Using Podman with Quarkus

Podman is an open-source, daemonless, rootless container engine for developing, managing, and running OCI containers on Linux, Windows, and Mac. It can be used to support the container functionality and Dev Services in Quarkus.

Installing Podman

Podman's install approach varies depending on the operating system you are using, and the required steps also change over time with the version of Podman. For Mac and Windows we highly recommend installing through the Podman Desktop graphical application. It is the simplest option with the fewest steps, it adds functionality such as automatic start, and it helps manage future updates. There is also a CLI-only option that may be used; however, that setup requires additional manual tasks to manage, update, and launch the Podman Machine environment.

The Homebrew package manager on Mac (brew) should not be used to install Podman, as it results in an unverified combination of components. This is because Homebrew shares dependencies between projects and applies limited vetting to upgrade requests. As an example, there were several instances where an update to qemu broke on Apple Silicon, preventing Podman machine VMs from booting.

On Linux, Podman is integrated as part of the operating system and installed through the system's package manager. As on Mac and Windows, Podman Desktop can also be installed to supplement the Podman CLI. However, on Linux, Podman Desktop acts as a client to the native Podman installation and does not manage the underlying Podman installation.

See https://podman-desktop.io/downloads/ for the latest version of Podman Desktop.

Additionally, if you are using Linux, see the Podman Linux installation documentation for instructions on installing Podman on your specific Linux distribution.

Docker compatibility mode

When installing Podman Desktop on Mac or Windows, it is important to enable Docker compatibility mode when prompted. This ensures the podman-mac-helper (on Mac) is set up on your behalf (normally a manual action you are prompted to do after start). The helper is necessary for supporting /var/run/docker.sock, which lives in a privileged location and therefore requires elevated privileges to create; it is what lets Docker-compatible clients that hard-code that socket path find Podman. Compatibility mode also installs support for Docker Compose.

Platform differences

While interacting with containers is mostly identical between Mac, Windows, and Linux, there are important environmental differences to be aware of. Notably, the way in which containers are executed differs, since "containers are Linux". More specifically, containers contain Linux userland binaries that depend on the Linux kernel syscall interface. As such, Linux containers cannot run natively on macOS or Windows; they instead require a virtual machine (VM) running Linux to host them. For systems that require it, Podman includes a subsystem called Podman Machine that manages this VM. Podman Desktop performs a guided interactive setup of this VM and launches it automatically on your behalf.

Rootful vs Rootless

Podman supports two modes of operation: rootful, where the container runs as root on the Linux host (or in the VM in the case of Mac/Windows), and rootless, where the container runs under a standard Unix user account. The latter offers significantly stronger security, but some containers cannot run under the increased restrictions. For example, a container that creates new devices, sets up loop-device mounts, or performs other highly restricted operations must be run as root. Note that this is not to be confused with the USER value specified in the Containerfile/Dockerfile, which refers to how processes inside the container perceive themselves. In rootless mode, processes running in a container with a USER of "root" appear to each other as root, but because of user namespaces (uid/gid mapping), they are actually running as a standard, restricted user account on the host: container uid 0 maps to your own uid, and the remaining container uids map to subordinate uids allocated to you in /etc/subuid.
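To make the uid mapping concrete, the following shell snippet is an added example (not code from the Quarkus documentation or from Podman) that interprets a /proc/self/uid_map as seen inside a rootless container. The map contents are constructed: they assume a rootless Podman run by host uid 1000 with 65536 subordinate uids starting at 100000 in /etc/subuid; on a real host you would obtain the map with `podman run --rm docker.io/library/alpine cat /proc/self/uid_map`. The rootful map shown alongside is the identity mapping a container gets when no user namespace is used.

```shell
# Added example: translate container uids to host uids using a uid_map.
# Each uid_map line is: <first uid inside container> <first uid on host> <count>

# Constructed rootless map (assumed host uid 1000, subuids 100000-165535).
UID_MAP='0 1000 1
1 100000 65536'

# Constructed rootful map: no user namespace, every uid is the same on the host.
ROOTFUL_MAP='0 0 4294967295'

# map_uid MAP CONTAINER_UID: print the host uid that a process running as
# CONTAINER_UID inside the container really has, or "unmapped" when no
# range covers it (such a uid cannot even be switched to inside the container).
map_uid() {
  printf '%s\n' "$1" | awk -v u="$2" '
    NF == 3 && u + 0 >= $1 + 0 && u + 0 < $1 + $3 {
      print $2 + (u - $1); found = 1; exit
    }
    END { if (!found) print "unmapped" }'
}

# is_host_root MAP CONTAINER_UID: "yes" only if the container uid is host uid 0.
# This is what rootful means; a rootless map never yields "yes".
is_host_root() {
  [ "$(map_uid "$1" "$2")" = "0" ] && echo yes || echo no
}

# Stand-alone demonstration: USER root in a rootless container is host uid 1000.
echo "rootless container uid 0 -> host uid $(map_uid "$UID_MAP" 0), host root: $(is_host_root "$UID_MAP" 0)"
echo "rootful  container uid 0 -> host uid $(map_uid "$ROOTFUL_MAP" 0), host root: $(is_host_root "$ROOTFUL_MAP" 0)"
```

The practical consequence is that a rootless container escaping to the host lands as your unprivileged uid (or as a subordinate uid that owns nothing outside the container's own storage), whereas a rootful escape lands as root.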

Configuring on Win & Mac

On systems that involve a Podman Machine managed VM (Mac and Windows), container clients and Podman commands communicate remotely with either a rootful or a rootless system service running inside the VM. Which one is used is determined by the rootful setting of the Podman machine. For maximal compatibility, Podman Desktop defaults to enabling rootful for new machine instances. The security impact of this is limited, since the VM itself runs as an ordinary user process on the host, so root inside the VM is not root on the host. The setting can also be changed with the podman commands below; the machine must be restarted for the change to take effect:

podman machine set --rootful=true # or false
podman machine stop
podman machine start

Configuring on Linux

On Linux systems, it is recommended to configure client access in a rootless configuration using a user systemd service.

This can be enabled with the following command, which starts the socket immediately and also enables it for your future user sessions:

systemctl --user enable podman.socket --now

Setting DOCKER_HOST on Linux

With the above rootless setup on Linux, you need to configure clients such as Quarkus and Testcontainers by setting the DOCKER_HOST environment variable to point at the user-service Podman socket. The path can be set using an expression that queries it with the podman command:

export DOCKER_HOST=unix://$(podman info --format '{{.Host.RemoteSocket.Path}}')

Other Linux settings

Short names of images

Testcontainers and Quarkus Dev Services also expect the container service they make requests against to be non-interactive. If you have multiple registries configured in your Docker or Podman configuration and you use short image names, Podman responds with a prompt asking which registry should be used to pull the image.

While we recommend avoiding short names and always using fully specified names that include the registry, Testcontainers unfortunately relies on short names internally for the time being. If you use Testcontainers, either directly or through Dev Services, you need to disable this prompt by setting Podman's short-name-mode="disabled" configuration property in /etc/containers/registries.conf (rootless Podman also honours a per-user $HOME/.config/containers/registries.conf, which takes precedence over the system-wide file when it exists). With the prompt disabled, an unqualified name is resolved by trying the configured unqualified-search-registries in order, so keep that list short and limited to registries you trust.
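The following script is an added example (not part of the Quarkus documentation or of Podman) that ties the Linux steps above together: enabling the user socket, deriving DOCKER_HOST from it, and checking that short-name-mode is disabled before a Dev Services run hangs on a registry prompt. The two registries.conf bodies are constructed for illustration, the socket path in the usage line is the usual rootless default under /run/user/<uid>, and the live podman and systemctl calls only run when those tools are installed.

```shell
# Added example: pre-flight checks for rootless Podman as a Testcontainers /
# Dev Services backend on Linux. Helper functions are pure so they can be
# exercised without Podman; the live section at the bottom is guarded.

# Constructed registries.conf contents (not copied from any real host).
CONF_OK='unqualified-search-registries = ["docker.io", "quay.io"]
short-name-mode = "disabled"'
CONF_PROMPTS='unqualified-search-registries = ["docker.io", "quay.io"]
# short-name-mode is not set here, so Podman may prompt for short names'

# short_name_mode CONF_BODY: print the configured short-name-mode, or "unset".
short_name_mode() {
  mode=$(printf '%s\n' "$1" \
    | sed -n 's/^[[:space:]]*short-name-mode[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' \
    | head -n 1)
  printf '%s\n' "${mode:-unset}"
}

# docker_host_for SOCKET_PATH: the DOCKER_HOST value Docker-API clients expect
# for a Unix socket (unix:// followed by the absolute path). Rejects relative
# paths, which clients would silently fail to connect to.
docker_host_for() {
  case "$1" in
    /*) printf 'unix://%s\n' "$1" ;;
    *)  printf 'error: socket path must be absolute: %s\n' "$1" >&2; return 1 ;;
  esac
}

# registries_conf_path: the file rootless Podman will actually read.
registries_conf_path() {
  if [ -r "$HOME/.config/containers/registries.conf" ]; then
    printf '%s\n' "$HOME/.config/containers/registries.conf"
  else
    printf '%s\n' /etc/containers/registries.conf
  fi
}

# Live section: only meaningful on a Linux host with Podman installed.
if command -v podman >/dev/null 2>&1 && command -v systemctl >/dev/null 2>&1; then
  systemctl --user enable podman.socket --now
  sock=$(podman info --format '{{.Host.RemoteSocket.Path}}')   # e.g. /run/user/1000/podman/podman.sock
  DOCKER_HOST=$(docker_host_for "$sock")
  export DOCKER_HOST
  echo "DOCKER_HOST=$DOCKER_HOST"
  conf=$(registries_conf_path)
  if [ -r "$conf" ] && [ "$(short_name_mode "$(cat "$conf")")" = "disabled" ]; then
    echo "short-name-mode is disabled in $conf"
  else
    echo "warning: short-name-mode is not disabled in $conf; Testcontainers pulls may block on a registry prompt" >&2
  fi
fi
```

Source the script (or copy the exported DOCKER_HOST into your shell profile) before running `quarkus dev` or your test suite so that Quarkus and Testcontainers pick up the rootless socket rather than probing for /var/run/docker.sock.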