Running systemd in a container

We have been following the topic of using systemd in containers for a long time. Back in 2014, our security engineer Daniel Walsh wrote the article Running systemd within a Docker Container, and a few years later another one, called Running systemd in a non-privileged container, in which he noted that the situation had not improved much. In particular, he wrote: "Unfortunately, even two years later, if you google 'Docker systemd', the first thing that comes up is that same old article of mine. So it is time to change something." We have also already discussed the conflict between the Docker and systemd developers.

In this article I will show what has changed since then and how Podman can help us with this.

There are many reasons to run systemd inside a container, such as:

  1. Multi-service containers. Many people want to move their multi-service applications out of virtual machines and into a container. It would of course be better to break such applications up into microservices, but not everyone knows how to do this yet, or simply does not have the time. So running these applications as services started by systemd from unit files makes good sense.
  2. Systemd unit files. Most applications inside containers are built from code that previously ran on virtual or physical machines. These applications come with a unit file written for them that knows how they should be started. So it is still better to start services using the supported methods than to hack together your own init script.
  3. Systemd is a process manager. It manages services (shutting them down, restarting them, or reaping zombie processes) better than any other tool.

That said, there are many reasons not to run systemd in containers. The main one is that systemd/journald takes control of the container's output, whereas tools such as Kubernetes or OpenShift expect containers to write their logs directly to stdout and stderr. So if you intend to manage containers through orchestration tools like these, you should think hard before using systemd containers. Moreover, the Docker and Moby developers have often been strongly opposed to using systemd in containers.

The arrival of Podman

We are happy to report that the situation has finally moved forward. The team responsible for container runtimes at Red Hat decided to develop its own container engine. It was named podman and offers the same command line interface (CLI) as Docker, and almost all Docker commands can be used with Podman in the same way. We often run workshops, now called Switching from Docker to Podman, and the first slide invites you to type: alias docker=podman.

Many people do exactly that.

Neither I nor Podman have anything against systemd containers. After all, systemd is the most widely used Linux init subsystem, and not allowing it to work properly in containers means ignoring the way thousands of people are used to running containers.

Podman knows what to do so that systemd works properly inside a container. It needs things like tmpfs mounted on /run and /tmp. It wants the "containerized" environment to be signalled, and it expects write permission to its part of the cgroup directory and to the /var/log/journald directory.

When you start a container whose first command is init or systemd, Podman automatically sets up the tmpfs mounts and cgroups so that systemd starts without problems. To disable this automatic mode, use the --systemd=false option. Note that Podman enables systemd mode only when it sees that it is about to run a systemd or init command.

Here is an excerpt from the man page:

man podman run
...

--systemd=true|false

Run container in systemd mode. The default is true.

If you run the systemd or init command inside the container, Podman will set up tmpfs mount points in the following directories:

/run, /run/lock, /tmp, /sys/fs/cgroup/systemd, /var/lib/journal

The default stop signal will also be SIGRTMIN+3.

All of this allows systemd to run in a locked-down container without any changes.

NOTE: systemd tries to write to the cgroup file system. By default, however, SELinux prevents containers from doing this. To allow the writes, enable the container_manage_cgroup boolean:

setsebool -P container_manage_cgroup true

Now let's look at what a Dockerfile for running systemd in a container with Podman looks like:

# cat Dockerfile

FROM fedora

RUN dnf -y install httpd; dnf clean all; systemctl enable httpd

EXPOSE 80

CMD [ "/sbin/init" ]

That's all.

Now we build the container:

# podman build -t systemd .

We tell SELinux to allow systemd to modify the cgroup configuration:

# setsebool -P container_manage_cgroup true

By the way, many people forget this step. Fortunately, it only has to be done once, and the setting survives a system reboot.

Now we start the container:

# podman run -ti -p 80:80 systemd

systemd 239 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid)

Detected virtualization container-other.

Detected architecture x86-64.

Welcome to Fedora 29 (Container Image)!

Set hostname to <1b51b684bc99>.

Failed to install release agent, ignoring: Read-only file system

File /usr/lib/systemd/system/systemd-journald.service:26 configures an IP firewall (IPAddressDeny=any), but the local system does not support BPF/cgroup based firewalling.

Proceeding WITHOUT firewalling in effect! (This warning is only shown for the first loaded unit using IP firewalling.)

[  OK ] Listening on initctl Compatibility Named Pipe.

[  OK ] Listening on Journal Socket (/dev/log).

[  OK ] Started Forward Password Requests to Wall Directory Watch.

[  OK ] Started Dispatch Password Requests to Console Directory Watch.

[  OK ] Reached target Slices.

…

[  OK ] Started The Apache HTTP Server.

That's it, the service is up and running:

$ curl localhost

<html  xml_lang="en" lang="en">

…

</html>

NOTE: Don't try this with Docker! There you still have to jump through hoops to start such containers through the daemon. (Extra settings and packages are needed for all of this to work smoothly in Docker, or it has to run in a privileged container. For details, see the article.)

Lots of good things about Podman and systemd

Podman works better than Docker with systemd unit files

If containers need to be started when the system boots, you can simply put the appropriate Podman commands into a systemd unit file, which will start the service and monitor it. Podman uses the standard fork-exec model. In other words, the container processes are children of the Podman process, so systemd can easily monitor them.

Docker uses the client-server model, and Docker CLI commands can also be placed directly in a unit file. However, once the Docker client connects to the Docker daemon, it (the client) becomes just another process relaying stdin and stdout. Systemd, in turn, knows nothing about the connection between the Docker client and the container running under the control of the Docker daemon, so in this model systemd fundamentally cannot monitor the service.
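As an added illustration of the fork-exec point above (this unit file is not from the original post, it is the kind of file the planned podman generate systemd command would produce), here is a hand-written unit that starts the systemd image built earlier at boot. The unit name, the container name web and the restart settings are assumptions; the image name, port mapping and the SIGRTMIN+3 stop signal come from the post.

```ini
# /etc/systemd/system/httpd-container.service
# Added example, not from the original post. Runs the "systemd" image built
# above; the container name "web" and the unit name are assumed.
[Unit]
Description=Apache httpd inside a systemd container managed by Podman
After=network-online.target
Wants=network-online.target

[Service]
# No "-d": podman stays in the foreground, so the container processes are
# children of the podman process (fork-exec) and systemd can watch them.
# Type=notify would instead wait for READY=1 over the passed-through
# SD_NOTIFY socket; Type=simple keeps this unit independent of that.
Type=simple
# Remove a stale container with the same name from a previous unclean stop.
ExecStartPre=-/usr/bin/podman rm -f web
ExecStart=/usr/bin/podman run --rm --name web -p 80:80 systemd
# "podman stop" sends the container's stop signal, which in systemd mode is
# SIGRTMIN+3, so the systemd running as the container's PID 1 shuts down
# cleanly instead of being killed.
ExecStop=/usr/bin/podman stop -t 10 web
Restart=on-failure
RestartSec=5s

[Install]
WantedBy=multi-user.target
```

After systemctl daemon-reload and systemctl enable --now httpd-container.service, systemctl status shows the podman process and the container's systemd and httpd processes in the unit's own cgroup, which is exactly what the client-server model of Docker cannot give you.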

Socket activation

Podman handles socket activation correctly. Because Podman uses the fork-exec model, it can pass the socket on to its child container processes. Docker cannot do this because it uses the client-server model.

The varlink service that Podman uses to talk to remote container clients is in fact socket-activated. The cockpit-podman package, written in Node.js and part of the cockpit project, lets people interact with Podman containers through a web interface. The web daemon running cockpit-podman sends messages to a varlink socket that systemd listens on. Systemd then activates the Podman program, which receives the messages and starts managing containers. Socket activation with systemd removes the need for a permanently running daemon when implementing remote APIs.

In addition, we are developing another Podman client called podman-remote, which implements the same Podman CLI but calls varlink to run containers. Podman-remote can run over SSH sessions, letting you interact securely with containers on different machines. Over time, we plan to make podman-remote support MacOS and Windows as well as Linux, so that developers on those platforms can run a Linux virtual machine with Podman varlink running and get the full experience of containers running on their local machine.

SD_NOTIFY

Systemd lets you postpone the startup of dependent services until the containerized service they need has started. Podman can pass the SD_NOTIFY socket into the containerized service so that the service can tell systemd when it is ready to work. Once again, Docker, with its client-server model, cannot do this.

Plans

We plan to add the command podman generate systemd CONTAINERID, which will generate a systemd unit file for managing the specified container. This should work in both root and rootless mode, i.e. for unprivileged containers. We have even seen a request for an OCI-compliant systemd-nspawn runtime.

Conclusion

Running systemd inside a container is an understandable need. Thanks to Podman, we finally have a container runtime that does not fight with systemd but makes it easy to use.

Source: www.habr.com
