23

I want to run podman as a container in order to run CI/CD pipelines. But I keep getting this error from the podman container:

$ podman info
ERRO[0000] 'overlay' is not supported over overlayfs
Error: could not get runtime: 'overlay' is not supported over overlayfs: backing file system is unsupported for this graph driver

I am using the Jenkins Kubernetes plugin to write CI/CD pipelines that run as containers in a Kubernetes cluster. I have successfully written pipelines that use a Docker-in-Docker container to run the docker build and docker push commands.

However, running the Docker client and the Docker daemon inside a container makes the CI/CD environment very bloated, hard to configure and unpleasant to use. So I thought I could use podman to build Docker images from Dockerfiles without the fat Docker daemon.

The problem is that podman is so new that I have not seen anyone try this before, and I am not enough of a podman expert to do it properly myself.

So, following the podman installation instructions for Ubuntu, I created the following Dockerfile:

FROM ubuntu:16.04

RUN apt-get update -qq \
    && apt-get install -qq -y software-properties-common uidmap \
    && add-apt-repository -y ppa:projectatomic/ppa \
    && apt-get update -qq \
    && apt-get -qq -y install podman

# To keep it running
CMD tail -f /dev/null

So I built the image and ran it as follows:

# Build
docker build -t podman:ubuntu-16.04 .

# Run
docker run --name podman -d podman:ubuntu-16.04

Then, when I run this command against the running container, I get the error:

$ docker exec -ti podman bash -c "podman info"

ERRO[0000] 'overlay' is not supported over overlayfs
Error: could not get runtime: 'overlay' is not supported over overlayfs: backing file system is unsupported for this graph driver

I installed podman on an Ubuntu 16.04 machine I have and ran the same podman info command there, and I got the expected result:

host:
  BuildahVersion: 1.8-dev
  Conmon:
    package: 'conmon: /usr/libexec/crio/conmon'
    path: /usr/libexec/crio/conmon
    version: 'conmon version , commit: '
  Distribution:
    distribution: ubuntu
    version: "16.04"
  MemFree: 2275770368
  MemTotal: 4142137344
  OCIRuntime:
    package: 'cri-o-runc: /usr/lib/cri-o-runc/sbin/runc'
    path: /usr/lib/cri-o-runc/sbin/runc
    version: 'runc version spec: 1.0.1-dev'
  SwapFree: 2146758656
  SwapTotal: 2146758656
  arch: amd64
  cpus: 2
  hostname: jumpbox-4b3620b3
  kernel: 4.4.0-141-generic
  os: linux
  rootless: false
  uptime: 222h 46m 33.48s (Approximately 9.25 days)
insecure registries:
  registries: []
registries:
  registries:
  - docker.io
store:
  ConfigFile: /etc/containers/storage.conf
  ContainerStore:
    number: 0
  GraphDriverName: overlay
  GraphOptions: null
  GraphRoot: /var/lib/containers/storage
  GraphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  ImageStore:
    number: 15
  RunRoot: /var/run/containers/storage
  VolumePath: /var/lib/containers/storage/volumes

Does anyone know how I can fix this error and get podman working from inside a container?


3 Answers

12

Your Dockerfile should also install iptables:

FROM ubuntu:16.04

RUN apt-get update -qq \
    && apt-get install -qq -y software-properties-common uidmap \
    && add-apt-repository -y ppa:projectatomic/ppa \
    && apt-get update -qq \
    && apt-get -qq -y install podman \
    && apt-get install -y iptables

# To keep it running
CMD tail -f /dev/null

Then run the command with:

docker run -ti --rm podman:test bash -c "podman --storage-driver=vfs info"

This should give you the expected response.

answered 2019-05-08T04:15:55.463
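As an added example that is not part of the original question or of this answer: the check behind the error in the question, written as a shell script. containers/storage refuses the overlay driver when the graph root itself sits on overlayfs, which is exactly where /var/lib/containers/storage ends up inside a Docker container. The script reads the filesystem type under the graph root with stat -f, picks vfs in that case (overlay otherwise), and emits a matching /etc/containers/storage.conf so that --storage-driver=vfs does not have to be repeated on every podman invocation. Assumptions: coreutils stat, and podman reading driver, graphroot and runroot from the [storage] table of storage.conf. The GRAPHROOT and RUNROOT environment variables are this example's own names.

```shell
#!/bin/sh
# Added example, not the page's own code: choose a podman storage driver the
# backing filesystem can support and print the matching storage.conf.
# Assumes coreutils `stat`; GRAPHROOT/RUNROOT are this script's own variables.

GRAPHROOT="${GRAPHROOT:-/var/lib/containers/storage}"
RUNROOT="${RUNROOT:-/var/run/containers/storage}"

# Nearest existing ancestor of a path (the graph root may not exist yet on a
# fresh image; its filesystem is whatever its first existing parent is on).
existing_ancestor() {
    p="$1"
    while [ ! -e "$p" ] && [ "$p" != "/" ]; do
        p=$(dirname "$p")
    done
    printf '%s\n' "$p"
}

# Filesystem type name as the kernel reports it: "overlayfs" inside a Docker
# container on overlay2, "ext2/ext3" on the bare Ubuntu host in the question.
detect_fstype() {
    stat -f -c %T "$(existing_ancestor "$1")"
}

# overlay needs a real filesystem underneath it; on overlayfs (or anything
# unknown) fall back to vfs, which needs no kernel feature at all.
choose_driver() {
    case "$1" in
        overlayfs)            echo vfs ;;
        ext2/ext3|xfs|btrfs)  echo overlay ;;   # xfs must be formatted with ftype=1
        *)                    echo vfs ;;       # unknown: be conservative
    esac
}

# The [storage] table podman reads from /etc/containers/storage.conf.
storage_conf() {
    printf '[storage]\ndriver = "%s"\ngraphroot = "%s"\nrunroot = "%s"\n' \
        "$1" "$GRAPHROOT" "$RUNROOT"
}

main() {
    fstype=$(detect_fstype "$GRAPHROOT")
    driver=$(choose_driver "$fstype")
    echo "# $GRAPHROOT is on $fstype -> driver=$driver" >&2
    storage_conf "$driver"
}

main "$@"
```

Run it in the CI image and redirect stdout to /etc/containers/storage.conf. vfs copies every layer in full, so builds are slower and use more disk than overlay; in exchange it works on top of overlayfs, which is why the answer above passes --storage-driver=vfs.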
2

mihai's suggestion worked for info, but as soon as I tried, for example, run --rm docker.io/library/hello-world I got the error messages:

error creating network namespace for container …: mount --make-rshared /var/run/netns failed: "operation not permitted"
failed to mount shm tmpfs "/var/lib/containers/storage/vfs-containers/…/userdata/shm": operation not permitted

I could only get around this by setting up a non-root user for the image and then running the container in privileged mode, which defeats the purpose of the exercise, since DinD can already do that:

FROM ubuntu:18.04

RUN apt-get update -qq \
    && apt-get install -qq -y software-properties-common uidmap \
    && add-apt-repository -y ppa:projectatomic/ppa \
    && apt-get update -qq \
    && apt-get -qq -y install podman \
    && apt-get install -y iptables

RUN adduser --disabled-login --gecos test test

USER test

ENTRYPOINT ["podman", "--storage-driver=vfs"]
CMD ["info"]

Used as:

docker build -t podman:test .
docker run --rm --privileged podman:test run --rm docker.io/library/hello-world
answered 2019-07-02T16:09:21.540
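As an added example, not from this answer or the thread: both "operation not permitted" messages above are failed mount(2) calls (a --make-rshared propagation change on /var/run/netns and a tmpfs mount for the container's /dev/shm), and mount(2) requires CAP_SYS_ADMIN in the caller's user namespace. The script below decodes the CapEff line of /proc/<pid>/status and reports whether that capability is present, comparing the running process against Docker's default capability set for a non-privileged container (00000000a80425fb, included as a constructed reference value). Capability bit numbers are those of <linux/capability.h>. Whether adding only CAP_SYS_ADMIN, instead of --privileged, would be enough for podman here is not something the thread establishes.

```shell
#!/bin/sh
# Added example, not the page's own code: explain the EPERM on mount(2) by
# checking the effective capability mask. Assumes Linux /proc and the bit
# numbers from <linux/capability.h>.

CAP_NET_ADMIN=12
CAP_SYS_CHROOT=18
CAP_SYS_ADMIN=21      # required by mount(2), hence by --make-rshared and tmpfs mounts

# Docker's default capability set for a container run without --privileged
# (constructed reference input; the value Docker uses by default).
DOCKER_DEFAULT_CAPS=00000000a80425fb

# Effective capability mask (hex) of a process; "0" if /proc is unavailable.
cap_mask_of() {
    f="/proc/${1:-self}/status"
    m=""
    [ -r "$f" ] && m=$(awk '/^CapEff:/ { print $2 }' "$f")
    printf '%s\n' "${m:-0}"
}

# "yes" if bit $2 is set in hex mask $1, else "no".
cap_set() {
    mask="$1"; bit="$2"
    if [ $(( (0x$mask >> $bit) & 1 )) -eq 1 ]; then echo yes; else echo no; fi
}

# One line per capability we care about for podman's mounts and networking.
explain_mask() {
    mask="$1"
    for entry in "SYS_ADMIN:$CAP_SYS_ADMIN" "NET_ADMIN:$CAP_NET_ADMIN" "SYS_CHROOT:$CAP_SYS_CHROOT"; do
        name=${entry%%:*}; bit=${entry##*:}
        printf '%-11s %s\n' "$name" "$(cap_set "$mask" "$bit")"
    done
}

# Can this process perform the mounts podman attempted in the error above?
can_mount() {
    cap_set "$(cap_mask_of self)" "$CAP_SYS_ADMIN"
}

main() {
    echo "Docker default caps ($DOCKER_DEFAULT_CAPS):"
    explain_mask "$DOCKER_DEFAULT_CAPS"
    echo "This process ($(cap_mask_of self)):"
    explain_mask "$(cap_mask_of self)"
    if [ "$(can_mount)" = yes ]; then
        echo "mount(2) allowed: CAP_SYS_ADMIN present"
    else
        echo "mount(2) will fail with EPERM: no CAP_SYS_ADMIN (the error above)"
    fi
}

main
```

Run it inside the CI container with and without --privileged to see the difference. --privileged does far more than add the one missing capability: it grants every capability, disables the default seccomp and AppArmor profiles and exposes host devices, which is why the answer above treats it as no better than DinD.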
2

I tried a more permissive configuration myself (--privileged=true), with the storage volumes mounted from the host and iptables installed in the container (i.e. sudo apt-get install iptables), and was able to run it.

$ podman run -it --rm -v /var/run/containers/storage:/var/run/containers/storage -v /var/lib/containers/storage:/var/lib/containers/storage --storage-driver=overlay --privileged=true  mine bash
root@e275668d7c36:/# apt-get install -y -qq iptables
...
root@e275668d7c36:/# podman info
host:
  BuildahVersion: 1.8-dev
  Conmon:
    package: 'conmon: /usr/libexec/crio/conmon'
    path: /usr/libexec/crio/conmon
    version: 'conmon version , commit: '
  Distribution:
    distribution: ubuntu
    version: "16.04"
  MemFree: 71659520
  MemTotal: 482099200
  OCIRuntime:
    package: 'cri-o-runc: /usr/lib/cri-o-runc/sbin/runc'
    path: /usr/lib/cri-o-runc/sbin/runc
    version: 'runc version spec: 1.0.1-dev'
  SwapFree: 0
  SwapTotal: 0
  arch: amd64
  cpus: 2
  hostname: e275668d7c36
  kernel: 4.15.0-1035-aws
  os: linux
  rootless: false
  uptime: 315h 17m 53s (Approximately 13.12 days)
insecure registries:
  registries: []
registries:
  registries: []
store:
  ConfigFile: /etc/containers/storage.conf
  ContainerStore:
    number: 2
  GraphDriverName: overlay
  GraphOptions: null
  GraphRoot: /var/lib/containers/storage
  GraphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  ImageStore:
    number: 4
  RunRoot: /var/run/containers/storage
  VolumePath: /var/lib/containers/storage/volumes

If you want to use docker, you can use the --privileged flag there as well.

Keep in mind that there are other tools dedicated to building containers, some of which do not need privileged mode:

answered 2019-05-08T04:23:46.050