r--. 1 root root 12 Apr 25 15:57 file_at_docker
root@e66a42e9bc02:/tmp# cat file_at_docker
hello world
root@e66a42e9bc02:/tmp# exit
exit
ERRO[0145] unable to close namespace: "close /proc/25407/ns/user: bad file descriptor"
[javadm@instance-2 ~]$ docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
e66a42e9bc02 docker.io/test/ubuntu:v1.0 /bin/bash 2 minutes ago Exited (0) 5 seconds ago focused_gagarin
[javadm@instance-2 ~]$
cat ubuntu_run_1.tar |docker import - test/ubuntu:v1.0 通过文件导入镜像,然后使用docker run运行该镜像,会自动生成一个容器。
3.仓库
Docker仓库,类似于代码仓库,是Docker集中存放镜像文件的地方。我们可以把存放ISO镜像光盘的书架,理解为仓库。目前最大的Docker仓库是Docker Hub,里面存放了大量的镜像供用户下载。
3.1 在仓库搜索镜像
[javadm@iZj6cdyw9ivwn9a3j8q0nzZ ~]$ docker search ansible
INDEX NAME DESCRIPTION STARS OFFICIAL AUTOMATED
redhat.com registry.access.redhat.com/cloudforms46/cfme-openshift-embedded-ansible Ansible Automation image that provides Ansib... 0
redhat.com registry.access.redhat.com/ansible-runner-11/ansible-runner Ansible Runner is a component for reliable, ... 0
redhat.com registry.access.redhat.com/openshift3/apb-tools Ansible Playbook Bundle (APB) tools to assis... 0
redhat.com registry.access.redhat.com/ansible-tower-34/ansible-tower-messaging Red Hat Ansible Tower is a fully-featured au... 0
redhat.com registry.access.redhat.com/ansible-tower-34/ansible-tower-memcached Red Hat Ansible Tower is a fully-featured au... 0
......
3.2 创建私有镜像仓库
本地新建私有仓库
[javadm@iZj6cdyw9ivwn9a3j8q0nzZ ~]$ docker run -idt -p 5000:5000 -v /tmp/data/registry:/tmp/registry registry
f10c2d0d3648c7aac72ef056f087f83447e3fa3aa3c3e80d801eca3c60a25792
[javadm@iZj6cdyw9ivwn9a3j8q0nzZ ~]$ docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
f10c2d0d3648 docker.io/library/registry:latest /etc/docker/regis... 5 seconds ago Up 5 seconds ago 0.0.0.0:5000->5000/tcp wonderful_keldysh
b7ed62ac0656 docker.io/library/registry:latest /etc/docker/regis... 10 minutes ago Exited (2) 2 minutes ago 0.0.0.0:5000->5000/tcp hungry_driscoll
将本机的镜像push到私有仓库
[javadm@iZj6cdyw9ivwn9a3j8q0nzZ ~]$ docker tag docker.io/library/nginx:latest 127.0.0.1:5000/test
[javadm@iZj6cdyw9ivwn9a3j8q0nzZ ~]$ docker image list
REPOSITORY TAG IMAGE ID CREATED SIZE
127.0.0.1:5000/test latest 602e111c06b6 2 days ago 131 MB
[javadm@iZj6cdyw9ivwn9a3j8q0nzZ ~]$ podman push 127.0.0.1:5000/test
Getting image source signatures
Copying blob b3003aac411c done
Copying blob c2adabaecedb done
Copying blob 216cf33c0a28 done
Copying config 602e111c06 done
Writing manifest to image destination
Storing signatures
[javadm@iZj6cdyw9ivwn9a3j8q0nzZ ~]$
给本地镜像打个tag并push到私有仓库
将远程的私有库的镜像pull到本地仓库
[robin@instance-2 ~]$ podman pull 47.52.22.186:5000/ubuntu-robin2 --log-level=debug
DEBU[0000] Using conmon: "/usr/bin/conmon"
DEBU[0000] Initializing boltdb state at /home/robin/.local/share/containers/storage/libpod/bolt_state.db
DEBU[0000] Using graph driver overlay
DEBU[0000] Using graph root /home/robin/.local/share/containers/storage
DEBU[0000] Using run root /run/user/1000
DEBU[0000] Using static dir /home/robin/.local/share/containers/storage/libpod
DEBU[0000] Using tmp dir /run/user/1000/libpod/tmp
DEBU[0000] Using volume path /home/robin/.local/share/containers/storage/volumes
DEBU[0000] Set libpod namespace to ""
DEBU[0000] Not configuring container store
DEBU[0000] Initializing event backend journald
DEBU[0000] using runtime "/usr/bin/runc"
DEBU[0000] Using conmon: "/usr/bin/conmon"
DEBU[0000] Initializing boltdb state at /home/robin/.local/share/containers/storage/libpod/bolt_state.db
DEBU[0000] Using graph driver overlay
DEBU[0000] Using graph root /home/robin/.local/share/containers/storage
DEBU[0000] Using run root /run/user/1000
DEBU[0000] Using static dir /home/robin/.local/share/containers/storage/libpod
DEBU[0000] Using tmp dir /run/user/1000/libpod/tmp
DEBU[0000] Using volume path /home/robin/.local/share/containers/storage/volumes
DEBU[0000] Set libpod namespace to ""
DEBU[0000] [graphdriver] trying provided driver "overlay"
DEBU[0000] overlay: mount_program=/usr/bin/fuse-overlayfs
DEBU[0000] backingFs=xfs, projectQuotaSupported=false, useNativeDiff=false, usingMetacopy=false
DEBU[0000] Initializing event backend journald
DEBU[0000] using runtime "/usr/bin/runc"
INFO[0000] running as rootless
DEBU[0000] Using conmon: "/usr/bin/conmon"
DEBU[0000] Initializing boltdb state at /home/robin/.local/share/containers/storage/libpod/bolt_state.db
DEBU[0000] Using graph driver overlay
DEBU[0000] Using graph root /home/robin/.local/share/containers/storage
DEBU[0000] Using run root /run/user/1000
DEBU[0000] Using static dir /home/robin/.local/share/containers/storage/libpod
DEBU[0000] Using tmp dir /run/user/1000/libpod/tmp
DEBU[0000] Using volume path /home/robin/.local/share/containers/storage/volumes
DEBU[0000] Set libpod namespace to ""
DEBU[0000] Initializing event backend journald
DEBU[0000] using runtime "/usr/bin/runc"
DEBU[0000] parsed reference into "[overlay@/home/robin/.local/share/containers/storage+/run/user/1000:overlay.mount_program=/usr/bin/fuse-overlayfs]47.52.22.186:5000/ubuntu-robin2:latest"
Trying to pull 47.52.22.186:5000/ubuntu-robin2...
DEBU[0000] reference rewritten from '47.52.22.186:5000/ubuntu-robin2:latest' to '47.52.22.186:5000/ubuntu-robin2:latest'
DEBU[0000] Trying to pull "47.52.22.186:5000/ubuntu-robin2:latest"
DEBU[0000] Credentials not found
DEBU[0000] Using registries.d directory /etc/containers/registries.d for sigstore configuration
DEBU[0000] Using "default-docker" configuration
DEBU[0000] No signature storage configuration found for 47.52.22.186:5000/ubuntu-robin2:latest
DEBU[0000] Looking for TLS certificates and private keys in /etc/docker/certs.d/47.52.22.186:5000
DEBU[0000] GET https://47.52.22.186:5000/v2/
DEBU[0000] Ping https://47.52.22.186:5000/v2/ err Get https://47.52.22.186:5000/v2/: http: server gave HTTP response to HTTPS client (&url.Error{Op:"Get", URL:"https://47.52.22.186:5000/v2/", Err:(*errors.errorString)(0xc000373330)})
DEBU[0000] GET http://47.52.22.186:5000/v2/
DEBU[0000] Ping http://47.52.22.186:5000/v2/ status 200
DEBU[0000] GET http://47.52.22.186:5000/v2/ubuntu-robin2/manifests/latest
DEBU[0000] Using blob info cache at /home/robin/.local/share/containers/cache/blob-info-cache-v1.boltdb
DEBU[0000] IsRunningImageAllowed for image docker:47.52.22.186:5000/ubuntu-robin2:latest
DEBU[0000] Using default policy section
DEBU[0000] Requirement 0: allowed
DEBU[0000] Overall: allowed
DEBU[0000] Downloading /v2/ubuntu-robin2/blobs/sha256:1d622ef86b138c7e96d4f797bf5e4baca3249f030c575b9337638594f2b63f01
DEBU[0000] GET http://47.52.22.186:5000/v2/ubuntu-robin2/blobs/sha256:1d622ef86b138c7e96d4f797bf5e4baca3249f030c575b9337638594f2b63f01
Getting image source signatures
DEBU[0000] Manifest has MIME type application/vnd.docker.distribution.manifest.v2+json, ordered candidate list [application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.v1+prettyjws, application/vnd.oci.image.manifest.v1+json, application/vnd.docker.distribution.manifest.v1+json]
DEBU[0000] ... will first try using the original manifest unmodified
DEBU[0000] [graphdriver] trying provided driver "overlay"
DEBU[0000] overlay: mount_program=/usr/bin/fuse-overlayfs
DEBU[0000] backingFs=xfs, projectQuotaSupported=false, useNativeDiff=false, usingMetacopy=false
DEBU[0000] Downloading /v2/ubuntu-robin2/blobs/sha256:d1ccda578660acdc3df1251fb5feec3b6456be5e0c903ba85063de4c936ec070
DEBU[0000] GET http://47.52.22.186:5000/v2/ubuntu-robin2/blobs/sha256:d1ccda578660acdc3df1251fb5feec3b6456be5e0c903ba85063de4c936ec070
DEBU[0000] Downloading /v2/ubuntu-robin2/blobs/sha256:78a54e4c2391d5ac21011f1368ec928e69c46a1a1f52f4ba0e1566e7881b406d
DEBU[0000] GET http://47.52.22.186:5000/v2/ubuntu-robin2/blobs/sha256:78a54e4c2391d5ac21011f1368ec928e69c46a1a1f52f4ba0e1566e7881b406d
DEBU[0000] Downloading /v2/ubuntu-robin2/blobs/sha256:738c524be39b5f4fa54032fb2b389df9d8ed922519711fab633a2771d348866f
DEBU[0000] GET http://47.52.22.186:5000/v2/ubuntu-robin2/blobs/sha256:738c524be39b5f4fa54032fb2b389df9d8ed922519711fab633a2771d348866f
DEBU[0000] Downloading /v2/ubuntu-robin2/blobs/sha256:7961e061339529159a00915f94a586e461100b2aaf331021342a580b7d30d79d
DEBU[0000] GET http://47.52.22.186:5000/v2/ubuntu-robin2/blobs/sha256:7961e061339529159a00915f94a586e461100b2aaf331021342a580b7d30d79d
DEBU[0000] Detected compression format gzip
DEBU[0000] Using original blob without modification
DEBU[0000] Detected compression format gzip
DEBU[0000] Using original blob without modification
DEBU[0000] Detected compression format gzip
DEBU[0000] Using original blob without modification
DEBU[0000] Detected compression format gzip
DEBU[0000] Using original blob without modification
Copying blob 738c524be39b done
Copying blob d1ccda578660 done
Copying blob 78a54e4c2391 done
Copying blob 7961e0613395 done
DEBU[0044] No compression detected
DEBU[0044] Using original blob without modification
Copying config 1d622ef86b done
Writing manifest to image destination
Storing signatures
DEBU[0044] setting image creation date to 2020-04-24 01:07:51.928109369 +0000 UTC
DEBU[0044] reusing image ID "1d622ef86b138c7e96d4f797bf5e4baca3249f030c575b9337638594f2b63f01"
DEBU[0044] set names of image "1d622ef86b138c7e96d4f797bf5e4baca3249f030c575b9337638594f2b63f01" to [47.52.22.186:5000/ubuntu-robin2:latest docker.io/library/ubuntu:latest]
DEBU[0044] saved image metadata "{\"signatures-sizes\":{\"sha256:f7886a8214857ddcb06b4b3117185850b34aba270b494aa30b9f57f0e8a25de7\":[]}}"
DEBU[0044] parsed reference into "[overlay@/home/robin/.local/share/containers/storage+/run/user/1000:overlay.mount_program=/usr/bin/fuse-overlayfs]47.52.22.186:5000/ubuntu-robin2:latest"
1d622ef86b138c7e96d4f797bf5e4baca3249f030c575b9337638594f2b63f01
[robin@instance-2 ~]$ docker image list
REPOSITORY TAG IMAGE ID CREATED SIZE
47.52.22.186:5000/ubuntu-robin2 latest 1d622ef86b13 2 days ago 76.3 MB
docker.io/library/ubuntu latest 1d622ef86b13 2 days ago 76.3 MB
registry.centos.org/centos latest 0d53c857b224 3 months ago 210 MB
[robin@instance-2 ~]$
[javadm@instance-2 ~]$ docker run -it 1d62 /bin/bash
root@d5e33abf1f91:/# pwd
/
root@d5e33abf1f91:/# whoami
root
root@d5e33abf1f91:/#
3.3 podman客户端配置http支持
参考:https://computingforgeeks.com/create-docker-container-registry-with-podman-letsencrypt/
默认情况下,podman客户端使用https设置,如果pull或者push调用的仓库是http的,就会报错
[javadm@instance-2 ~]$ podman pull 47.52.22.186:5000/ubuntu-robin2
Trying to pull 47.52.22.186:5000/ubuntu-robin2...
Get https://47.52.22.186:5000/v2/: http: server gave HTTP response to HTTPS client
Error: error pulling image "47.52.22.186:5000/ubuntu-robin2": unable to pull 47.52.22.186:5000/ubuntu-robin2: unable to pull image: Error initializing source docker://47.52.22.186:5000/ubuntu-robin2:latest: error pinging docker registry 47.52.22.186:5000: Get https://47.52.22.186:5000/v2/: http: server gave HTTP response to HTTPS client
[javadm@instance-2 ~]$
我们可以这样对客户端开启http
[robin@instance-2 ~]$ cat /etc/containers/registries.conf
[registries.insecure]
registries = ['myregistry.local','47.52.22.186:5000']
默认情况下,这个registries=[]
4.数据管理
docker容器运行的时候,内部肯定会产生数据,默认情况下docker内部的磁盘会自动映射到宿主机的磁盘,但是我们不知道数据放在哪。我们想查看容器内的数据,一般都要登陆到容器中查看。不过,早就有人考虑到这个问题了,实现了容器内数据管理的多种方式。
4.1 数据卷
数据卷的使用,类似于linux下对目录或文件进行mount的操作。
4.1.1创建一个容器内的数据卷,不挂载宿主机目录
[javadm@aliyun-hk2 ~]$ docker run -idt -p 8080:8080 -v /webapp /home/javadm/webapp docker.io/library/nginx /bin/bash
Error: unable to pull /home/javadm/webapp: error getting default registries to try: invalid reference format
[javadm@aliyun-hk2 ~]$ docker run -idt -p 8080:8080 -v /webapp docker.io/library/nginx /bin/bash
24122d338c8bcc8e3e631778823629e7b963e25ddacf597c7017407474244472
[javadm@aliyun-hk2 ~]$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
24122d338c8b docker.io/library/nginx:latest /bin/bash 8 seconds ago Up 8 seconds ago 0.0.0.0:8080->8080/tcp nifty_heisenberg
f10c2d0d3648 docker.io/library/registry:latest /etc/docker/regis... 5 hours ago Up About an hour ago 0.0.0.0:5000->5000/tcp wonderful_keldysh
[javadm@aliyun-hk2 ~]$ docker exec -it 24122d338c8b /bin/bash
root@24122d338c8b:/# pwd
/
root@24122d338c8b:/# whoami
root
root@24122d338c8b:/# ls /webapp/
root@24122d338c8b:/#
使用-v参数创建一个docker内的数据卷。
4.1.2创建一个容器内的数据卷,挂载一个宿主机目录
[javadm@aliyun-hk2 ~]$ docker run -idt -p 8081:80 -v /home/javadm/webapp:/opt/webapp docker.io/library/nginx /bin/bash
7dee9a3bbb1414df18032fa15019b593a77789fe279969236f99c9cc6f3a91a6
[javadm@aliyun-hk2 ~]$ docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
7dee9a3bbb14 docker.io/library/nginx:latest /bin/bash 4 seconds ago Up 4 seconds ago 0.0.0.0:8081->80/tcp frosty_mirzakhani
[javadm@aliyun-hk2 ~]$ ls ./webapp/
[javadm@aliyun-hk2 ~]$ docker exec -it 7dee9a3bbb14 /bin/bash
root@7dee9a3bbb14:/# cd /opt/webapp/
root@7dee9a3bbb14:/opt/webapp# echo hello >file_at_docker_7dee9a3bbb14
root@7dee9a3bbb14:/opt/webapp# cat file_at_docker_7dee9a3bbb14
hello
root@7dee9a3bbb14:/opt/webapp# exit
exit
[javadm@aliyun-hk2 ~]$ ls ./webapp/file_at_docker_7dee9a3bbb14
./webapp/file_at_docker_7dee9a3bbb14
[javadm@aliyun-hk2 ~]$ cat ./webapp/file_at_docker_7dee9a3bbb14
hello
将宿主机/home/javadm/webapp目录映射到容器内/opt/webapp
4.2 数据卷容器
数据卷容器相当于通过单独的一个容器创建一个网路存储,然后别的docker可以直接挂载这个网络存储并且使用它。
4.2.1创建一个数据卷容器
[javadm@aliyun-hk2 webapp]$ docker run -it -v /dbdata --name dbdata ubuntu
root@3bd825b8e4f2:/# cd /dbdata/
root@3bd825b8e4f2:/dbdata# ll
total 0
drwxr-xr-x 2 root root 6 Apr 26 13:02 ./
drwxr-xr-x 2 root root 6 Apr 26 13:02 ../
root@3bd825b8e4f2:/dbdata# touch dbdata_file1
root@3bd825b8e4f2:/dbdata# touch dbdata_file2
root@3bd825b8e4f2:/dbdata# exit
exit
其实就是启动一个普通容器,并创建一个数据卷而已。
4.2.2挂载容器中的数据卷
[javadm@aliyun-hk2 webapp]$ docker run -it --volumes-from dbdata --name db1 ubuntu
root@d419826cd3ef:/# ls /dbdata/
dbdata_file1 dbdata_file2
root@d419826cd3ef:/# cat /dbdata/dbdata_file1
root@d419826cd3ef:/# cat /dbdata/dbdata_file2
root@d419826cd3ef:/# exit
exit
[javadm@aliyun-hk2 webapp]$ docker run -it --volumes-from dbdata --name db2 ubuntu
root@3002361bdf97:/# ls /dbdata/
dbdata_file1 dbdata_file2
root@3002361bdf97:/#
使用–volumes-from dbdata挂载容器dbdata中的数据卷。
对比下来我觉得数据卷使用更简单、高效,每次让数据卷挂载到宿主机目录是个不错的选择,宿主机这个目录最好选择可靠性高的存储,例如nas等。
5.网络管理
讲完了容器数据管理,再来讲讲容器的网络管理。默认情况下,容器外无法访问容器内的网络服务,所以这个时候可以通过端口映射实现外部访问。
5.1 端口映射实现容器访问
5.1.1 绑定宿主机任意端口
[javadm@aliyun-hk2 webapp]$ docker run -idt -P docker.io/library/nginx
c042bcdc21acdab92acb29c0b06c17e75bfe068457c5ab02a85e3e97d4ed530f
[javadm@aliyun-hk2 webapp]$ docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c042bcdc21ac docker.io/library/nginx:latest nginx -g daemon o... 6 seconds ago Up 6 seconds ago 0.0.0.0:41641->80/tcp wonderful_black
58a78ef4645e docker.io/library/nginx:latest nginx -g daemon o... About a minute ago Exited (0) 39 seconds ago 0.0.0.0:8080->80/tcp nginx-test1
[javadm@aliyun-hk2 webapp]$
[javadm@aliyun-hk2 webapp]$ docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c042bcdc21ac docker.io/library/nginx:latest nginx -g daemon o... 6 seconds ago Up 6 seconds ago 0.0.0.0:41641->80/tcp wonderful_black
[javadm@aliyun-hk2 webapp]$
使用-P参数会将宿主机任意5位数的端口映射到容器内的web服务端口,例如80.
5.1.2 绑定宿主机固定端口
[javadm@aliyun-hk2 webapp]$ docker run -idt -p 8081:80 docker.io/library/nginx
22812b7d5a01e3f169db27d3027029447adb8043dd76e6e08dd2fbb9f7e9d161
[javadm@aliyun-hk2 webapp]$ docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
22812b7d5a01 docker.io/library/nginx:latest nginx -g daemon o... 5 seconds ago Up 5 seconds ago 0.0.0.0:8081->80/tcp sharp_hodgkin
c042bcdc21ac docker.io/library/nginx:latest nginx -g daemon o... 5 minutes ago Up 5 minutes ago 0.0.0.0:41641->80/tcp wonderful_black
58a78ef4645e docker.io/library/nginx:latest nginx -g daemon o... 6 minutes ago Exited (0) 5 minutes ago 0.0.0.0:8080->80/tcp nginx-test1
[javadm@aliyun-hk2 webapp]$
使用-p可以将宿主机某个固定的端口映射到容器内的固定端口,默认会绑定宿主机所有接口上的地址。
5.1.3 绑定宿主机某个地址的固定端口
[javadm@aliyun-hk2 webapp]$ docker run -idt -p 127.0.0.1:8083:80 docker.io/library/nginx
4c0f11253bb8df77eea55e02c24a168915b82da90bc6cf267373b3c35005e78b
[javadm@aliyun-hk2 webapp]$ curl http://127.0.0.1:8083
Welcome to nginx!
Welcome to nginx!
If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.
For online documentation and support please refer to
nginx.org.
Commercial support is available at
nginx.com.
Thank you for using nginx.
[javadm@aliyun-hk2 webapp]$ curl http://47.52.22.186:8083
curl: (7) Failed to connect to 47.52.22.186 port 8083: Connection refused
这种情况下,只有会将宿主机固定的接口IP:port跟容器中的端口绑定。
5.1.4 绑定宿主机某个地址的任意一个端口
[javadm@aliyun-hk2 webapp]$ docker run --name nginx-test4 -idt -p 127.0.0.1::80 docker.io/library/nginx
1aea7a5e18dbf21893f8d1a1b6def15ff09ebdafdf3975b8a781669f94689a7e
[javadm@aliyun-hk2 webapp]$ docker ps -a|grep nginx-test4
1aea7a5e18db docker.io/library/nginx:latest nginx -g daemon o... 18 seconds ago Up 18 seconds ago 127.0.0.1:41365->80/tcp nginx-test4
[javadm@aliyun-hk2 webapp]$ curl http://127.0.0.1:41365
Welcome to nginx!
Welcome to nginx!
If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.
For online documentation and support please refer to
nginx.org.
Commercial support is available at
nginx.com.
Thank you for using nginx.
[javadm@aliyun-hk2 webapp]$
使用-p ip::port后宿主机会分配任意一个端口并映射到宿主机端口。
5.1.5 查询容器端口映射配置
[javadm@aliyun-hk2 webapp]$ docker port nginx-test4
80/tcp -> 127.0.0.1:41365
docker port container_name
5.2 容器间网络通信
参考:https://www.redhat.com/sysadmin/container-networking-podman
[javadm@aliyun-hk2 webapp]$ podman run --name nginx-test5 -idt -P --rm --pod new:mypod docker.io/library/nginx
965432cabe0ad4df51b7ca86af978f6fc094b5b261b5738561bf7591c5036c60
[javadm@aliyun-hk2 webapp]$ podman run --name nginx-test6 -it --rm --pod mypod docker.io/library/nginx /bin/sh
#
podman已经抛弃了link,两个容器定义到同一个pod中,就可以共享信息了。
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
0033799d538e docker.io/library/nginx:latest /bin/sh 23 seconds ago Up 23 seconds ago 0.0.0.0:41867->80/tcp nginx-test6
965432cabe0a docker.io/library/nginx:latest nginx -g daemon o... 2 minutes ago Up 2 minutes ago 0.0.0.0:41867->80/tcp nginx-test5
两个容器名字不一样,但是在一个pod。