A first look at podman

The newer toolchain runs containers with podman, builds images with buildah, and transfers and manages images with skopeo.
podman is a container engine that improves on docker in some respects and can replace part of its functionality. This post basically retraces the installation steps from the official site, lists a few pitfalls I ran into, and records an attempt to set up k3s with podman that failed.
The podman website is podman.io

[Figure: the podman website]

Its self-description reads:

Podman is a daemonless container engine for developing, managing, and running OCI Containers on your Linux System. Containers can either be run as root or in rootless mode. Simply put: alias docker=podman.

Compared with docker, podman has no daemon, most commands do not require root, and podman's commands are compatible with docker's.

Installation

Just follow the official installation instructions. I used ubuntu 19.04; the key steps are:

sudo apt-get update -qq
sudo apt-get install -qq -y software-properties-common uidmap
sudo add-apt-repository -y ppa:projectatomic/ppa
sudo apt-get update -qq
sudo apt-get -qq -y install podman

For other distributions, see the corresponding section.
A quick test:

$ podman -v
podman version 1.6.2
$ podman info
host:
  BuildahVersion: 1.11.3
  CgroupVersion: v1
  Conmon:
    package: 'conmon: /usr/libexec/podman/conmon'
    path: /usr/libexec/podman/conmon
    version: 'conmon version 2.0.2, commit: unknown'
  Distribution:
    distribution: ubuntu
    version: "19.04"
  IDMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  MemFree: 398770176
  MemTotal: 3991453696
  OCIRuntime:
    name: runc
    package: 'cri-o-runc: /usr/lib/cri-o-runc/sbin/runc'
    path: /usr/lib/cri-o-runc/sbin/runc
    version: 'runc version spec: 1.0.1-dev'
  SwapFree: 8190685184
  SwapTotal: 8191471616
  arch: amd64
  cpus: 4
  eventlogger: journald
  hostname: dk-Aspire-5943G
  kernel: 5.0.0-32-generic
  os: linux
  rootless: true
  slirp4netns:
    Executable: /usr/bin/slirp4netns
    Package: 'slirp4netns: /usr/bin/slirp4netns'
    Version: |-
      slirp4netns version 0.4.2
      commit: unknown
  uptime: 3h 11m 43.34s (Approximately 0.12 days)
registries:
  blocked: null
  insecure: null
  search: null
store:
  ConfigFile: /home/dk/.config/containers/storage.conf
  ContainerStore:
    number: 0
  GraphDriverName: vfs
  GraphOptions: {}
  GraphRoot: /home/dk/.local/share/containers/storage
  GraphStatus: {}
  ImageStore:
    number: 0
  RunRoot: /run/user/1000
  VolumePath: /home/dk/.local/share/containers/storage/volumes
$ podman --help
manage pods and images

Usage:
  podman [flags]
  podman [command]

Available Commands:
  attach      Attach to a running container
  build       Build an image using instructions from Containerfiles
  commit      Create new image based on the changed container
  container   Manage Containers
  cp          Copy files/folders between a container and the local filesystem
  create      Create but do not start a container
  diff        Inspect changes on container's file systems
  events      Show podman events
  exec        Run a process in a running container
  export      Export container's filesystem contents as a tar archive
  generate    Generated structured data
  healthcheck Manage Healthcheck
  help        Help about any command
  history     Show history of a specified image
  image       Manage images
  images      List images in local storage
  import      Import a tarball to create a filesystem image
  info        Display podman system information
  init        Initialize one or more containers
  inspect     Display the configuration of a container or image
  kill        Kill one or more running containers with a specific signal
  load        Load an image from container archive
  login       Login to a container registry
  logout      Logout of a container registry
  logs        Fetch the logs of a container
  mount       Mount a working container's root filesystem
  network     Manage Networks
  pause       Pause all the processes in one or more containers
  play        Play a pod
  pod         Manage pods
  port        List port mappings or a specific mapping for the container
  ps          List containers
  pull        Pull an image from a registry
  push        Push an image to a specified destination
  restart     Restart one or more containers
  rm          Remove one or more containers
  rmi         Removes one or more images from local storage
  run         Run a command in a new container
  save        Save image to an archive
  search      Search registry for image
  start       Start one or more containers
  stats       Display a live stream of container resource usage statistics
  stop        Stop one or more containers
  system      Manage podman
  tag         Add an additional name to a local image
  top         Display the running processes of a container
  umount      Unmounts working container's root filesystem
  unpause     Unpause the processes in one or more containers
  unshare     Run a command in a modified user namespace
  varlink     Run varlink interface
  version     Display the Podman Version Information
  volume      Manage volumes
  wait        Block on one or more containers

Flags:
      --cgroup-manager string     Cgroup manager is not supported in rootless mode
      --cni-config-dir string     Path of the configuration directory for CNI networks
      --config string             Path of a libpod config file detailing container server configuration options
      --conmon string             Path of the conmon binary
      --cpu-profile string        Path for the cpu profiling results
      --events-backend string     Events backend to use
      --help                      Help for podman
      --hooks-dir strings         Set the OCI hooks directory path (may be set multiple times)
      --log-level string          Log messages above specified level: debug, info, warn, error, fatal or panic (default "error")
      --namespace string          Set the libpod namespace, used to create separate views of the containers and pods on the system
      --network-cmd-path string   Path to the command for configuring the network
      --root string               Path to the root directory in which data, including images, is stored
      --runroot string            Path to the 'run directory' where all state information is stored
      --runtime string            Path to the OCI-compatible binary used to run containers, default is /usr/bin/runc
      --storage-driver string     Select which storage driver is used to manage storage of images and containers (default is overlay)
      --storage-opt stringArray   Used to pass an option to the storage driver
      --syslog                    Output logging information to syslog as well as the console
      --tmpdir string             Path to the tmp directory
      --trace                     Enable opentracing output
  -v, --version                   Version of podman

Use "podman [command] --help" for more information about a command.
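The IDMappings block in the podman info output above is the heart of rootless mode: uid 0 inside the container is backed by the unprivileged user (uid 1000) on the host, and container uids 1..65536 by the subuid range starting at 100000. The following is an added example (not from the page or the podman project) that translates IDs through exactly that mapping, constructed here as data, and runs the sanity checks a defender would want on such a map.

```python
# Added example (not from the page): translate IDs through the rootless
# uidmap that `podman info` printed above. UIDMAP is constructed here to
# mirror that IDMappings block exactly.
UIDMAP = [
    {"container_id": 0, "host_id": 1000, "size": 1},        # container root -> uid 1000 on the host
    {"container_id": 1, "host_id": 100000, "size": 65536},  # uids 1..65536 -> subuid range
]

def container_to_host(idmap, cid):
    """Host ID backing container ID `cid`, or None if the ID is unmapped."""
    for m in idmap:
        if m["container_id"] <= cid < m["container_id"] + m["size"]:
            return m["host_id"] + (cid - m["container_id"])
    return None

def host_to_container(idmap, hid):
    """Reverse lookup: the container ID that sees host ID `hid`, or None."""
    for m in idmap:
        if m["host_id"] <= hid < m["host_id"] + m["size"]:
            return m["container_id"] + (hid - m["host_id"])
    return None

def check_mapping(idmap):
    """Checks a defender wants: no range reaches host uid 0, and the host-side
    ranges do not overlap each other."""
    problems = []
    ranges = sorted((m["host_id"], m["host_id"] + m["size"]) for m in idmap)
    for start, _end in ranges:
        if start == 0:
            problems.append("range starts at host uid 0 (root)")
    for (s1, e1), (s2, e2) in zip(ranges, ranges[1:]):
        if s2 < e1:
            problems.append(f"host ranges overlap: {s1}-{e1 - 1} and {s2}-{e2 - 1}")
    return problems

if __name__ == "__main__":
    for cid in (0, 1, 1000, 70000):
        print(f"container uid {cid} -> host uid {container_to_host(UIDMAP, cid)}")
    print("mapping problems:", check_mapping(UIDMAP) or "none")
```

Container uids beyond 65536 map to nothing and show up as the overflow user (nobody) on the host, which is why files owned by such uids look unowned from outside.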

Because podman's commands are fully compatible with docker's, an alias can be set:

$ alias docker=podman
$ alias
alias docker='podman'
(omitted)

The effect is that running the docker command actually uses podman.

Configuring a registry

I did not find a registry-mirrors setting like docker's in podman; instead there are two configuration files, /etc/containers/registries.d/default.yaml and ~/.config/containers/registries.conf.
What seems to work is adding the following to the configuration:

unqualified-search-registries = ["docker.io"]

[[registry]]
prefix = "docker.io"
location = "uyah70su.mirror.aliyuncs.com"
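To see what this snippet actually does to an image name, here is an added example (not from the page or the containers project) that reads the snippet above and resolves short names the way podman does: first the unqualified-search-registries expansion, then the [[registry]] prefix-to-location rewrite. The parser handles only the TOML subset shown on the page, and the resolution rules follow the containers-registries.conf(5) semantics.

```python
# Added example (not from the page): minimal reader for the registries.conf snippet
# above and the name resolution it implies. Parses only the TOML subset shown.
import ast

REGISTRIES_CONF = """\
unqualified-search-registries = ["docker.io"]

[[registry]]
prefix = "docker.io"
location = "uyah70su.mirror.aliyuncs.com"
"""

def parse_registries_conf(text):
    conf = {"registry": []}
    current = conf
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line == "[[registry]]":
            current = {}
            conf["registry"].append(current)
        else:
            key, _, value = line.partition("=")
            current[key.strip()] = ast.literal_eval(value.strip())  # str or list
    return conf

def qualify(name, conf):
    """Prepend the first search registry; docker.io one-component names get 'library/'."""
    first = name.split("/", 1)[0]
    if "." in first or ":" in first or first == "localhost":
        return name  # already carries a registry host
    registry = conf["unqualified-search-registries"][0]
    if registry == "docker.io" and "/" not in name:
        name = "library/" + name
    return f"{registry}/{name}"

def rewrite(fq_name, conf):
    """Apply the longest matching [[registry]] prefix -> location rewrite."""
    best = None
    for entry in conf["registry"]:
        prefix = entry.get("prefix", entry["location"])
        if fq_name == prefix or fq_name.startswith(prefix + "/"):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, entry["location"])
    return fq_name if best is None else best[1] + fq_name[len(best[0]):]

def resolve(name, text=REGISTRIES_CONF):
    conf = parse_registries_conf(text)
    return rewrite(qualify(name, conf), conf)
```

Note that a [[registry]] entry with only a location (no [[registry.mirror]] table) rewrites every docker.io pull to the mirror host with no fallback to docker.io, so that host becomes part of the trust chain for image contents; the resolver makes that rewrite visible before a pull happens.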

Pitfalls

Linux version

As of 3 November 2019, installing podman on ubuntu 19.10 via apt-get install still fails, because the podman repo does not yet support ubuntu 19.10 Eoan Ermine.

Removing the alias

Use the unalias command:

$ unalias docker
$ alias
(omitted: lists all aliases; docker is no longer among them)

Building k3s with podman

It fails whether or not alias docker=podman is set. Checking the k3s log via journalctl:

11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: time="2019-11-03T21:21:46.672574217+08:00" level=info msg="Starting /v1, Kind=Node controller"
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: I1103 21:21:46.688252   17941 controller.go:606] quota admission added evaluator for: helmcharts.helm.cattle.i
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: time="2019-11-03T21:21:46.759228465+08:00" level=info msg="module br_netfilter was already loaded"
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: time="2019-11-03T21:21:46.759377842+08:00" level=info msg="module overlay was already loaded"
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: time="2019-11-03T21:21:46.759416652+08:00" level=info msg="module nf_conntrack was already loaded"
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: time="2019-11-03T21:21:46.775672300+08:00" level=info msg="Connecting to proxy" url="wss://192.168.3.4:6443/v1
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: time="2019-11-03T21:21:46.780820880+08:00" level=info msg="Handling backend connection request [dk-aspire-5943
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: time="2019-11-03T21:21:46.787235575+08:00" level=info msg="Running kubelet --address=0.0.0.0 --anonymous-auth=
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: W1103 21:21:46.796500   17941 server.go:208] WARNING: all flags other than --config, --write-config-to, and --
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: time="2019-11-03T21:21:46.804874817+08:00" level=info msg="waiting for node dk-aspire-5943g: nodes \"dk-aspire
11月 03 21:21:46 dk-Aspire-5943G systemd[1]: Started Kubernetes systemd probe.
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: I1103 21:21:46.818296   17941 server.go:406] Version: v1.16.2-k3s.1
11月 03 21:21:46 dk-Aspire-5943G systemd[1]: run-r4dcf5ad5acdb40369bbf93c377580560.scope: Succeeded.
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: E1103 21:21:46.854039   17941 node.go:124] Failed to retrieve node info: nodes "dk-aspire-5943g" not found
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: I1103 21:21:46.866160   17941 server.go:637] --cgroups-per-qos enabled, but --cgroup-root was not specified.  
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: I1103 21:21:46.866738   17941 container_manager_linux.go:272] container manager verified user specified cgroup
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: I1103 21:21:46.866765   17941 container_manager_linux.go:277] Creating Container Manager object based on Node 
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: I1103 21:21:46.866910   17941 fake_topology_manager.go:29] [fake topologymanager] NewFakeManager
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: I1103 21:21:46.866924   17941 container_manager_linux.go:312] Creating device plugin manager: true
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: I1103 21:21:46.866956   17941 fake_topology_manager.go:39] [fake topologymanager] AddHintProvider HintProvider
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: I1103 21:21:46.867011   17941 state_mem.go:36] [cpumanager] initializing new in-memory state store
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: I1103 21:21:46.867156   17941 state_mem.go:84] [cpumanager] updated default cpuset: ""
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: I1103 21:21:46.867179   17941 state_mem.go:92] [cpumanager] updated cpuset assignments: "map[]"
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: I1103 21:21:46.867200   17941 fake_topology_manager.go:39] [fake topologymanager] AddHintProvider HintProvider
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: I1103 21:21:46.867475   17941 kubelet.go:312] Watching apiserver
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: I1103 21:21:46.871762   17941 client.go:75] Connecting to docker on unix:///var/run/docker.sock
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: I1103 21:21:46.872291   17941 client.go:104] Start docker client with request timeout=2m0s
11月 03 21:21:46 dk-Aspire-5943G k3s[17941]: F1103 21:21:46.872989   17941 server.go:267] failed to run Kubelet: failed to create kubelet: failed to get do

The line Connecting to docker on unix:///var/run/docker.sock shows that k3s talks to docker through the socket, not through the docker command, so the alias never comes into play.
