Introduction

Docker has long been established as the standard for launching containers. Its standing grew further as Kubernetes adopted Docker as its container runtime. I assumed that standing would last, and it is still the best and finest option, but problems keep surfacing: the announced discontinuation of the Docker CE line, heavyweight features, SPOF, and so on. As a result, a range of container runtimes are emerging as alternatives. In particular, Kubernetes officially supports RKT, containerd and, the subject of today's post, CRI-O as container runtimes besides Docker, and they are threatening Docker's position.

Docker's shortcomings

1) High-level and low-level container runtime

Docker's container runtime is a complete package that includes both a high-level and a low-level container runtime. This can be seen as an advantage, but because it is built around communication between the Docker daemon (Docker server), which plays the high-level container role, and the Docker CLI (client), which plays the low-level container role, the whole stack has to be set up and used even when only one of the two is wanted, or when only a specific client function (starting containers, building Docker images, pulling and pushing images, and so on) is needed.

2) SPOF

The Docker daemon (Docker server) starts and manages multiple containers beneath it. In particular, if the Docker daemon on a Kubernetes master or worker node fails, the failure can propagate across the whole Kubernetes cluster. This makes it a textbook single point of failure.

3) Audit

The Linux kernel has a feature called Audit. With it, administrators monitor security events on the system and watch for intrusions from outside, and it does so by tracking the login UID.

The loginuid field stored in /proc/self/loginuid is part of the proc structure of every process on the system. The field can be set only once; once it is set, the kernel does not allow the process to reset it. Your own uid can be checked as follows.

[ec2-user@ip-192-168-114-198 ~]$ id
uid=1000(ec2-user) gid=1000(ec2-user) groups=1000(ec2-user),4(adm),10(wheel),190(systemd-journal)
[ec2-user@ip-192-168-114-198 ~]$ cat /proc/self/loginuid
1000
[ec2-user@ip-192-168-114-198 ~]$ sudo su - 
Last login: Tue Dec 29 14:21:36 UTC 2020 on pts/0
[root@ip-192-168-114-198 ~]# cat /proc/self/loginuid
1000
[root@ip-192-168-114-198 ~]# su - nrson
Last login: Tue Dec 29 14:21:48 UTC 2020 on pts/0
[nrson@ip-192-168-114-198 ~]$ cat /proc/self/loginuid
1000
[nrson@ip-192-168-114-198 ~]$

As shown above, logging in as ec2-user assigns uid 1000, and that uid is retained even when the account changes (ec2-user > root > nrson). Every process forked and executed from the initial login process automatically inherits the loginuid, which is how the kernel knows that the person who logged in is ec2-user; that is the basis of the monitoring.

What we want to examine now is how Docker gets in the way of this audit.

[root@ip-192-168-114-198 cri-o]# sudo docker run fedora cat /proc/self/loginuid
4294967295
[root@ip-192-168-114-198 cri-o]# sudo podman run fedora cat /proc/self/loginuid
1000
[root@ip-192-168-114-198 cri-o]#

Above, a container is started with docker and with podman respectively, and loginuid is checked in each.

Docker uses a client/server model. The docker command I ran is the Docker client tool, and it talks to the Docker daemon through a client/server operation. The Docker daemon then creates the container and relays stdin/stdout back to the Docker client tool. Podman uses the traditional fork/exec model for containers, so the container process is a child of the Podman process.

A process's default loginuid (before loginuid has been set) is 4294967295. Because the container is a child of the Docker daemon, and the Docker daemon is a child of the init system, systemd, the Docker daemon and the container are all handled with the same loginuid, which means the container falls outside the audit scope. In other words, there is no way to tell from audit.log who manages a Docker container, or who was responsible if Docker is taken down or a container is tampered with maliciously. Podman, using the traditional fork/exec model, is recorded in audit.log normally.
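The following is an added example, not code from the original post or from the Docker or Podman projects. It parses audit-style records and, optionally, live /proc loginuid values to flag processes that, like the Docker-launched container above, carry the unset loginuid 4294967295 and therefore cannot be tied back to any login session. The audit records are constructed samples; the PIDs and the `key="container-exec"` rule tag are assumptions.

```python
"""Attributability check for Linux audit data, written as an added example for this
post (not code from the original). A loginuid/auid of 4294967295 ((uid_t)-1, "unset")
marks processes that never inherited a login session, which is what the post shows
for a container spawned by the Docker daemon. Sample audit records are constructed."""

import os
import re
from typing import Dict, List

AUID_UNSET = 4294967295  # 0xffffffff: the kernel's "loginuid never set" value

# Constructed auditd-format records (illustrative values, not a real capture).
# Event 501: a podman-launched `cat`, which inherited auid=1000 from the ec2-user session.
# Events 502/503: processes under the Docker daemon, started by systemd with no login session.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1609251696.123:501): arch=c000003e syscall=59 success=yes exit=0 ppid=2011 pid=2045 auid=1000 uid=0 gid=0 euid=0 ses=4 comm="cat" exe="/usr/bin/cat" key="container-exec"
type=EXECVE msg=audit(1609251696.123:501): argc=2 a0="cat" a1="/proc/self/loginuid"
type=SYSCALL msg=audit(1609251701.456:502): arch=c000003e syscall=59 success=yes exit=0 ppid=1523 pid=2101 auid=4294967295 uid=0 gid=0 euid=0 ses=4294967295 comm="cat" exe="/usr/bin/cat" key="container-exec"
type=SYSCALL msg=audit(1609251705.789:503): arch=c000003e syscall=59 success=yes exit=0 ppid=1523 pid=2120 auid=4294967295 uid=0 gid=0 euid=0 ses=4294967295 comm="runc" exe="/usr/bin/runc" key="container-exec"
type=CWD msg=audit(1609251705.789:503): cwd="/"
"""

# key=value pairs; values are either double-quoted strings or bare tokens.
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> Dict[str, str]:
    """Split one raw audit line into a field dict, dropping the quotes around quoted values."""
    return {key: value.strip('"') for key, value in _FIELD_RE.findall(line)}


def loginuid_is_set(auid: int) -> bool:
    """True when the auid points at a real login session rather than the unset sentinel."""
    return auid != AUID_UNSET


def unattributable_execs(log_text: str) -> List[Dict[str, str]]:
    """SYSCALL records whose auid is unset: actions no login session can be held to."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or "auid" not in rec:
            continue  # EXECVE/CWD/PATH records carry no auid; only SYSCALL does
        if not loginuid_is_set(int(rec["auid"])):
            hits.append(rec)
    return hits


def summarize(log_text: str) -> Dict[str, int]:
    """Count SYSCALL records by whether they can be traced back to a logged-in user."""
    counts = {"attributable": 0, "unattributable": 0}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or "auid" not in rec:
            continue
        bucket = "attributable" if loginuid_is_set(int(rec["auid"])) else "unattributable"
        counts[bucket] += 1
    return counts


def processes_with_unset_loginuid(proc_root: str = "/proc") -> List[int]:
    """Live counterpart of the check: PIDs whose /proc/<pid>/loginuid is still unset.

    Returns an empty list when proc_root does not exist (non-Linux host or a test path),
    and skips processes that exit mid-scan or kernels without audit support."""
    pids = []
    try:
        entries = os.listdir(proc_root)
    except FileNotFoundError:
        return pids
    for name in entries:
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, name, "loginuid")) as fh:
                if not loginuid_is_set(int(fh.read().strip())):
                    pids.append(int(name))
        except (OSError, ValueError):
            continue
    return sorted(pids)


if __name__ == "__main__":
    for rec in unattributable_execs(SAMPLE_AUDIT_LOG):
        print(f"pid={rec['pid']} ppid={rec['ppid']} exe={rec['exe']} auid={rec['auid']} (unset)")
    print(summarize(SAMPLE_AUDIT_LOG))
    print("live PIDs with unset loginuid:", processes_with_unset_loginuid()[:10])
```

The live scan reads other processes' /proc/<pid>/loginuid, which generally requires root; on a non-Linux host it simply returns an empty list.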

Despite these problems, the reason Docker is still used comes down to convenience and familiarity. Having grown used to Docker over a long time, switching to CRI-O all at once is problematic. CRI-O's lower maturity is another reason: there are still inconveniences in many places, and although daemonless operation is touted as an advantage, configuration remains difficult.

However, Docker's move to paid plans is something the open-source side will have to prepare for at some point. Although it was a few years ago now, I suspect a moment comparable to the JDK going paid is coming.

From here on, let's look at how to use CRI-O, Podman, Buildah and Skopeo, the container runtime tools that have been gaining attention recently, in preparation for Docker's paid plans.


Podman: running containers

Podman can run and manage containers and container images. It supports most of the same features and command options as docker, with the difference that podman does not require docker or any other active container runtime.

1. podman install

[root@ip-192-168-114-198 ~]# sudo curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable.repo https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_7/devel:kubic:libcontainers:stable.repo
% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   359  100   359    0     0    237      0  0:00:01  0:00:01 --:--:--   237
[root@ip-192-168-114-198 ~]# sudo yum -y install yum-plugin-copr
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
devel_kubic_libcontainers_stable                                                                                                                                         | 1.3 kB  00:00:00
devel_kubic_libcontainers_stable/primary                                                                                                                                 |  12 kB  00:00:01
devel_kubic_libcontainers_stable                                                                                                                                                          36/36
1 packages excluded due to repository priority protections
Resolving Dependencies
--> Running transaction check
---> Package yum-plugin-copr.noarch 0:1.1.31-46.amzn2.0.1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================================================================================================================================
 Package                                         Arch                                   Version                                                Repository                                  Size
================================================================================================================================================================================================
Installing:
 yum-plugin-copr                                 noarch                                 1.1.31-46.amzn2.0.1                                    amzn2-core                                  32 k

Transaction Summary
================================================================================================================================================================================================
Install  1 Package

Total download size: 32 k
Installed size: 40 k
Downloading packages:
yum-plugin-copr-1.1.31-46.amzn2.0.1.noarch.rpm                                                                                                                           |  32 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : yum-plugin-copr-1.1.31-46.amzn2.0.1.noarch                                                                                                                                   1/1
  Verifying  : yum-plugin-copr-1.1.31-46.amzn2.0.1.noarch                                                                                                                                   1/1

Installed:
  yum-plugin-copr.noarch 0:1.1.31-46.amzn2.0.1

Complete!
[root@ip-192-168-114-198 ~]# sudo yum -y copr enable lsm5/container-selinux
Loaded plugins: copr, extras_suggestions, langpacks, priorities, update-motd
copr done
[root@ip-192-168-114-198 ~]# sudo yum -y install podman
Loaded plugins: copr, extras_suggestions, langpacks, priorities, update-motd
copr:copr.fedorainfracloud.org:lsm5:container-selinux                                                                                                                    | 3.3 kB  00:00:00
copr:copr.fedorainfracloud.org:lsm5:container-selinux/x86_64/primary_db                                                                                                  | 2.5 kB  00:00:00
1 packages excluded due to repository priority protections
Resolving Dependencies
--> Running transaction check
---> Package podman.x86_64 0:2.2.1-1.el7 will be installed
--> Processing Dependency: podman-plugins = 2.2.1-1.el7 for package: podman-2.2.1-1.el7.x86_64
--> Processing Dependency: slirp4netns >= 0.3.0-2 for package: podman-2.2.1-1.el7.x86_64
--> Processing Dependency: containers-common >= 2:1.2.0-9 for package: podman-2.2.1-1.el7.x86_64
--> Processing Dependency: containernetworking-plugins >= 0.8.6-1 for package: podman-2.2.1-1.el7.x86_64
--> Processing Dependency: conmon >= 2:2.0.18-1 for package: podman-2.2.1-1.el7.x86_64
--> Processing Dependency: nftables for package: podman-2.2.1-1.el7.x86_64
--> Processing Dependency: container-selinux for package: podman-2.2.1-1.el7.x86_64
--> Processing Dependency: catatonit for package: podman-2.2.1-1.el7.x86_64
--> Running transaction check
---> Package catatonit.x86_64 0:0.1.5-1.el7 will be installed
---> Package conmon.x86_64 2:2.0.21-1.el7 will be installed
---> Package container-selinux.noarch 2:2.107-3.el7 will be installed
--> Processing Dependency: policycoreutils-python for package: 2:container-selinux-2.107-3.el7.noarch
---> Package containernetworking-plugins.x86_64 0:0.9.0-1.el7 will be installed
---> Package containers-common.x86_64 2:1.2.0-15.el7 will be installed
---> Package nftables.x86_64 1:0.9.0-14.amzn2.0.1 will be installed
--> Processing Dependency: libnftnl.so.11(LIBNFTNL_11)(64bit) for package: 1:nftables-0.9.0-14.amzn2.0.1.x86_64
--> Processing Dependency: libnftnl.so.11()(64bit) for package: 1:nftables-0.9.0-14.amzn2.0.1.x86_64
---> Package podman-plugins.x86_64 0:2.2.1-1.el7 will be installed
--> Processing Dependency: dnsmasq for package: podman-plugins-2.2.1-1.el7.x86_64
---> Package slirp4netns.x86_64 0:1.1.8-1.el7 will be installed
--> Processing Dependency: libslirp.so.0(SLIRP_4.1)(64bit) for package: slirp4netns-1.1.8-1.el7.x86_64
--> Processing Dependency: libslirp.so.0(SLIRP_4.0)(64bit) for package: slirp4netns-1.1.8-1.el7.x86_64
--> Processing Dependency: libslirp.so.0()(64bit) for package: slirp4netns-1.1.8-1.el7.x86_64
--> Running transaction check
---> Package dnsmasq.x86_64 0:2.76-16.amzn2.0.1 will be installed
---> Package libnftnl.x86_64 0:1.1.5-4.amzn2 will be installed
---> Package libslirp.x86_64 0:4.3.1-2.el7 will be installed
---> Package policycoreutils-python.x86_64 0:2.5-22.amzn2 will be installed
--> Processing Dependency: setools-libs >= 3.3.8-2 for package: policycoreutils-python-2.5-22.amzn2.x86_64
--> Processing Dependency: libsemanage-python >= 2.5-9 for package: policycoreutils-python-2.5-22.amzn2.x86_64
--> Processing Dependency: audit-libs-python >= 2.1.3-4 for package: policycoreutils-python-2.5-22.amzn2.x86_64
--> Processing Dependency: python-IPy for package: policycoreutils-python-2.5-22.amzn2.x86_64
--> Processing Dependency: libselinux-python for package: policycoreutils-python-2.5-22.amzn2.x86_64
--> Processing Dependency: libqpol.so.1(VERS_1.4)(64bit) for package: policycoreutils-python-2.5-22.amzn2.x86_64
--> Processing Dependency: libqpol.so.1(VERS_1.2)(64bit) for package: policycoreutils-python-2.5-22.amzn2.x86_64
--> Processing Dependency: libapol.so.4(VERS_4.0)(64bit) for package: policycoreutils-python-2.5-22.amzn2.x86_64
--> Processing Dependency: checkpolicy for package: policycoreutils-python-2.5-22.amzn2.x86_64
--> Processing Dependency: libqpol.so.1()(64bit) for package: policycoreutils-python-2.5-22.amzn2.x86_64
--> Processing Dependency: libapol.so.4()(64bit) for package: policycoreutils-python-2.5-22.amzn2.x86_64
--> Running transaction check
---> Package audit-libs-python.x86_64 0:2.8.1-3.amzn2.1 will be installed
---> Package checkpolicy.x86_64 0:2.5-6.amzn2 will be installed
---> Package libselinux-python.x86_64 0:2.5-12.amzn2.0.2 will be installed
---> Package libsemanage-python.x86_64 0:2.5-11.amzn2 will be installed
---> Package python-IPy.noarch 0:0.75-6.amzn2.0.1 will be installed
---> Package setools-libs.x86_64 0:3.3.8-2.amzn2.0.2 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================================================================================================================================
 Package                                       Arch                     Version                                   Repository                                                               Size
================================================================================================================================================================================================
Installing:
 podman                                        x86_64                   2.2.1-1.el7                               devel_kubic_libcontainers_stable                                         21 M
Installing for dependencies:
 audit-libs-python                             x86_64                   2.8.1-3.amzn2.1                           amzn2-core                                                               79 k
 catatonit                                     x86_64                   0.1.5-1.el7                               devel_kubic_libcontainers_stable                                        326 k
 checkpolicy                                   x86_64                   2.5-6.amzn2                               amzn2-core                                                              294 k
 conmon                                        x86_64                   2:2.0.21-1.el7                            devel_kubic_libcontainers_stable                                         37 k
 container-selinux                             noarch                   2:2.107-3.el7                             copr:copr.fedorainfracloud.org:lsm5:container-selinux                    39 k
 containernetworking-plugins                   x86_64                   0.9.0-1.el7                               devel_kubic_libcontainers_stable                                         38 M
 containers-common                             x86_64                   2:1.2.0-15.el7                            devel_kubic_libcontainers_stable                                         87 k
 dnsmasq                                       x86_64                   2.76-16.amzn2.0.1                         amzn2-core                                                              278 k
 libnftnl                                      x86_64                   1.1.5-4.amzn2                             amzn2-core                                                               75 k
 libselinux-python                             x86_64                   2.5-12.amzn2.0.2                          amzn2-core                                                              237 k
 libsemanage-python                            x86_64                   2.5-11.amzn2                              amzn2-core                                                              115 k
 libslirp                                      x86_64                   4.3.1-2.el7                               devel_kubic_libcontainers_stable                                         60 k
 nftables                                      x86_64                   1:0.9.0-14.amzn2.0.1                      amzn2-core                                                              252 k
 podman-plugins                                x86_64                   2.2.1-1.el7                               devel_kubic_libcontainers_stable                                        2.4 M
 policycoreutils-python                        x86_64                   2.5-22.amzn2                              amzn2-core                                                              454 k
 python-IPy                                    noarch                   0.75-6.amzn2.0.1                          amzn2-core                                                               32 k
 setools-libs                                  x86_64                   3.3.8-2.amzn2.0.2                         amzn2-core                                                              618 k
 slirp4netns                                   x86_64                   1.1.8-1.el7                               devel_kubic_libcontainers_stable                                         47 k

Transaction Summary
================================================================================================================================================================================================
Install  1 Package (+18 Dependent packages)

Total download size: 64 M
Installed size: 159 M
Downloading packages:
(1/19): audit-libs-python-2.8.1-3.amzn2.1.x86_64.rpm                                                                                                                     |  79 kB  00:00:00
(2/19): checkpolicy-2.5-6.amzn2.x86_64.rpm                                                                                                                               | 294 kB  00:00:00
warning: /var/cache/yum/x86_64/2/copr:copr.fedorainfracloud.org:lsm5:container-selinux/packages/container-selinux-2.107-3.el7.noarch.rpm: Header V3 RSA/SHA1 Signature, key ID 2e35d101: NOKEYA
Public key for container-selinux-2.107-3.el7.noarch.rpm is not installed
(3/19): container-selinux-2.107-3.el7.noarch.rpm                                                                                                                         |  39 kB  00:00:00
warning: /var/cache/yum/x86_64/2/devel_kubic_libcontainers_stable/packages/conmon-2.0.21-1.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 75060aa4: NOKEY59 kB/s | 435 kB  00:04:12 ETA
Public key for conmon-2.0.21-1.el7.x86_64.rpm is not installed
(4/19): conmon-2.0.21-1.el7.x86_64.rpm                                                                                                                                   |  37 kB  00:00:02
(5/19): catatonit-0.1.5-1.el7.x86_64.rpm                                                                                                                                 | 326 kB  00:00:03
(6/19): dnsmasq-2.76-16.amzn2.0.1.x86_64.rpm                                                                                                                             | 278 kB  00:00:00
(7/19): libselinux-python-2.5-12.amzn2.0.2.x86_64.rpm                                                                                                                    | 237 kB  00:00:00
(8/19): libnftnl-1.1.5-4.amzn2.x86_64.rpm                                                                                                                                |  75 kB  00:00:00
(9/19): libsemanage-python-2.5-11.amzn2.x86_64.rpm                                                                                                                       | 115 kB  00:00:00
(10/19): containers-common-1.2.0-15.el7.x86_64.rpm                                                                                                                       |  87 kB  00:00:00
(11/19): nftables-0.9.0-14.amzn2.0.1.x86_64.rpm                                                                                                                          | 252 kB  00:00:00
(12/19): libslirp-4.3.1-2.el7.x86_64.rpm                                                                                                                                 |  60 kB  00:00:00
(13/19): podman-2.2.1-1.el7.x86_64.rpm                                                                                                                                   |  21 MB  00:00:04
(14/19): policycoreutils-python-2.5-22.amzn2.x86_64.rpm                                                                                                                  | 454 kB  00:00:00
(15/19): python-IPy-0.75-6.amzn2.0.1.noarch.rpm                                                                                                                          |  32 kB  00:00:00
(16/19): setools-libs-3.3.8-2.amzn2.0.2.x86_64.rpm                                                                                                                       | 618 kB  00:00:00
(17/19): podman-plugins-2.2.1-1.el7.x86_64.rpm                                                                                                                           | 2.4 MB  00:00:01
(18/19): slirp4netns-1.1.8-1.el7.x86_64.rpm                                                                                                                              |  47 kB  00:00:00
(19/19): containernetworking-plugins-0.9.0-1.el7.x86_64.rpm                                                                                                              |  38 MB  00:00:10
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                           4.9 MB/s |  64 MB  00:00:13
Retrieving key from https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_7/repodata/repomd.xml.key
Importing GPG key 0x75060AA4:
 Userid     : "devel:kubic OBS Project <devel:kubic@build.opensuse.org>"
 Fingerprint: 2472 d6d0 d2f6 6af8 7aba 8da3 4d64 3903 7506 0aa4
 From       : https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_7/repodata/repomd.xml.key
Retrieving key from https://download.copr.fedorainfracloud.org/results/lsm5/container-selinux/pubkey.gpg
Importing GPG key 0x2E35D101:
 Userid     : "lsm5_container-selinux (None) <lsm5#container-selinux@copr.fedorahosted.org>"
 Fingerprint: 2df0 be4e 8ae0 f74c 44fb 55e5 2f94 c97f 2e35 d101
 From       : https://download.copr.fedorainfracloud.org/results/lsm5/container-selinux/pubkey.gpg
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : checkpolicy-2.5-6.amzn2.x86_64                                                                                                                                              1/19
  Installing : audit-libs-python-2.8.1-3.amzn2.1.x86_64                                                                                                                                    2/19
  Installing : python-IPy-0.75-6.amzn2.0.1.noarch                                                                                                                                          3/19
  Installing : containernetworking-plugins-0.9.0-1.el7.x86_64                                                                                                                              4/19
  Installing : libslirp-4.3.1-2.el7.x86_64                                                                                                                                                 5/19
  Installing : slirp4netns-1.1.8-1.el7.x86_64                                                                                                                                              6/19
  Installing : catatonit-0.1.5-1.el7.x86_64                                                                                                                                                7/19
  Installing : 2:conmon-2.0.21-1.el7.x86_64                                                                                                                                                8/19
  Installing : setools-libs-3.3.8-2.amzn2.0.2.x86_64                                                                                                                                       9/19
  Installing : libselinux-python-2.5-12.amzn2.0.2.x86_64                                                                                                                                  10/19
  Installing : libsemanage-python-2.5-11.amzn2.x86_64                                                                                                                                     11/19
  Installing : policycoreutils-python-2.5-22.amzn2.x86_64                                                                                                                                 12/19
  Installing : 2:container-selinux-2.107-3.el7.noarch                                                                                                                                     13/19
setsebool:  SELinux is disabled.
Failed to resolve allow statement at /etc/selinux/targeted/tmp/modules/200/container/cil:1121
/usr/sbin/semodule:  Failed!
Error loading SELinux module.
/var/tmp/rpm-tmp.Q1oxhe: line 12: return: can only `return' from a function or sourced script
  Installing : dnsmasq-2.76-16.amzn2.0.1.x86_64                                                                                                                                           14/19
  Installing : 2:containers-common-1.2.0-15.el7.x86_64                                                                                                                                    15/19
  Installing : libnftnl-1.1.5-4.amzn2.x86_64                                                                                                                                              16/19
  Installing : 1:nftables-0.9.0-14.amzn2.0.1.x86_64                                                                                                                                       17/19
  Installing : podman-plugins-2.2.1-1.el7.x86_64                                                                                                                                          18/19
  Installing : podman-2.2.1-1.el7.x86_64                                                                                                                                                  19/19
  Verifying  : podman-2.2.1-1.el7.x86_64                                                                                                                                                   1/19
  Verifying  : libnftnl-1.1.5-4.amzn2.x86_64                                                                                                                                               2/19
  Verifying  : 2:containers-common-1.2.0-15.el7.x86_64                                                                                                                                     3/19
  Verifying  : dnsmasq-2.76-16.amzn2.0.1.x86_64                                                                                                                                            4/19
  Verifying  : slirp4netns-1.1.8-1.el7.x86_64                                                                                                                                              5/19
  Verifying  : libsemanage-python-2.5-11.amzn2.x86_64                                                                                                                                      6/19
  Verifying  : libselinux-python-2.5-12.amzn2.0.2.x86_64                                                                                                                                   7/19
  Verifying  : setools-libs-3.3.8-2.amzn2.0.2.x86_64                                                                                                                                       8/19
  Verifying  : 2:container-selinux-2.107-3.el7.noarch                                                                                                                                      9/19
  Verifying  : policycoreutils-python-2.5-22.amzn2.x86_64                                                                                                                                 10/19
  Verifying  : 2:conmon-2.0.21-1.el7.x86_64                                                                                                                                               11/19
  Verifying  : catatonit-0.1.5-1.el7.x86_64                                                                                                                                               12/19
  Verifying  : podman-plugins-2.2.1-1.el7.x86_64                                                                                                                                          13/19
  Verifying  : libslirp-4.3.1-2.el7.x86_64                                                                                                                                                14/19
  Verifying  : containernetworking-plugins-0.9.0-1.el7.x86_64                                                                                                                             15/19
  Verifying  : 1:nftables-0.9.0-14.amzn2.0.1.x86_64                                                                                                                                       16/19
  Verifying  : python-IPy-0.75-6.amzn2.0.1.noarch                                                                                                                                         17/19
  Verifying  : audit-libs-python-2.8.1-3.amzn2.1.x86_64                                                                                                                                   18/19
  Verifying  : checkpolicy-2.5-6.amzn2.x86_64                                                                                                                                             19/19

Installed:
  podman.x86_64 0:2.2.1-1.el7

Dependency Installed:
  audit-libs-python.x86_64 0:2.8.1-3.amzn2.1     catatonit.x86_64 0:0.1.5-1.el7                       checkpolicy.x86_64 0:2.5-6.amzn2                 conmon.x86_64 2:2.0.21-1.el7
  container-selinux.noarch 2:2.107-3.el7         containernetworking-plugins.x86_64 0:0.9.0-1.el7     containers-common.x86_64 2:1.2.0-15.el7          dnsmasq.x86_64 0:2.76-16.amzn2.0.1
  libnftnl.x86_64 0:1.1.5-4.amzn2                libselinux-python.x86_64 0:2.5-12.amzn2.0.2          libsemanage-python.x86_64 0:2.5-11.amzn2         libslirp.x86_64 0:4.3.1-2.el7
  nftables.x86_64 1:0.9.0-14.amzn2.0.1           podman-plugins.x86_64 0:2.2.1-1.el7                  policycoreutils-python.x86_64 0:2.5-22.amzn2     python-IPy.noarch 0:0.75-6.amzn2.0.1
  setools-libs.x86_64 0:3.3.8-2.amzn2.0.2        slirp4netns.x86_64 0:1.1.8-1.el7

Complete!
[root@ip-192-168-114-198 ~]#

2. help

[root@ip-192-168-114-198 ~]# podman --help
Manage pods, containers and images

Usage:
  podman [options] [command]

Available Commands:
  attach      Attach to a running container
  auto-update Auto update containers according to their auto-update policy
  build       Build an image using instructions from Containerfiles
  commit      Create new image based on the changed container
  container   Manage containers
  cp          Copy files/folders between a container and the local filesystem
  create      Create but do not start a container
  diff        Display the changes to the object's file system
  events      Show podman events
  exec        Run a process in a running container
  export      Export container's filesystem contents as a tar archive
  generate    Generate structured data based on containers and pods.
  healthcheck Manage health checks on containers
  help        Help about any command
  history     Show history of a specified image
  image       Manage images
  images      List images in local storage
  import      Import a tarball to create a filesystem image
  info        Display podman system information
  init        Initialize one or more containers
  inspect     Display the configuration of object denoted by ID
  kill        Kill one or more running containers with a specific signal
  load        Load image(s) from a tar archive
  login       Login to a container registry
  logout      Logout of a container registry
  logs        Fetch the logs of one or more containers
  manifest    Manipulate manifest lists and image indexes
  mount       Mount a working container's root filesystem
  network     Manage networks
  pause       Pause all the processes in one or more containers
  play        Play a pod and its containers from a structured file.
  pod         Manage pods
  port        List port mappings or a specific mapping for the container
  ps          List containers
  pull        Pull an image from a registry
  push        Push an image to a specified destination
  restart     Restart one or more containers
  rm          Remove one or more containers
  rmi         Removes one or more images from local storage
  run         Run a command in a new container
  save        Save image(s) to an archive
  search      Search registry for image
  start       Start one or more containers
  stats       Display a live stream of container resource usage statistics
  stop        Stop one or more containers
  system      Manage podman
  tag         Add an additional name to a local image
  top         Display the running processes of a container
  unmount     Unmounts working container's root filesystem
  unpause     Unpause the processes in one or more containers
  unshare     Run a command in a modified user namespace
  untag       Remove a name from a local image
  version     Display the Podman Version Information
  volume      Manage volumes
  wait        Block on one or more containers

Options:
      --cgroup-manager string      Cgroup manager to use ("cgroupfs"|"systemd") (default "systemd")
      --cni-config-dir string      Path of the configuration directory for CNI networks (default "/usr/libexec/cni")
      --conmon string              Path of the conmon binary
  -c, --connection string          Connection to use for remote Podman service
      --events-backend string      Events backend to use ("file"|"journald"|"none") (default "journald")
      --help                       Help for podman
      --hooks-dir strings          Set the OCI hooks directory path (may be set multiple times) (default [/usr/share/containers/oci/hooks.d])
      --identity string            path to SSH identity file, (CONTAINER_SSHKEY)
      --log-level string           Log messages above specified level (debug, info, warn, error, fatal, panic) (default "error")
      --namespace string           Set the libpod namespace, used to create separate views of the containers and pods on the system
      --network-cmd-path string    Path to the command for configuring the network
  -r, --remote                     Access remote Podman service (default false)
      --root string                Path to the root directory in which data, including images, is stored
      --runroot string             Path to the 'run directory' where all state information is stored
      --runtime string             Path to the OCI-compatible binary used to run containers, default is /usr/bin/runc
      --runtime-flag stringArray   add global flags for the container runtime
      --storage-driver string      Select which storage driver is used to manage storage of images and containers (default is overlay)
      --storage-opt stringArray    Used to pass an option to the storage driver
      --syslog                     Output logging information to syslog as well as the console (default false)
      --tmpdir string              Path to the tmp directory for libpod state content.

                                   Note: use the environment variable 'TMPDIR' to change the temporary storage location for container images, '/var/tmp'.

      --url string                 URL to access Podman service (CONTAINER_HOST) (default "unix:/run/podman/podman.sock")
  -v, --version                    version for podman
[root@ip-192-168-114-198 ~]#

3. Troubleshooting

a. invalid argument metacopy

[root@ip-192-168-114-198 ~]# podman version
Error: failed to mount overlay for metacopy check with "nodev,metacopy=on" options: invalid argument
[root@ip-192-168-114-198 ~]# 

If the podman command fails to run with the error shown above:

[root@ip-192-168-114-198 ~]# vi /etc/containers/storage.conf
[root@ip-192-168-114-198 ~]#
#mountopt = "nodev,metacopy=on"
[root@ip-192-168-114-198 ~]# 

Find the line above and comment it out.

[root@ip-192-168-114-198 ~]# podman version
Version:      2.2.1
API Version:  2.1.0
Go Version:   go1.15.5
Built:        Wed Dec  9 18:33:46 2020
OS/Arch:      linux/amd64
[root@ip-192-168-114-198 ~]#

Running the command again afterwards, as shown above, confirms that it now works normally.

b. error adding seccomp rule for syscall socket

[root@ip-192-168-114-198 ~]# podman run -itd --name fedora fedora /bin/bash
Error: OCI runtime error: container_linux.go:349: starting container process caused "error adding seccomp rule for syscall socket: requested action matches default action of filter"
[root@ip-192-168-114-198 ~]#

If podman run fails with the error shown above:

[root@ip-192-168-114-198 ~]# podman run -itd --security-opt=seccomp=unconfined --name fedora fedora /bin/bash
1a005abd9ae8f54fb3f1925d8f2d71c963d4780b0dc90deb59e673301ae888d9
[root@ip-192-168-114-198 ~]# podman ps -a
CONTAINER ID  IMAGE                                     COMMAND    CREATED        STATUS            PORTS   NAMES
1a005abd9ae8  registry.fedoraproject.org/fedora:latest  /bin/bash  7 seconds ago  Up 6 seconds ago          fedora
[root@ip-192-168-114-198 ~]#

Either run yum update to bring the package versions in line, or bypass the check by adding the --security-opt=seccomp=unconfined option, which runs that container with no seccomp syscall filter at all. yum update is recommended where possible.

4. podman cli

a. image registry locations (registries.conf.d/shortnames.conf)

[root@ip-192-168-114-198 ~]# vi /etc/containers/registries.conf.d/shortnames.conf
[aliases]
  # centos
  "centos" = "registry.centos.org/centos"
  # containers
  "skopeo" = "quay.io/skopeo/stable"
  "buildah" = "quay.io/buildah/stable"
  "podman" = "quay.io/podman/stable"
  # docker
  "alpine" = "docker.io/library/alpine"
  "docker" = "docker.io/library/docker"
  "registry" = "docker.io/library/registry"
  "hello-world" = "docker.io/library/hello-world"
  "swarm" = "docker.io/library/swarm"
  # Fedora
  "fedora-minimal" = "registry.fedoraproject.org/fedora-minimal"
  "fedora" = "registry.fedoraproject.org/fedora"
  # openSUSE
  "opensuse/tumbleweed" = "registry.opensuse.org/opensuse/tumbleweed"
  "opensuse/leap" = "registry.opensuse.org/opensuse/leap"
  "opensuse/busybox" = "registry.opensuse.org/opensuse/busybox"
  "tumbleweed" = "registry.opensuse.org/opensuse/tumbleweed"
  "leap" = "registry.opensuse.org/opensuse/leap"
  "tw-busybox" = "registry.opensuse.org/opensuse/busybox"
  # SUSE
  "suse/sle15" = "registry.suse.com/suse/sle15"
  "suse/sles12sp5" = "registry.suse.com/suse/sles12sp5"
  "suse/sles12sp4" = "registry.suse.com/suse/sles12sp4"
  "suse/sles12sp3" = "registry.suse.com/suse/sles12sp3"
  "sle15" = "registry.suse.com/suse/sle15"
  "sles12sp5" = "registry.suse.com/suse/sles12sp5"
  "sles12sp4" = "registry.suse.com/suse/sles12sp4"
  "sles12sp3" = "registry.suse.com/suse/sles12sp3"
  # Red Hat Enterprise Linux
  "rhel" = "registry.access.redhat.com/rhel"
  "rhel6" = "registry.access.redhat.com/rhel6"
  "rhel7" = "registry.access.redhat.com/rhel7"
  "ubi7" = "registry.access.redhat.com/ubi7"
  "ubi7-init" = "registry.access.redhat.com/ubi7-init"
  "ubi7-minimal" = "registry.access.redhat.com/ubi7-minimal"
  "ubi8" = "registry.access.redhat.com/ubi8"
  "ubi8-minimal" = "registry.access.redhat.com/ubi8-minimal"
  "ubi8-init" = "registry.access.redhat.com/ubi8-init"
  # Debian
  "debian" = "docker.io/library/debian"
[root@ip-192-168-114-198 ~]#
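The alias table above is what lets an unqualified name such as `fedora` reach registry.fedoraproject.org without podman guessing among search registries. As an added example (not code from the original post, and not podman's own implementation), the following Python parses that `[aliases]` table, expands short names including tags and digests, and rejects a short name with no recorded alias; the conf excerpt, `parse_aliases`, `resolve` and `unqualified_targets` are all my own simplified model of podman's short-name handling.

```python
"""Resolve short image names through a shortnames.conf alias table.

Added example, not code from the original post or from podman itself. It
parses the "[aliases]" table of a registries.conf.d/shortnames.conf file
(the "key" = "value" lines shown above), expands a short name such as
"fedora:33" to its pinned, fully qualified reference, and rejects a short
name that has no recorded alias rather than guessing a registry.
"""
import re

# Constructed excerpt of the shortnames.conf listed above.
SHORTNAMES_CONF = '''
[aliases]
  # containers
  "skopeo" = "quay.io/skopeo/stable"
  "podman" = "quay.io/podman/stable"
  # docker
  "registry" = "docker.io/library/registry"
  # Fedora
  "fedora" = "registry.fedoraproject.org/fedora"
  # openSUSE
  "opensuse/leap" = "registry.opensuse.org/opensuse/leap"
  # Red Hat Enterprise Linux
  "ubi8" = "registry.access.redhat.com/ubi8"
'''

_ALIAS_LINE = re.compile(r'^"([^"]+)"\s*=\s*"([^"]+)"$')


def parse_aliases(text):
    """Return {short_name: qualified_name} from the [aliases] table."""
    aliases = {}
    in_aliases = False
    for raw in text.splitlines():
        # Image references never contain '#', so anything after one is a comment.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_aliases = line == "[aliases]"
            continue
        if in_aliases:
            m = _ALIAS_LINE.match(line)
            if m is None:
                raise ValueError("malformed alias line: %r" % raw)
            aliases[m.group(1)] = m.group(2)
    return aliases


def is_fully_qualified(ref):
    """A reference is qualified when its first path component names a
    registry: it is 'localhost' or contains a '.' or a ':' port.
    A name with no '/' at all ("fedora:33") is always a short name."""
    if "/" not in ref:
        return False
    first = ref.split("/", 1)[0]
    return first == "localhost" or "." in first or ":" in first


def split_suffix(name):
    """Split 'name:tag' or 'name@sha256:...' into (name, suffix)."""
    if "@" in name:
        base, digest = name.split("@", 1)
        return base, "@" + digest
    if ":" in name.rsplit("/", 1)[-1]:
        base, tag = name.rsplit(":", 1)
        return base, ":" + tag
    return name, ""


def resolve(name, aliases):
    """Expand a short name via the alias table and return the qualified
    reference; raise LookupError when no alias is recorded for it."""
    if is_fully_qualified(name):
        return name
    base, suffix = split_suffix(name)
    if base not in aliases:
        raise LookupError("no short-name alias for %r; use a fully qualified name" % name)
    return aliases[base] + suffix


def unqualified_targets(aliases):
    """Alias keys whose target is itself not fully qualified (a config error)."""
    return sorted(k for k, v in aliases.items() if not is_fully_qualified(v))


if __name__ == "__main__":
    table = parse_aliases(SHORTNAMES_CONF)
    for ref in ("fedora", "fedora:33", "opensuse/leap:15.2", "quay.io/skopeo/stable"):
        print("%-24s -> %s" % (ref, resolve(ref, table)))
```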

b. image pull

[root@ip-192-168-114-198 ~]# podman pull fedora
Resolved short name "fedora" to a recorded short-name alias (origin: /etc/containers/registries.conf.d/shortnames.conf)
Trying to pull registry.fedoraproject.org/fedora:latest...
Getting image source signatures
Copying blob 8fde7942e775 done
Copying config 79fd58dc76 done
Writing manifest to image destination
Storing signatures
79fd58dc76113dac76a120f22cadecc3b2d1794b414f90ea368cf66096700053
[root@ip-192-168-114-198 ~]#

c. list images

[root@ip-192-168-114-198 ~]# podman images
REPOSITORY                         TAG     IMAGE ID      CREATED       SIZE
registry.fedoraproject.org/fedora  latest  79fd58dc7611  2 months ago  181 MB
[root@ip-192-168-114-198 ~]# 

d. list container processes

[root@ip-192-168-114-198 ~]# podman ps -a
CONTAINER ID  IMAGE                                     COMMAND    CREATED             STATUS                 PORTS   NAMES
1a005abd9ae8  registry.fedoraproject.org/fedora:latest  /bin/bash  About a minute ago  Up About a minute ago          fedora
[root@ip-192-168-114-198 ~]#

e. container run

[root@ip-192-168-114-198 ~]# podman run -itd --security-opt=seccomp=unconfined --name fedora fedora /bin/bash
1a005abd9ae8f54fb3f1925d8f2d71c963d4780b0dc90deb59e673301ae888d9
[root@ip-192-168-114-198 ~]# 

f. container stop

[root@ip-192-168-114-198 ~]# podman stop fedora
1a005abd9ae8f54fb3f1925d8f2d71c963d4780b0dc90deb59e673301ae888d9
[root@ip-192-168-114-198 ~]# 

g. container rm

[root@ip-192-168-114-198 ~]# podman rm fedora
1a005abd9ae8f54fb3f1925d8f2d71c963d4780b0dc90deb59e673301ae888d9
[root@ip-192-168-114-198 ~]# 

h. image rm

[root@ip-192-168-114-198 ~]# podman images
REPOSITORY                         TAG     IMAGE ID      CREATED       SIZE
registry.fedoraproject.org/fedora  latest  79fd58dc7611  2 months ago  181 MB
[root@ip-192-168-114-198 ~]# podman rmi 79fd58dc7611
Untagged: registry.fedoraproject.org/fedora:latest
Deleted: 79fd58dc76113dac76a120f22cadecc3b2d1794b414f90ea368cf66096700053
[root@ip-192-168-114-198 ~]#

i. podman build step

[root@ip-192-168-114-198 ~]# cat Dockerfile
FROM docker.io/ubuntu
ENTRYPOINT echo "Podman build this container."
[root@ip-192-168-114-198 ~]# podman build -t podmanbuilt .
STEP 1: FROM docker.io/ubuntu
Getting image source signatures
Copying blob 14428a6d4bcd done
Copying blob da7391352a9b [======================================] 27.2MiB / 27.2MiB
Copying blob 2c2d948710f2 done
Copying config f643c72bc2 done
Writing manifest to image destination
Storing signatures
STEP 2: ENTRYPOINT echo "Podman build this container."
STEP 3: COMMIT podmanbuilt
--> 0989a71c8de
0989a71c8dee1650bac3b95ffe836d4a9dcc17f2f0bb17c91f4d47f54827aec5
[root@ip-192-168-114-198 ~]# podman run --rm --security-opt=seccomp=unconfined podmanbuilt
Podman build this container.
[root@ip-192-168-114-198 ~]#

As shown above, you can write a Dockerfile, run podman build, and start a container process from the resulting image.

5. docker compatibility

[root@ip-192-168-114-198 ~]# podman save localhost/podmanbuilt -o podmanbuild.tar
[root@ip-192-168-114-198 ~]# docker load -i podmanbuild.tar
bacd3af13903: Loading layer [==================================================>]  75.27MB/75.27MB
9069f84dbbe9: Loading layer [==================================================>]  15.36kB/15.36kB
f6253634dc78: Loading layer [==================================================>]  3.072kB/3.072kB
Loaded image: localhost/podmanbuilt:latest
[root@ip-192-168-114-198 ~]# docker images
REPOSITORY                             TAG                 IMAGE ID            CREATED             SIZE
localhost/podmanbuilt                  latest              0989a71c8dee        2 hours ago         72.9MB
nara0617/hello-python                  latest              c6b350e97471        12 days ago         55.2MB
gcr.io/knative-samples/helloworld-go   latest              7de72db4aca7        2 years ago         781MB
[root@ip-192-168-114-198 ~]# docker run --rm localhost/podmanbuilt
Podman build this container.
[root@ip-192-168-114-198 ~]#

As shown above, an image built with podman can be migrated to docker in the order podman save > docker load > docker images > docker run, and it starts normally.

As shown above, podman accepts the same CLI commands that were used with docker. Its particular advantage is that it can build and run images on its own, without a runtime daemon such as the docker daemon.


Buildah : container builds

buildah can be used in place of docker build to build container images from Dockerfiles or from files in other formats.

1. install

[root@ip-192-168-114-198 ~]# sudo yum -y install buildah
Loaded plugins: copr, extras_suggestions, langpacks, priorities, update-motd
amzn2-core                                                                                                                                                               | 3.7 kB  00:00:00
1 packages excluded due to repository priority protections
Resolving Dependencies
--> Running transaction check
---> Package buildah.x86_64 0:1.18.0-2.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================================================================================================================================
 Package                                Arch                                  Version                                     Repository                                                       Size
================================================================================================================================================================================================
Installing:
 buildah                                x86_64                                1.18.0-2.el7                                devel_kubic_libcontainers_stable                                 13 M

Transaction Summary
================================================================================================================================================================================================
Install  1 Package

Total download size: 13 M
Installed size: 34 M
Downloading packages:
buildah-1.18.0-2.el7.x86_64.rpm                                                                                                                                          |  13 MB  00:00:07
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : buildah-1.18.0-2.el7.x86_64                                                                                                                                                  1/1
  Verifying  : buildah-1.18.0-2.el7.x86_64                                                                                                                                                  1/1

Installed:
  buildah.x86_64 0:1.18.0-2.el7

Complete!
[root@ip-192-168-114-198 ~]#

2. help

[root@ip-192-168-114-198 ~]# buildah --help
A tool that facilitates building OCI images

Usage:
  buildah [flags]
  buildah [command]

Available Commands:
  add         Add content to the container
  bud         Build an image using instructions in a Dockerfile
  commit      Create an image from a working container
  config      Update image configuration settings
  containers  List working containers and their base images
  copy        Copy content into the container
  from        Create a working container based on an image
  help        Help about any command
  images      List images in local storage
  info        Display Buildah system information
  inspect     Inspect the configuration of a container or image
  login       Login to a container registry
  logout      Logout of a container registry
  manifest    Manipulate manifest lists and image indexes
  mount       Mount a working container's root filesystem
  pull        Pull an image from the specified location
  push        Push an image to a specified destination
  rename      Rename a container
  rm          Remove one or more working containers
  rmi         Remove one or more images from local storage
  run         Run a command inside of the container
  tag         Add an additional name to a local image
  umount      Unmount the root file system of the specified working containers
  unshare     Run a command in a modified user namespace
  version     Display the Buildah version information

Flags:
  -h, --help                                 help for buildah
      --log-level string                     The log level to be used. Either "debug", "info", "warn" or "error". (default "warn")
      --registries-conf string               path to registries.conf file (not usually used)
      --registries-conf-dir string           path to registries.conf.d directory (not usually used)
      --root string                          storage root dir (default "/var/lib/containers/storage")
      --runroot string                       storage state dir (default "/var/run/containers/storage")
      --storage-driver string                storage-driver (default "overlay")
      --storage-opt strings                  storage driver option
      --userns-gid-map ctrID:hostID:length   default ctrID:hostID:length GID mapping to use
      --userns-uid-map ctrID:hostID:length   default ctrID:hostID:length UID mapping to use
  -v, --version                              version for buildah

Use "buildah [command] --help" for more information about a command.
[root@ip-192-168-114-198 ~]#

3. Troubleshooting

a. error adding seccomp rule for syscall socket: requested action matches default action of filter

[root@ip-192-168-114-198 ~]# buildah run fedora-working-container cat /etc/redhat-release
ERRO[0000] container_linux.go:349: starting container process caused "error adding seccomp rule for syscall socket: requested action matches default action of filter"
container_linux.go:349: starting container process caused "error adding seccomp rule for syscall socket: requested action matches default action of filter"
error running container: error creating container for [/usr/bin/cat /etc/redhat-release]: : exit status 1
error while running runtime: exit status 1
[root@ip-192-168-114-198 ~]#

If this problem occurs, run yum update and then retry.

[root@ip-192-168-114-198 ~]# buildah run fedora-working-container cat /etc/redhat-release
Fedora release 33 (Thirty Three)
[root@ip-192-168-114-198 ~]#

4. buildah cli

a. buildah from

[root@ip-192-168-114-198 ~]# buildah from docker://docker.io/fedora
Getting image source signatures
Copying blob ae7b613df528 done
Copying config b3048463dc done
Writing manifest to image destination
Storing signatures
fedora-working-container
[root@ip-192-168-114-198 ~]# 

b. buildah containers

[root@ip-192-168-114-198 ~]# buildah containers
CONTAINER ID  BUILDER  IMAGE ID     IMAGE NAME                       CONTAINER NAME
6ffb3cf4bd18     *     b3048463dcef docker.io/library/fedora:latest  fedora-working-container
[root@ip-192-168-114-198 ~]#

c. buildah run

[root@ip-192-168-114-198 ~]# buildah run fedora-working-container cat /etc/redhat-release
Fedora release 33 (Thirty Three)
[root@ip-192-168-114-198 ~]#

d. buildah inspect

[root@ip-192-168-114-198 ~]# buildah inspect fedora-working-container
{
    "Type": "buildah 0.0.1",
    "FromImage": "docker.io/library/fedora:latest",
    "FromImageID": "b3048463dcefbe4920ef2ae1af43171c9695e2077f315b2bc12ed0f6f67c86c7",
    "FromImageDigest": "sha256:fdf235fa167d2aa5d820fba274ec1d2edeb0534bd32d28d602a19b31bad79b80",
    "Config": "{\"architecture\":\"amd64\",\"config\":{\"Hostname\":\"\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\",\"DISTTAG=f33container\",\"FGC=f33\",\"FBR=f33\"],\"Cmd\":[\"/bin/bash\"],\"Image\":\"sha256:3b1b0c55a47e10ea93d904fc20c39d253f9e1ad770922e8fb4af93dcec6691ce\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":{\"maintainer\":\"Clement Verna \\u003ccverna@fedoraproject.org\\u003e\"}},\"container\":\"50cf73b69958473ab2f9a10d3249df073c99b7767ec7f1ff5ffd56da4f35397b\",\"container_config\":{\"Hostname\":\"50cf73b69958\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\",\"DISTTAG=f33container\",\"FGC=f33\",\"FBR=f33\"],\"Cmd\":[\"/bin/sh\",\"-c\",\"#(nop) \",\"CMD [\\\"/bin/bash\\\"]\"],\"Image\":\"sha256:3b1b0c55a47e10ea93d904fc20c39d253f9e1ad770922e8fb4af93dcec6691ce\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":{\"maintainer\":\"Clement Verna \\u003ccverna@fedoraproject.org\\u003e\"}},\"created\":\"2020-11-12T00:25:31.334712859Z\",\"docker_version\":\"19.03.12\",\"history\":[{\"created\":\"2019-01-16T21:21:55.569693599Z\",\"created_by\":\"/bin/sh -c #(nop)  LABEL maintainer=Clement Verna \\u003ccverna@fedoraproject.org\\u003e\",\"empty_layer\":true},{\"created\":\"2020-04-30T23:21:44.324893962Z\",\"created_by\":\"/bin/sh -c #(nop)  ENV DISTTAG=f33container FGC=f33 FBR=f33\",\"empty_layer\":true},{\"created\":\"2020-11-12T00:25:30.976066436Z\",\"created_by\":\"/bin/sh -c #(nop) ADD file:240dde03c4d9f0ad759f8d1291fb45ab2745b6a108c6164d746766239d3420ab in / \"},{\"created\":\"2020-11-12T00:25:31.334712859Z\",\"created_by\":\"/bin/sh -c #(nop)  CMD [\\\"/bin/bash\\\"]\",\"empty_layer\":true}],\"os\":\"linux\",\"rootfs\":{\"type\":\"layers\",\"diff_ids\":[\"sha256:ed0c36ccfcbe08498869bb435711b2657b593806792e29582fa90f43d87b2dfb\"]}}",
    "Manifest": "{\n   \"schemaVersion\": 2,\n   \"mediaType\": \"application/vnd.docker.distribution.manifest.v2+json\",\n   \"config\": {\n      \"mediaType\": \"application/vnd.docker.container.image.v1+json\",\n      \"size\": 1997,\n      \"digest\": \"sha256:b3048463dcefbe4920ef2ae1af43171c9695e2077f315b2bc12ed0f6f67c86c7\"\n   },\n   \"layers\": [\n      {\n         \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n         \"size\": 63374419,\n         \"digest\": \"sha256:ae7b613df528a37664448affa6e52ff405701cda015a2a67301423bc20226b61\"\n      }\n   ]\n}",
    "Container": "fedora-working-container",
    "ContainerID": "6ffb3cf4bd18652a1b4c9f75d550ef7a4c4385cc7617e3953d41793f3a57f13d",
    "MountPoint": "",
    "ProcessLabel": "",
    "MountLabel": "",
    "ImageAnnotations": null,
    "ImageCreatedBy": "",
    "OCIv1": {
        "created": "2020-11-12T00:25:31.334712859Z",
        "architecture": "amd64",
        "os": "linux",
        "config": {
            "Env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                "DISTTAG=f33container",
                "FGC=f33",
                "FBR=f33"
            ],
            "Cmd": [
                "/bin/bash"
            ],
            "Labels": {
                "maintainer": "Clement Verna <cverna@fedoraproject.org>"
            }
        },
        "rootfs": {
            "type": "layers",
            "diff_ids": [
                "sha256:ed0c36ccfcbe08498869bb435711b2657b593806792e29582fa90f43d87b2dfb"
            ]
        },
        "history": [
            {
                "created": "2019-01-16T21:21:55.569693599Z",
                "created_by": "/bin/sh -c #(nop)  LABEL maintainer=Clement Verna <cverna@fedoraproject.org>",
                "empty_layer": true
            },
            {
                "created": "2020-04-30T23:21:44.324893962Z",
                "created_by": "/bin/sh -c #(nop)  ENV DISTTAG=f33container FGC=f33 FBR=f33",
                "empty_layer": true
            },
            {
                "created": "2020-11-12T00:25:30.976066436Z",
                "created_by": "/bin/sh -c #(nop) ADD file:240dde03c4d9f0ad759f8d1291fb45ab2745b6a108c6164d746766239d3420ab in / "
            },
            {
                "created": "2020-11-12T00:25:31.334712859Z",
                "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/bash\"]",
                "empty_layer": true
            }
        ]
    },
    "Docker": {
        "created": "2020-11-12T00:25:31.334712859Z",
        "container": "50cf73b69958473ab2f9a10d3249df073c99b7767ec7f1ff5ffd56da4f35397b",
        "container_config": {
            "Hostname": "",
            "Domainname": "",
            "User": "",
            "AttachStdin": false,
            "AttachStdout": false,
            "AttachStderr": false,
            "Tty": false,
            "OpenStdin": false,
            "StdinOnce": false,
            "Env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                "DISTTAG=f33container",
                "FGC=f33",
                "FBR=f33"
            ],
            "Cmd": [
                "/bin/bash"
            ],
            "Image": "sha256:3b1b0c55a47e10ea93d904fc20c39d253f9e1ad770922e8fb4af93dcec6691ce",
            "Volumes": null,
            "WorkingDir": "",
            "Entrypoint": null,
            "OnBuild": [],
            "Labels": {
                "maintainer": "Clement Verna <cverna@fedoraproject.org>"
            }
        },
        "config": {
            "Hostname": "",
            "Domainname": "",
            "User": "",
            "AttachStdin": false,
            "AttachStdout": false,
            "AttachStderr": false,
            "Tty": false,
            "OpenStdin": false,
            "StdinOnce": false,
            "Env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                "DISTTAG=f33container",
                "FGC=f33",
                "FBR=f33"
            ],
            "Cmd": [
                "/bin/bash"
            ],
            "Image": "sha256:3b1b0c55a47e10ea93d904fc20c39d253f9e1ad770922e8fb4af93dcec6691ce",
            "Volumes": null,
            "WorkingDir": "",
            "Entrypoint": null,
            "OnBuild": [],
            "Labels": {
                "maintainer": "Clement Verna <cverna@fedoraproject.org>"
            }
        },
        "architecture": "amd64",
        "os": "linux",
        "rootfs": {
            "type": "layers",
            "diff_ids": [
                "sha256:ed0c36ccfcbe08498869bb435711b2657b593806792e29582fa90f43d87b2dfb"
            ]
        },
        "history": [
            {
                "created": "2019-01-16T21:21:55.569693599Z",
                "created_by": "/bin/sh -c #(nop)  LABEL maintainer=Clement Verna <cverna@fedoraproject.org>",
                "empty_layer": true
            },
            {
                "created": "2020-04-30T23:21:44.324893962Z",
                "created_by": "/bin/sh -c #(nop)  ENV DISTTAG=f33container FGC=f33 FBR=f33",
                "empty_layer": true
            },
            {
                "created": "2020-11-12T00:25:30.976066436Z",
                "created_by": "/bin/sh -c #(nop) ADD file:240dde03c4d9f0ad759f8d1291fb45ab2745b6a108c6164d746766239d3420ab in / "
            },
            {
                "created": "2020-11-12T00:25:31.334712859Z",
                "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/bash\"]",
                "empty_layer": true
            }
        ]
    },
    "DefaultMountsFilePath": "",
    "Isolation": "IsolationOCI",
    "NamespaceOptions": [
        {
            "Name": "cgroup",
            "Host": true,
            "Path": ""
        },
        {
            "Name": "ipc",
            "Host": false,
            "Path": ""
        },
        {
            "Name": "mount",
            "Host": false,
            "Path": ""
        },
        {
            "Name": "network",
            "Host": true,
            "Path": ""
        },
        {
            "Name": "pid",
            "Host": false,
            "Path": ""
        },
        {
            "Name": "user",
            "Host": true,
            "Path": ""
        },
        {
            "Name": "uts",
            "Host": false,
            "Path": ""
        }
    ],
    "Capabilities": [
        "CAP_CHOWN",
        "CAP_DAC_OVERRIDE",
        "CAP_FOWNER",
        "CAP_FSETID",
        "CAP_KILL",
        "CAP_NET_BIND_SERVICE",
        "CAP_SETFCAP",
        "CAP_SETGID",
        "CAP_SETPCAP",
        "CAP_SETUID",
        "CAP_SYS_CHROOT"
    ],
    "ConfigureNetwork": "NetworkDefault",
    "CNIPluginPath": "/usr/libexec/cni:/opt/cni/bin",
    "CNIConfigDir": "/etc/cni/net.d",
    "IDMappingOptions": {
        "HostUIDMapping": true,
        "HostGIDMapping": true,
        "UIDMap": [],
        "GIDMap": []
    },
    "History": [
        {
            "created": "2019-01-16T21:21:55.569693599Z",
            "created_by": "/bin/sh -c #(nop)  LABEL maintainer=Clement Verna <cverna@fedoraproject.org>",
            "empty_layer": true
        },
        {
            "created": "2020-04-30T23:21:44.324893962Z",
            "created_by": "/bin/sh -c #(nop)  ENV DISTTAG=f33container FGC=f33 FBR=f33",
            "empty_layer": true
        },
        {
            "created": "2020-11-12T00:25:30.976066436Z",
            "created_by": "/bin/sh -c #(nop) ADD file:240dde03c4d9f0ad759f8d1291fb45ab2745b6a108c6164d746766239d3420ab in / "
        },
        {
            "created": "2020-11-12T00:25:31.334712859Z",
            "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/bash\"]",
            "empty_layer": true
        }
    ],
    "Devices": []
}
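Two things in this post are worth checking mechanically rather than by eye: the `--security-opt=seccomp=unconfined` workaround from the podman troubleshooting section, which leaves a container with no syscall filter, and the `NamespaceOptions` and `Capabilities` blocks in the buildah inspect output above, which show that this working container shares the host's cgroup, network and user namespaces. As an added example (not code from the original post, podman or buildah), the following Python audits both kinds of inspect output; the two JSON samples are constructed excerpts whose field names follow `podman inspect <container>` and `buildah inspect <container>`, and BASELINE_CAPS is an assumed policy taken from the capability list printed above.

```python
"""Audit podman and buildah inspect output for weakened isolation.

Added example, not code from the original post. Reads the JSON that
`podman inspect <container>...` (an array) or `buildah inspect <container>`
(an object) prints and reports settings that widen the container's reach:
seccomp/AppArmor/SELinux switched off, --privileged, added capabilities,
host-shared namespaces, and capabilities beyond an assumed baseline.
"""
import json
import sys

# Constructed excerpt of `podman inspect fedora web`.
PODMAN_INSPECT = json.loads('''[
  {"Name": "fedora",
   "HostConfig": {"Privileged": false, "CapAdd": [],
                  "SecurityOpt": ["seccomp=unconfined"]}},
  {"Name": "web",
   "HostConfig": {"Privileged": false, "CapAdd": ["CAP_NET_RAW"],
                  "SecurityOpt": []}}
]''')

# Constructed excerpt of `buildah inspect fedora-working-container`,
# reduced to the fields the audit looks at (values as printed above).
BUILDAH_INSPECT = json.loads('''{
  "Container": "fedora-working-container",
  "Isolation": "IsolationOCI",
  "NamespaceOptions": [
    {"Name": "cgroup",  "Host": true,  "Path": ""},
    {"Name": "ipc",     "Host": false, "Path": ""},
    {"Name": "mount",   "Host": false, "Path": ""},
    {"Name": "network", "Host": true,  "Path": ""},
    {"Name": "pid",     "Host": false, "Path": ""},
    {"Name": "user",    "Host": true,  "Path": ""},
    {"Name": "uts",     "Host": false, "Path": ""}
  ],
  "Capabilities": ["CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FOWNER",
                   "CAP_FSETID", "CAP_KILL", "CAP_NET_BIND_SERVICE",
                   "CAP_SETFCAP", "CAP_SETGID", "CAP_SETPCAP",
                   "CAP_SETUID", "CAP_SYS_CHROOT"]
}''')

# Assumed policy baseline: the capability set buildah reported above.
BASELINE_CAPS = frozenset([
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FOWNER", "CAP_FSETID", "CAP_KILL",
    "CAP_NET_BIND_SERVICE", "CAP_SETFCAP", "CAP_SETGID", "CAP_SETPCAP",
    "CAP_SETUID", "CAP_SYS_CHROOT"])

# Security options that switch a confinement mechanism off entirely.
UNCONFINING_OPTS = ("seccomp=unconfined", "apparmor=unconfined", "label=disable")


def podman_findings(containers):
    """Map container name -> list of weaknesses from `podman inspect` output."""
    report = {}
    for c in containers:
        host = c.get("HostConfig", {})
        issues = []
        if host.get("Privileged"):
            issues.append("runs privileged")
        for opt in host.get("SecurityOpt", []):
            if opt in UNCONFINING_OPTS:
                issues.append("security option %s" % opt)
        for cap in host.get("CapAdd", []):
            issues.append("adds capability %s" % cap)
        report[c.get("Name", "?")] = issues
    return report


def buildah_findings(inspect):
    """List host-shared namespaces and non-baseline capabilities of a
    buildah working container, from `buildah inspect` output."""
    issues = []
    for ns in inspect.get("NamespaceOptions", []):
        if ns.get("Host"):
            issues.append("shares host %s namespace" % ns.get("Name"))
    for cap in sorted(set(inspect.get("Capabilities", [])) - BASELINE_CAPS):
        issues.append("capability %s is outside the baseline" % cap)
    return issues


if __name__ == "__main__":
    # Usage: podman inspect <ctr>... | python audit.py
    #        buildah inspect <ctr>   | python audit.py buildah
    data = json.load(sys.stdin)
    if sys.argv[1:] == ["buildah"]:
        for line in buildah_findings(data):
            print(line)
    else:
        for name, issues in podman_findings(data).items():
            print("%s: %s" % (name, "; ".join(issues) or "ok"))
```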

5. docker & podman compatibility

[root@ip-192-168-114-198 ~]# buildah commit fedora-working-container fedora-working-container
Getting image source signatures
Copying blob ed0c36ccfcbe skipped: already exists
Copying blob f944408e588c done
Copying config 245f01352d done
Writing manifest to image destination
Storing signatures
245f01352d01fe13ef5b13525964bfbb3934e1ca8abafc15a1ab9fc6e1544618
[root@ip-192-168-114-198 ~]# buildah images
REPOSITORY                           TAG      IMAGE ID       CREATED         SIZE
localhost/fedora-working-container   latest   245f01352d01   6 seconds ago   181 MB
localhost/podmanbuilt                latest   0989a71c8dee   2 hours ago     75.3 MB
docker.io/library/ubuntu             latest   f643c72bc252   4 weeks ago     75.3 MB
docker.io/library/fedora             latest   b3048463dcef   6 weeks ago     181 MB
[root@ip-192-168-114-198 ~]# podman run localhost/fedora-working-container:latest cat /etc/redhat-release
Fedora release 33 (Thirty Three)
[root@ip-192-168-114-198 ~]# podman save localhost/fedora-working-container -o fedora-working-container.tar
[root@ip-192-168-114-198 ~]# docker load -i fedora-working-container.tar
ed0c36ccfcbe: Loading layer [==================================================>]  181.1MB/181.1MB
f944408e588c: Loading layer [==================================================>]   2.56kB/2.56kB
Loaded image: localhost/fedora-working-container:latest
[root@ip-192-168-114-198 ~]# docker images
REPOSITORY                             TAG                 IMAGE ID            CREATED             SIZE
localhost/fedora-working-container     latest              245f01352d01        2 minutes ago       175MB
localhost/podmanbuilt                  latest              0989a71c8dee        2 hours ago         72.9MB
nara0617/hello-python                  latest              c6b350e97471        12 days ago         55.2MB
gcr.io/knative-samples/helloworld-go   latest              7de72db4aca7        2 years ago         781MB
[root@ip-192-168-114-198 ~]# docker run localhost/fedora-working-container:latest cat /etc/redhat-release
Fedora release 33 (Thirty Three)
[root@ip-192-168-114-198 ~]#

A working container created with buildah can be turned into an image with buildah commit. The resulting image can be started with podman run; migration to docker was covered in the podman part above.

buildah, podman and docker all report the same /etc/redhat-release value.

Building an image with Buildah and Podman and pushing it, handled entirely from the CLI, could look like the following.

[root@ip-192-168-114-198 ~]# podman login -u $ID -p $PW docker.io
Login Succeeded!
[root@ip-192-168-114-198 ~]# cat Dockerfile
FROM docker.io/ubuntu
ENTRYPOINT echo "Podman build this container."
[root@ip-192-168-114-198 ~]# buildah bud -t nara0617/ubuntuecho:latest .
STEP 1: FROM docker.io/ubuntu
STEP 2: ENTRYPOINT echo "Podman build this container."
STEP 3: COMMIT nara0617/ubuntuecho:latest
Getting image source signatures
Copying blob bacd3af13903 skipped: already exists
Copying blob 9069f84dbbe9 skipped: already exists
Copying blob f6253634dc78 skipped: already exists
Copying blob 5f70bf18a086 done
Copying config a65de8136d done
Writing manifest to image destination
Storing signatures
--> a65de8136db
a65de8136db3de0892196a5cfbe2d4afe6fd26daf95c78eca1a9a3f31d0c340e
[root@ip-192-168-114-198 ~]# buildah push nara0617/ubuntuecho:latest docker://nara0617/ubuntuecho:latest
Getting image source signatures
Copying blob 5f70bf18a086 done
Copying blob bacd3af13903 skipped: already exists
Copying blob 9069f84dbbe9 skipped: already exists
Copying blob f6253634dc78 skipped: already exists
Copying config a65de8136d done
Writing manifest to image destination
Storing signatures
[root@ip-192-168-114-198 ~]# podman logout docker.io
Removed login credentials for docker.io
[root@ip-192-168-114-198 ~]#

If the above is managed as a stage of a CI/CD pipeline, it could be written as follows.

stage('Images Build') {
	steps {
		script {
			// record which podman/buildah versions ran in the build log
			sh "podman version ; buildah version"
			// DOCKERHUB_ID / DOCKERHUB_PW are expected as pipeline environment variables
			sh "podman login -u $DOCKERHUB_ID -p $DOCKERHUB_PW docker.io "
			sh "buildah bud -t nara0617/ubuntuecho:latest ."
			sh "buildah push nara0617/ubuntuecho:latest docker://nara0617/ubuntuecho:latest"
			// drop the registry credentials once the push is done
			sh "podman logout docker.io"
		}
	}
}

As shown above, buildah supports image builds and is compatible with podman, sharing the same repository storage. The workflow can be: build and create the image with buildah, then manage and run it with podman.


Skopeo : Container Management

Skopeo can inspect images in container image registries, fetch images and image layers, and use signatures to create and verify images.

In general, both cloud and traditional legacy environments physically separate the development, test and production environments. Every environment should have a CI/CD process in place that manages the whole application lifecycle, from source commit to production deployment.
In that CI/CD process, once each environment reaches its goal (for example: successful source build and test coverage in development; container image start-up tests and a test release in test; production deployment and rolling updates in production), responsibility for deployment is handed over from one environment to the next.
In cloud environments, and container environments in particular, the artifact being handed over can be the container image. (In a legacy environment it might be a war file or the source code itself.) A container image is made up of layers, packaged and stored in an image registry. That registry can be a public one such as DockerHub, ECR or ACR, or a private one such as Nexus or Harbor. In multi-cloud or hybrid-cloud setups, images may also need to be shared and transferred between two or more different cloud environments.
Across all of these cases, building, storing and running images according to the OCI (Open Container Initiative) rules guarantees that an OCI-standard container image can be shared among all of these tools, whether it is built with Buildah, run on a Kubernetes cluster with CRI-O, or run with Docker.

1. install

[root@ip-192-168-114-198 ~]# sudo curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable.repo https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_7/devel:kubic:libcontainers:stable.repo
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   359  100   359    0     0    234      0  0:00:01  0:00:01 --:--:--   234
[root@ip-192-168-114-198 ~]# sudo yum -y install skopeo
Loaded plugins: copr, extras_suggestions, langpacks, priorities, update-motd
amzn2-core                                                                                                                                                               | 3.7 kB  00:00:00
devel_kubic_libcontainers_stable                                                                                                                                         | 1.3 kB  00:00:00
1 packages excluded due to repository priority protections
Resolving Dependencies
--> Running transaction check
---> Package skopeo.x86_64 2:1.2.0-15.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================================================================================================================================
 Package                              Arch                                 Version                                         Repository                                                      Size
================================================================================================================================================================================================
Installing:
 skopeo                               x86_64                               2:1.2.0-15.el7                                  devel_kubic_libcontainers_stable                                11 M

Transaction Summary
================================================================================================================================================================================================
Install  1 Package

Total download size: 11 M
Installed size: 29 M
Downloading packages:
skopeo-1.2.0-15.el7.x86_64.rpm                                                                                                                                           |  11 MB  00:00:06
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : 2:skopeo-1.2.0-15.el7.x86_64                                                                                                                                                 1/1
  Verifying  : 2:skopeo-1.2.0-15.el7.x86_64                                                                                                                                                 1/1

Installed:
  skopeo.x86_64 2:1.2.0-15.el7

Complete!
[root@ip-192-168-114-198 ~]#

2. help

[root@ip-192-168-114-198 ~]# skopeo --help
Various operations with container images and container image registries

Usage:
  skopeo [command]

Available Commands:
  copy                                          Copy an IMAGE-NAME from one location to another
  delete                                        Delete image IMAGE-NAME
  help                                          Help about any command
  inspect                                       Inspect image IMAGE-NAME
  list-tags                                     List tags in the transport/repository specified by the REPOSITORY-NAME
  login                                         Login to a container registry
  logout                                        Logout of a container registry
  manifest-digest                               Compute a manifest digest of a file
  standalone-sign                               Create a signature using local files
  standalone-verify                             Verify a signature using local files
  sync                                          Synchronize one or more images from one location to another

Flags:
      --command-timeout duration   timeout for the command execution
      --debug                      enable debug output
  -h, --help                       help for skopeo
      --insecure-policy            run the tool without any policy check
      --override-arch ARCH         use ARCH instead of the architecture of the machine for choosing images
      --override-os OS             use OS instead of the running OS for choosing images
      --override-variant VARIANT   use VARIANT instead of the running architecture variant for choosing images
      --policy string              Path to a trust policy file
      --registries.d DIR           use registry configuration files in DIR (e.g. for container signature storage)
      --tmpdir string              directory used to store temporary files
  -v, --version                    Version for Skopeo

Use "skopeo [command] --help" for more information about a command.
[root@ip-192-168-114-198 ~]#

3. skopeo cli

a. skopeo inspect

[root@ip-192-168-114-198 ~]# skopeo inspect docker://docker.io/library/mariadb
{
    "Name": "docker.io/library/mariadb",
    "Digest": "sha256:cdc553f0515a8d41264f0855120874e86761f7c69407b5cfbe49283dc195bea8",
    "RepoTags": [
        "10-bionic",
        "10-focal",
        "10-jessie",
        "10.0-jessie",
        "10.0-xenial",
        "10.0.15",
        "10.0.16",
        "10.0.17",
        "10.0.19",
        "10.0.20",
        "10.0.21",
        "10.0.22",
        "10.0.23",
        "10.0.24",
        "10.0.25",
        "10.0.26",
        "10.0.27",
        "10.0.28",
        "10.0.29",
        "10.0.30",
        "10.0.31",
        "10.0.32",
        "10.0.33",
        "10.0.34",
        "10.0.35-jessie",
        "10.0.35-xenial",
        "10.0.35",
        "10.0.36-xenial",
        "10.0.36",
        "10.0.37-xenial",
        "10.0.37",
        "10.0.38-xenial",
        "10.0.38",
        "10.0",
        "10.1-bionic",
        "10.1-jessie",
        "10.1.1",
        "10.1.10",
        "10.1.11",
        "10.1.12",
        "10.1.13",
        "10.1.14",
        "10.1.15",
        "10.1.16",
        "10.1.17",
        "10.1.18",
        "10.1.19",
        "10.1.2",
        "10.1.20",
        "10.1.21",
        "10.1.22",
        "10.1.23",
        "10.1.24",
        "10.1.25",
        "10.1.26",
        "10.1.28",
        "10.1.29",
        "10.1.3",
        "10.1.30",
        "10.1.31",
        "10.1.32",
        "10.1.33",
        "10.1.34-bionic",
        "10.1.34-jessie",
        "10.1.34",
        "10.1.35-bionic",
        "10.1.35",
        "10.1.36-bionic",
        "10.1.36",
        "10.1.37-bionic",
        "10.1.37",
        "10.1.38-bionic",
        "10.1.38",
        "10.1.39-bionic",
        "10.1.39",
        "10.1.40-bionic",
        "10.1.40",
        "10.1.41-bionic",
        "10.1.41",
        "10.1.43-bionic",
        "10.1.43",
        "10.1.44-bionic",
        "10.1.44",
        "10.1.45-bionic",
        "10.1.45",
        "10.1.46-bionic",
        "10.1.46",
        "10.1.47-bionic",
        "10.1.47",
        "10.1.48-bionic",
        "10.1.48",
        "10.1",
        "10.2-bionic",
        "10.2-jessie",
        "10.2.10",
        "10.2.11",
        "10.2.12",
        "10.2.13",
        "10.2.14",
        "10.2.15",
        "10.2.16-bionic",
        "10.2.16-jessie",
        "10.2.16",
        "10.2.17-bionic",
        "10.2.17",
        "10.2.18-bionic",
        "10.2.18",
        "10.2.19-bionic",
        "10.2.19",
        "10.2.20-bionic",
        "10.2.20",
        "10.2.21-bionic",
        "10.2.21",
        "10.2.22-bionic",
        "10.2.22",
        "10.2.23-bionic",
        "10.2.23",
        "10.2.24-bionic",
        "10.2.24",
        "10.2.25-bionic",
        "10.2.25",
        "10.2.26-bionic",
        "10.2.26",
        "10.2.27-bionic",
        "10.2.27",
        "10.2.29-bionic",
        "10.2.29",
        "10.2.30-bionic",
        "10.2.30",
        "10.2.31-bionic",
        "10.2.31",
        "10.2.32-bionic",
        "10.2.32",
        "10.2.33-bionic",
        "10.2.33",
        "10.2.34-bionic",
        "10.2.34",
        "10.2.35-bionic",
        "10.2.35",
        "10.2.36-bionic",
        "10.2.36",
        "10.2.5",
        "10.2.6",
        "10.2.7",
        "10.2.8",
        "10.2.9",
        "10.2",
        "10.3-bionic",
        "10.3-focal",
        "10.3-jessie",
        "10.3.0",
        "10.3.1",
        "10.3.10-bionic",
        "10.3.10",
        "10.3.11-bionic",
        "10.3.11",
        "10.3.12-bionic",
        "10.3.12",
        "10.3.13-bionic",
        "10.3.13",
        "10.3.14-bionic",
        "10.3.14",
        "10.3.15-bionic",
        "10.3.15",
        "10.3.16-bionic",
        "10.3.16",
        "10.3.17-bionic",
        "10.3.17",
        "10.3.18-bionic",
        "10.3.18",
        "10.3.2",
        "10.3.20-bionic",
        "10.3.20",
        "10.3.21-bionic",
        "10.3.21",
        "10.3.22-bionic",
        "10.3.22",
        "10.3.23-bionic",
        "10.3.23-focal",
        "10.3.23",
        "10.3.24-focal",
        "10.3.24",
        "10.3.25-focal",
        "10.3.25",
        "10.3.26-focal",
        "10.3.26",
        "10.3.27-focal",
        "10.3.27",
        "10.3.3",
        "10.3.4",
        "10.3.5",
        "10.3.6",
        "10.3.7",
        "10.3.8-bionic",
        "10.3.8-jessie",
        "10.3.8",
        "10.3.9-bionic",
        "10.3.9",
        "10.3",
        "10.4-bionic",
        "10.4-focal",
        "10.4.0-bionic",
        "10.4.0",
        "10.4.1-bionic",
        "10.4.1",
        "10.4.10-bionic",
        "10.4.10",
        "10.4.11-bionic",
        "10.4.11",
        "10.4.12-bionic",
        "10.4.12",
        "10.4.13-bionic",
        "10.4.13-focal",
        "10.4.13",
        "10.4.14-focal",
        "10.4.14",
        "10.4.15-focal",
        "10.4.15",
        "10.4.16-focal",
        "10.4.16",
        "10.4.17-focal",
        "10.4.17",
        "10.4.2-bionic",
        "10.4.2",
        "10.4.3-bionic",
        "10.4.3",
        "10.4.4-bionic",
        "10.4.4",
        "10.4.5-bionic",
        "10.4.5",
        "10.4.6-bionic",
        "10.4.6",
        "10.4.7-bionic",
        "10.4.7",
        "10.4.8-bionic",
        "10.4.8",
        "10.4",
        "10.5-bionic",
        "10.5-focal",
        "10.5.1-bionic",
        "10.5.1",
        "10.5.2-bionic",
        "10.5.2",
        "10.5.3-bionic",
        "10.5.3-focal",
        "10.5.3",
        "10.5.4-focal",
        "10.5.4",
        "10.5.5-focal",
        "10.5.5",
        "10.5.6-focal",
        "10.5.6",
        "10.5.7-focal",
        "10.5.7",
        "10.5.8-focal",
        "10.5.8",
        "10.5",
        "10",
        "5-trusty",
        "5-wheezy",
        "5.5-trusty",
        "5.5-wheezy",
        "5.5.40",
        "5.5.41",
        "5.5.42",
        "5.5.43",
        "5.5.44",
        "5.5.45",
        "5.5.46",
        "5.5.47",
        "5.5.48",
        "5.5.49",
        "5.5.50",
        "5.5.51",
        "5.5.52",
        "5.5.53",
        "5.5.54",
        "5.5.55",
        "5.5.56",
        "5.5.57",
        "5.5.58",
        "5.5.59",
        "5.5.60-trusty",
        "5.5.60-wheezy",
        "5.5.60",
        "5.5.61-trusty",
        "5.5.61",
        "5.5.62-trusty",
        "5.5.62",
        "5.5.63-trusty",
        "5.5.63",
        "5.5.64-trusty",
        "5.5.64",
        "5.5",
        "5",
        "beta-bionic",
        "beta",
        "bionic",
        "focal",
        "jessie",
        "latest",
        "rc-bionic",
        "rc-focal",
        "rc"
    ],
    "Created": "2020-11-25T23:18:42.200902166Z",
    "DockerVersion": "19.03.12",
    "Labels": null,
    "Architecture": "amd64",
    "Os": "linux",
    "Layers": [
        "sha256:da7391352a9bb76b292a568c066aa4c3cbae8d494e6a3c68e3c596d34f7c75f8",
        "sha256:14428a6d4bcdba49a64127900a0691fb00a3f329aced25eb77e3b65646638f8d",
        "sha256:2c2d948710f21ad82dce71743b1654b45acb5c059cf5c19da491582cef6f2601",
        "sha256:22776aa82430af24b71cc0294b9c2bddd7c9f4a0213d13967e3bccc4f1296948",
        "sha256:90e64230d63d996dc81a927a75ec71730d7bb1ece4e43d64d6f2b830dab4bc82",
        "sha256:f30861f14a103eb6617d70c0b3ddb21d08ac133ed9d4e073f16e6b17a089d539",
        "sha256:e8e9e6a3da2446ca697e0ccb0d7c44012e8573d4eb708b36f11a876657970d7b",
        "sha256:420a23f08c4147516e0f33d70c17c7f4d7a1e1ae4db8deb2a6a703f2c565483a",
        "sha256:bd73f23de4821d5ddc74bdc29ed54ccafac21587e18baf11431413d7906c4371",
        "sha256:a8690a3260b734a0e2fe29912f283112edfc4aa22a31bf7282282726e993a8cc",
        "sha256:4202ba90333a4d33b3cdeeefcac43e219ea015f484b4b92e14f865621128e237",
        "sha256:a33f860b4aa6bf9c5c6f3949001e39c976ac2eddf08295ab842bdc34114ac910"
    ],
    "Env": [
        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
        "GOSU_VERSION=1.12",
        "GPG_KEYS=177F4010FE56CA3336300305F1656F24C74CD1D8",
        "MARIADB_MAJOR=10.5",
        "MARIADB_VERSION=1:10.5.8+maria~focal"
    ]
}
[root@ip-192-168-114-198 ~]#

b. skopeo copy

[root@ip-192-168-114-198 ~]# skopeo copy docker://docker.io/library/mariadb dir:/root/mariadb
Getting image source signatures
Copying blob da7391352a9b done
Copying blob 14428a6d4bcd done
Copying blob 2c2d948710f2 done
Copying blob 22776aa82430 done
Copying blob 90e64230d63d done
Copying blob f30861f14a10 done
Copying blob e8e9e6a3da24 done
Copying blob 420a23f08c41 done
Copying blob bd73f23de482 done
Copying blob a8690a3260b7 done
Copying blob 4202ba90333a done
Copying blob a33f860b4aa6 done
Copying config 3a348a04a8 done
Writing manifest to image destination
Storing signatures
[root@ip-192-168-114-198 ~]# ls -la mariadb/
total 122700
drwxr-xr-x  2 root root     4096 Dec 29 05:48 .
dr-xr-x--- 15 root root     4096 Dec 29 05:48 ..
-rw-r--r--  1 root root      847 Dec 29 05:48 14428a6d4bcdba49a64127900a0691fb00a3f329aced25eb77e3b65646638f8d
-rw-r--r--  1 root root     1752 Dec 29 05:48 22776aa82430af24b71cc0294b9c2bddd7c9f4a0213d13967e3bccc4f1296948
-rw-r--r--  1 root root      162 Dec 29 05:48 2c2d948710f21ad82dce71743b1654b45acb5c059cf5c19da491582cef6f2601
-rw-r--r--  1 root root     9043 Dec 29 05:48 3a348a04a8159339ed3ca053ea925f854252e6a6c3df6fa82c17625d1026f18b
-rw-r--r--  1 root root 88930464 Dec 29 05:48 4202ba90333a4d33b3cdeeefcac43e219ea015f484b4b92e14f865621128e237
-rw-r--r--  1 root root  1267437 Dec 29 05:48 420a23f08c4147516e0f33d70c17c7f4d7a1e1ae4db8deb2a6a703f2c565483a
-rw-r--r--  1 root root  5488627 Dec 29 05:48 90e64230d63d996dc81a927a75ec71730d7bb1ece4e43d64d6f2b830dab4bc82
-rw-r--r--  1 root root     4919 Dec 29 05:48 a33f860b4aa6bf9c5c6f3949001e39c976ac2eddf08295ab842bdc34114ac910
-rw-r--r--  1 root root      329 Dec 29 05:48 a8690a3260b734a0e2fe29912f283112edfc4aa22a31bf7282282726e993a8cc
-rw-r--r--  1 root root     2489 Dec 29 05:48 bd73f23de4821d5ddc74bdc29ed54ccafac21587e18baf11431413d7906c4371
-rw-r--r--  1 root root 28563271 Dec 29 05:48 da7391352a9bb76b292a568c066aa4c3cbae8d494e6a3c68e3c596d34f7c75f8
-rw-r--r--  1 root root      115 Dec 29 05:48 e8e9e6a3da2446ca697e0ccb0d7c44012e8573d4eb708b36f11a876657970d7b
-rw-r--r--  1 root root  1324655 Dec 29 05:48 f30861f14a103eb6617d70c0b3ddb21d08ac133ed9d4e073f16e6b17a089d539
-rw-r--r--  1 root root     2826 Dec 29 05:48 manifest.json
-rw-r--r--  1 root root       33 Dec 29 05:48 version
[root@ip-192-168-114-198 ~]#
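As an added example (not part of the original post and not skopeo's own code), the following Python script verifies an export produced by skopeo copy ... dir:<path> like the one listed above: every config and layer descriptor in manifest.json must have a blob file named by its hex digest whose size and sha256 match, and the manifest digest is computed the same way skopeo manifest-digest manifest.json does (sha256 over the raw file). The sample export it writes is constructed in code, and write_sample_dir_image and flip_first_layer_byte are helper names introduced here.

```python
import hashlib
import json
import os
import tempfile

# Content of the `version` file skopeo writes into a dir: export (33 bytes, as in the listing above).
DIR_TRANSPORT_VERSION = b"Directory Transport Version: 1.1\n"


def sha256_of_bytes(data):
    return "sha256:" + hashlib.sha256(data).hexdigest()


def sha256_of_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return "sha256:" + h.hexdigest()


def manifest_digest(image_dir):
    """Digest of the raw manifest bytes: the value `skopeo manifest-digest manifest.json` prints."""
    return sha256_of_file(os.path.join(image_dir, "manifest.json"))


def verify_dir_image(image_dir):
    """Check a `skopeo copy ... dir:<path>` export.

    For each config/layer descriptor in manifest.json there must be a blob file named by the
    hex part of its digest, and that file's size and sha256 must match the descriptor.
    Returns (ok, list of problem strings); an empty list means every blob matched.
    """
    problems = []
    with open(os.path.join(image_dir, "manifest.json"), "rb") as f:
        manifest = json.loads(f.read())
    for desc in [manifest["config"]] + manifest.get("layers", []):
        digest = desc["digest"]
        algo, _, hexpart = digest.partition(":")
        if algo != "sha256" or len(hexpart) != 64:
            problems.append("%s: unsupported or malformed digest" % digest)
            continue
        blob = os.path.join(image_dir, hexpart)
        if not os.path.isfile(blob):
            problems.append("%s: blob file missing" % digest)
            continue
        size = os.path.getsize(blob)
        if "size" in desc and desc["size"] != size:
            problems.append("%s: size %d != manifest size %d" % (digest, size, desc["size"]))
        actual = sha256_of_file(blob)
        if actual != digest:
            problems.append("%s: content hashes to %s" % (digest, actual))
    return (not problems, problems)


def write_sample_dir_image(root=None):
    """Constructed sample export (not a real image): one config blob and two layer blobs,
    laid out the way skopeo's dir: transport lays them out. Returns the directory path."""
    image_dir = root or tempfile.mkdtemp(prefix="dir-image-")
    config = b'{"architecture":"amd64","os":"linux","config":{"Cmd":["/bin/sh"]}}'
    layers = [b"layer-one-tar-gz-bytes (constructed)", b"layer-two-tar-gz-bytes (constructed)"]
    blobs = [("application/vnd.docker.container.image.v1+json", config)]
    blobs += [("application/vnd.docker.image.rootfs.diff.tar.gzip", layer) for layer in layers]
    descriptors = []
    for media_type, data in blobs:
        digest = sha256_of_bytes(data)
        with open(os.path.join(image_dir, digest.split(":")[1]), "wb") as f:
            f.write(data)
        descriptors.append({"mediaType": media_type, "size": len(data), "digest": digest})
    manifest = {
        "schemaVersion": 2,
        "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
        "config": descriptors[0],
        "layers": descriptors[1:],
    }
    with open(os.path.join(image_dir, "manifest.json"), "wb") as f:
        f.write(json.dumps(manifest, indent=4).encode())
    with open(os.path.join(image_dir, "version"), "wb") as f:
        f.write(DIR_TRANSPORT_VERSION)
    return image_dir


def flip_first_layer_byte(image_dir):
    """Simulate silent corruption: change one byte of the first layer blob, keeping its size.
    Returns the hex digest (file name) of the blob that was altered."""
    with open(os.path.join(image_dir, "manifest.json"), "rb") as f:
        first = json.loads(f.read())["layers"][0]["digest"].split(":")[1]
    path = os.path.join(image_dir, first)
    with open(path, "rb") as f:
        data = bytearray(f.read())
    data[0] ^= 0xFF
    with open(path, "wb") as f:
        f.write(bytes(data))
    return first


if __name__ == "__main__":
    d = write_sample_dir_image()
    print("manifest digest:", manifest_digest(d))
    print("intact export:", verify_dir_image(d))
    flip_first_layer_byte(d)
    print("after corruption:", verify_dir_image(d))
```

Pointing verify_dir_image at the /root/mariadb directory from the session above runs the same check against a real export.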

c. skopeo layers

[root@ip-192-168-114-198 ~]# skopeo layers docker://docker.io/library/mariadb
DEPRECATED: skopeo layers is deprecated in favor of skopeo copy
[root@ip-192-168-114-198 ~]# ls -la layers-069532309/
total 122700
drwx------  2 root root     4096 Dec 29 05:51 .
dr-xr-x--- 16 root root     4096 Dec 29 05:50 ..
-rw-r--r--  1 root root      847 Dec 29 05:50 14428a6d4bcdba49a64127900a0691fb00a3f329aced25eb77e3b65646638f8d
-rw-r--r--  1 root root     1752 Dec 29 05:51 22776aa82430af24b71cc0294b9c2bddd7c9f4a0213d13967e3bccc4f1296948
-rw-r--r--  1 root root      162 Dec 29 05:50 2c2d948710f21ad82dce71743b1654b45acb5c059cf5c19da491582cef6f2601
-rw-r--r--  1 root root     9043 Dec 29 05:51 3a348a04a8159339ed3ca053ea925f854252e6a6c3df6fa82c17625d1026f18b
-rw-r--r--  1 root root 88930464 Dec 29 05:51 4202ba90333a4d33b3cdeeefcac43e219ea015f484b4b92e14f865621128e237
-rw-r--r--  1 root root  1267437 Dec 29 05:51 420a23f08c4147516e0f33d70c17c7f4d7a1e1ae4db8deb2a6a703f2c565483a
-rw-r--r--  1 root root  5488627 Dec 29 05:51 90e64230d63d996dc81a927a75ec71730d7bb1ece4e43d64d6f2b830dab4bc82
-rw-r--r--  1 root root     4919 Dec 29 05:51 a33f860b4aa6bf9c5c6f3949001e39c976ac2eddf08295ab842bdc34114ac910
-rw-r--r--  1 root root      329 Dec 29 05:51 a8690a3260b734a0e2fe29912f283112edfc4aa22a31bf7282282726e993a8cc
-rw-r--r--  1 root root     2489 Dec 29 05:51 bd73f23de4821d5ddc74bdc29ed54ccafac21587e18baf11431413d7906c4371
-rw-r--r--  1 root root 28563271 Dec 29 05:50 da7391352a9bb76b292a568c066aa4c3cbae8d494e6a3c68e3c596d34f7c75f8
-rw-r--r--  1 root root      115 Dec 29 05:51 e8e9e6a3da2446ca697e0ccb0d7c44012e8573d4eb708b36f11a876657970d7b
-rw-r--r--  1 root root  1324655 Dec 29 05:51 f30861f14a103eb6617d70c0b3ddb21d08ac133ed9d4e073f16e6b17a089d539
-rw-r--r--  1 root root      765 Dec 29 05:51 manifest.json
-rw-r--r--  1 root root       33 Dec 29 05:50 version
[root@ip-192-168-114-198 ~]#

4. Usage

Skopeo is useful when inspecting and transferring images. It inspects container images in any location that can hold OCI images, and it can also copy a container image from one location to another.

The central command, skopeo copy, can be used as follows.

[root@ip-192-168-114-198 ~]# skopeo copy --help
Container "IMAGE-NAME" uses a "transport":"details" format.

Supported transports:
containers-storage, dir, docker, docker-archive, docker-daemon, oci, oci-archive, ostree, tarball

See skopeo(1) section "IMAGE NAMES" for the expected format

Usage:
skopeo copy [command options] SOURCE-IMAGE DESTINATION-IMAGE

Examples:
skopeo copy docker://quay.io/skopeo/stable:latest docker://registry.example.com/skopeo:latest

Flags:
      --additional-tag strings                additional tags (supports docker-archive)
  -a, --all                                   Copy all images if SOURCE-IMAGE is a list
      --authfile string                       path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json
      --decryption-key strings                *Experimental* key needed to decrypt the image
      --dest-authfile string                  path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json
      --dest-cert-dir PATH                    use certificates at PATH (*.crt, *.cert, *.key) to connect to the registry or daemon
      --dest-compress                         Compress tarball image layers when saving to directory using the 'dir' transport. (default is same compression type as source)
      --dest-compress-format FORMAT           FORMAT to use for the compression
      --dest-compress-level LEVEL             LEVEL to use for the compression
      --dest-creds USERNAME[:PASSWORD]        Use USERNAME[:PASSWORD] for accessing the registry
      --dest-daemon-host HOST                 use docker daemon host at HOST (docker-daemon: only)
      --dest-no-creds                         Access the registry anonymously
      --dest-oci-accept-uncompressed-layers   Allow uncompressed image layers when saving to an OCI image using the 'oci' transport. (default is to compress things that aren't compressed)
      --dest-registry-token string            Provide a Bearer token for accessing the registry
      --dest-shared-blob-dir DIRECTORY        DIRECTORY to use to share blobs across OCI repositories
      --dest-tls-verify                       require HTTPS and verify certificates when talking to the container registry or daemon (defaults to true) (default )
      --encrypt-layer ints                    *Experimental* the 0-indexed layer indices, with support for negative indexing (e.g. 0 is the first layer, -1 is the last layer)
      --encryption-key strings                *Experimental* key with the encryption protocol to use needed to encrypt the image (e.g. jwe:/path/to/key.pem)
  -f, --format string                         MANIFEST TYPE (oci, v2s1, or v2s2) to use when saving image to directory using the 'dir:' transport (default is manifest type of source)
  -h, --help                                  help for copy
  -q, --quiet                                 Suppress output information when copying images
      --remove-signatures                     Do not copy signatures from SOURCE-IMAGE
      --retry-times int                       the number of times to possibly retry
      --sign-by FINGERPRINT                   Sign the image using a GPG key with the specified FINGERPRINT
      --src-authfile string                   path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json
      --src-cert-dir PATH                     use certificates at PATH (*.crt, *.cert, *.key) to connect to the registry or daemon
      --src-creds USERNAME[:PASSWORD]         Use USERNAME[:PASSWORD] for accessing the registry
      --src-daemon-host HOST                  use docker daemon host at HOST (docker-daemon: only)
      --src-no-creds                          Access the registry anonymously
      --src-registry-token string             Provide a Bearer token for accessing the registry
      --src-shared-blob-dir DIRECTORY         DIRECTORY to use to share blobs across OCI repositories
      --src-tls-verify                        require HTTPS and verify certificates when talking to the container registry or daemon (defaults to true) (default )

[root@ip-192-168-114-198 ~]#

To copy an image from the local Docker repository to DockerHub, it can be done as simply as this.

[root@ip-192-168-114-198 ~]# skopeo login docker.io
Username: nara0617
Password:
Login Succeeded!
[root@ip-192-168-114-198 ~]# skopeo copy docker-daemon:localhost/podmanbuilt:latest docker://nara0617/myimage:1.0.0
Getting image source signatures
Copying blob 9069f84dbbe9 done
Copying blob bacd3af13903 done
Copying blob f6253634dc78 done
Copying config 0989a71c8d done
Writing manifest to image destination
Storing signatures
[root@ip-192-168-114-198 ~]#

Handled this way, docker tag and docker push are effectively performed in a single step.

[root@ip-192-168-114-198 ~]# docker rmi localhost/podmanbuilt
Untagged: localhost/podmanbuilt:latest
Deleted: sha256:0989a71c8dee1650bac3b95ffe836d4a9dcc17f2f0bb17c91f4d47f54827aec5
Deleted: sha256:9386795d450ce06c6819c8bc5eff8daa71d47ccb9f9fb8d49fe1ccfb5fb3edbe
Deleted: sha256:3779241fda7b1caf03964626c3503e930f2f19a5ffaba6f4b4ad21fd38df3b6b
Deleted: sha256:bacd3af13903e13a43fe87b6944acd1ff21024132aad6e74b4452d984fb1a99a
[root@ip-192-168-114-198 ~]# docker images
REPOSITORY                             TAG                 IMAGE ID            CREATED             SIZE
localhost/fedora-working-container     latest              245f01352d01        18 hours ago        175MB
nara0617/hello-python                  latest              c6b350e97471        13 days ago         55.2MB
fedora                                 latest              b3048463dcef        6 weeks ago         175MB
gcr.io/knative-samples/helloworld-go   latest              7de72db4aca7        2 years ago         781MB
[root@ip-192-168-114-198 ~]# skopeo copy docker://nara0617/myimage:1.0.0 docker-daemon:localhost/podmanbuilt:latest
Getting image source signatures
Copying blob f6291d888731 done
Copying blob 9e0775ca9a2f done
Copying blob 247a9afb7564 [======================================] 173.0b / 173.0b
Copying config 0989a71c8d done
Writing manifest to image destination
Storing signatures
[root@ip-192-168-114-198 ~]# docker images
REPOSITORY                             TAG                 IMAGE ID            CREATED             SIZE
localhost/fedora-working-container     latest              245f01352d01        18 hours ago        175MB
localhost/podmanbuilt                  latest              0989a71c8dee        20 hours ago        72.9MB
nara0617/hello-python                  latest              c6b350e97471        13 days ago         55.2MB
fedora                                 latest              b3048463dcef        6 weeks ago         175MB
gcr.io/knative-samples/helloworld-go   latest              7de72db4aca7        2 years ago         781MB
[root@ip-192-168-114-198 ~]#

Conversely, as shown above, an image can also be pulled back into the local repository.

[root@ip-192-168-114-198 ~]# skopeo copy docker://nara0617/myimage:1.0.0 docker://nara0617/myimage:1.0.1
Getting image source signatures
Copying blob f6291d888731 skipped: already exists
Copying blob 247a9afb7564 skipped: already exists
Copying blob 9e0775ca9a2f [--------------------------------------] 0.0b / 0.0b
Copying config 0989a71c8d [--------------------------------------] 0.0b / 2.6KiB
Writing manifest to image destination
Storing signatures
[root@ip-192-168-114-198 ~]#

Moving an image between Docker repositories is likewise a single command.
Folded into a CI pipeline, the stage can be handled as follows.

stage('Promote Images') {
	steps {
		script {
			// DOCKERHUB_ID / DOCKERHUB_PW are expected as pipeline environment variables
			sh "skopeo login docker.io -u $DOCKERHUB_ID -p $DOCKERHUB_PW"
			// srcApplicationRef / destApplicationRef hold the source and target image references
			sh "skopeo copy docker://${srcApplicationRef} docker://${destApplicationRef}"
		}
	}
}

skopeo can act as a container manager that inspects container images and performs pull & push against registries. inspect diagnoses a container image's composition, and copy & layers can be seen as a simplified form of the usual pull > tag > push sequence.

This can be used to manage promotion between the various container image management environments.


Full Workflow

Building on the per-role processing examined so far, applying it to a CI/CD process could yield a pipeline like the following.


It proceeds in 8 steps in total; let us review each step in detail once more.

1. Pull CentOS Image

(podman pull IMAGE_NAME > skopeo inspect IMAGE_NAME > podman images)

[root@ip-192-168-114-198 ~]# podman pull centos
Resolved short name "centos" to a recorded short-name alias (origin: /etc/containers/registries.conf.d/shortnames.conf)
Trying to pull registry.centos.org/centos:latest...
Getting image source signatures
Copying blob 926a85fb4806 done
Copying config 2f3766df23 done
Writing manifest to image destination
Storing signatures
2f3766df23b6b238987b29a0cec50a9974f97948ea2e6569035d374289ca2da2
[root@ip-192-168-114-198 ~]# skopeo inspect docker://centos
{
    "Name": "docker.io/library/centos",
    "Digest": "sha256:5528e8b1b1719d34604c87e11dcd1c0a20bedf46e83b5632cdeac91b8c04efc1",
    "RepoTags": [
        "5.11",
        "5",
        "6.10",
        "6.6",
        "6.7",
        "6.8",
        "6.9",
        "6",
        "7.0.1406",
        "7.1.1503",
        "7.2.1511",
        "7.3.1611",
        "7.4.1708",
        "7.5.1804",
        "7.6.1810",
        "7.7.1908",
        "7.8.2003",
        "7.9.2009",
        "7",
        "8.1.1911",
        "8.2.2004",
        "8.3.2011",
        "8",
        "centos5.11",
        "centos5",
        "centos6.10",
        "centos6.6",
        "centos6.7",
        "centos6.8",
        "centos6.9",
        "centos6",
        "centos7.0.1406",
        "centos7.1.1503",
        "centos7.2.1511",
        "centos7.3.1611",
        "centos7.4.1708",
        "centos7.5.1804",
        "centos7.6.1810",
        "centos7.7.1908",
        "centos7.8.2003",
        "centos7.9.2009",
        "centos7",
        "centos8.1.1911",
        "centos8.2.2004",
        "centos8.3.2011",
        "centos8",
        "latest"
    ],
    "Created": "2020-12-08T00:22:53.076477777Z",
    "DockerVersion": "19.03.12",
    "Labels": {
        "org.label-schema.build-date": "20201204",
        "org.label-schema.license": "GPLv2",
        "org.label-schema.name": "CentOS Base Image",
        "org.label-schema.schema-version": "1.0",
        "org.label-schema.vendor": "CentOS"
    },
    "Architecture": "amd64",
    "Os": "linux",
    "Layers": [
        "sha256:7a0437f04f83f084b7ed68ad9c4a4947e12fc4e1b006b38129bac89114ec3621"
    ],
    "Env": [
        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
    ]
}
[root@ip-192-168-114-198 ~]# podman images
REPOSITORY                            TAG     IMAGE ID      CREATED       SIZE
registry.centos.org/centos            latest  2f3766df23b6  2 weeks ago   217 MB
[root@ip-192-168-114-198 ~]# 

The image is pulled with podman and then inspected with skopeo.

[root@ip-192-168-114-198 ~]# docker pull centos
Using default tag: latest
latest: Pulling from library/centos
7a0437f04f83: Pull complete
Digest: sha256:5528e8b1b1719d34604c87e11dcd1c0a20bedf46e83b5632cdeac91b8c04efc1
Status: Downloaded newer image for centos:latest
docker.io/library/centos:latest
[root@ip-192-168-114-198 ~]# docker inspect centos
[
    {
        "Id": "sha256:300e315adb2f96afe5f0b2780b87f28ae95231fe3bdd1e16b9ba606307728f55",
        "RepoTags": [
            "centos:latest"
        ],
        "RepoDigests": [
            "centos@sha256:5528e8b1b1719d34604c87e11dcd1c0a20bedf46e83b5632cdeac91b8c04efc1"
        ],
        "Parent": "",
        "Comment": "",
        "Created": "2020-12-08T00:22:53.076477777Z",
        "Container": "395e0bfa7301f73bc994efe15099ea56b8836c608dd32614ac5ae279976d33e4",
        "ContainerConfig": {
            "Hostname": "395e0bfa7301",
            "Domainname": "",
            "User": "",
            "AttachStdin": false,
            "AttachStdout": false,
            "AttachStderr": false,
            "Tty": false,
            "OpenStdin": false,
            "StdinOnce": false,
            "Env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
            ],
            "Cmd": [
                "/bin/sh",
                "-c",
                "#(nop) ",
                "CMD [\"/bin/bash\"]"
            ],
            "Image": "sha256:6de05bdfbf9a9d403458d10de9e088b6d93d971dd5d48d18b4b6758f4554f451",
            "Volumes": null,
            "WorkingDir": "",
            "Entrypoint": null,
            "OnBuild": null,
            "Labels": {
                "org.label-schema.build-date": "20201204",
                "org.label-schema.license": "GPLv2",
                "org.label-schema.name": "CentOS Base Image",
                "org.label-schema.schema-version": "1.0",
                "org.label-schema.vendor": "CentOS"
            }
        },
        "DockerVersion": "19.03.12",
        "Author": "",
        "Config": {
            "Hostname": "",
            "Domainname": "",
            "User": "",
            "AttachStdin": false,
            "AttachStdout": false,
            "AttachStderr": false,
            "Tty": false,
            "OpenStdin": false,
            "StdinOnce": false,
            "Env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
            ],
            "Cmd": [
                "/bin/bash"
            ],
            "Image": "sha256:6de05bdfbf9a9d403458d10de9e088b6d93d971dd5d48d18b4b6758f4554f451",
            "Volumes": null,
            "WorkingDir": "",
            "Entrypoint": null,
            "OnBuild": null,
            "Labels": {
                "org.label-schema.build-date": "20201204",
                "org.label-schema.license": "GPLv2",
                "org.label-schema.name": "CentOS Base Image",
                "org.label-schema.schema-version": "1.0",
                "org.label-schema.vendor": "CentOS"
            }
        },
        "Architecture": "amd64",
        "Os": "linux",
        "Size": 209348104,
        "VirtualSize": 209348104,
        "GraphDriver": {
            "Data": {
                "MergedDir": "/var/lib/docker/overlay2/b00d5e71c0d806b0e6ea37e6cea7ec64752b5fde9c715dee78e070132a5cac8d/merged",
                "UpperDir": "/var/lib/docker/overlay2/b00d5e71c0d806b0e6ea37e6cea7ec64752b5fde9c715dee78e070132a5cac8d/diff",
                "WorkDir": "/var/lib/docker/overlay2/b00d5e71c0d806b0e6ea37e6cea7ec64752b5fde9c715dee78e070132a5cac8d/work"
            },
            "Name": "overlay2"
        },
        "RootFS": {
            "Type": "layers",
            "Layers": [
                "sha256:2653d992f4ef2bfd27f94db643815aa567240c37732cae1405ad1c1309ee9859"
            ]
        },
        "Metadata": {
            "LastTagTime": "0001-01-01T00:00:00Z"
        }
    }
]
[root@ip-192-168-114-198 ~]# docker images
REPOSITORY                             TAG                 IMAGE ID            CREATED             SIZE
centos                                 latest              300e315adb2f        3 weeks ago         209MB
[root@ip-192-168-114-198 ~]#

Unlike docker inspect, skopeo inspect has the advantage of listing every tag of the repository alongside the image metadata, and it does so without pulling the image first.
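The security-relevant field in the `docker inspect` output above is `RepoDigests`, not `Id`: the digest is the immutable reference a deployment should pin, while `centos:latest` can be re-pointed at any time. The helper below, an added example and not code from the original post, extracts that pinned reference and then checks a `skopeo inspect` result against it before anything is pulled. Both JSON samples are constructed from the values on this page; the `RepoTags` list in the skopeo sample is assumed for illustration.

```python
"""Pin a container image by digest using `docker inspect` / `skopeo inspect` output.

Added example (not from the original post). The two JSON samples are
constructed from the digests the post's `docker pull centos` and
`docker inspect centos` printed; the skopeo sample follows the field names
skopeo inspect emits ("Name", "Digest", "RepoTags", ...), with an assumed tag list.
"""
import json
import re
from typing import List

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Constructed: the parts of `docker inspect centos` that matter for pinning.
DOCKER_INSPECT = json.dumps([{
    "Id": "sha256:300e315adb2f96afe5f0b2780b87f28ae95231fe3bdd1e16b9ba606307728f55",
    "RepoTags": ["centos:latest"],
    "RepoDigests": [
        "centos@sha256:5528e8b1b1719d34604c87e11dcd1c0a20bedf46e83b5632cdeac91b8c04efc1"
    ],
}])

# Constructed: shape of `skopeo inspect docker://docker.io/library/centos:latest`.
# RepoTags is assumed; Digest is the one the post's pull reported.
SKOPEO_INSPECT = json.dumps({
    "Name": "docker.io/library/centos",
    "Digest": "sha256:5528e8b1b1719d34604c87e11dcd1c0a20bedf46e83b5632cdeac91b8c04efc1",
    "RepoTags": ["7", "8", "centos7", "centos8", "latest"],
})


def pinned_references(docker_inspect_json: str) -> List[str]:
    """Return every `name@sha256:...` reference found in `docker inspect` output.

    RepoDigests holds the registry content digest (what `docker pull` printed).
    "Id" is the local image-config digest and cannot be used as a pull reference.
    """
    refs: List[str] = []
    for image in json.loads(docker_inspect_json):
        for ref in image.get("RepoDigests", []):
            name, _, digest = ref.partition("@")
            if not name or not DIGEST_RE.match(digest):
                raise ValueError(f"malformed RepoDigests entry: {ref!r}")
            refs.append(ref)
    return refs


def registry_matches(skopeo_inspect_json: str, tag: str, expected_digest: str) -> bool:
    """Check, without pulling, that `tag` still exists in the registry and that the
    manifest skopeo inspect resolved for that tag is the digest pinned earlier.
    The skopeo output must have been produced for the same `tag`.
    """
    info = json.loads(skopeo_inspect_json)
    if tag not in info.get("RepoTags", []):
        return False
    return info.get("Digest") == expected_digest


if __name__ == "__main__":
    ref = pinned_references(DOCKER_INSPECT)[0]
    print("pull by digest:", ref)
    print("registry still serves it:",
          registry_matches(SKOPEO_INSPECT, "latest", ref.split("@", 1)[1]))
```

In a CI gate the digest from `pinned_references` is what you write into the manifest or Pod spec; `registry_matches` is the pre-pull check that detects a re-tagged upstream image before it lands on a node.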

2. buildah build

(write a Dockerfile > buildah bud > podman run > podman exec)

[root@ip-192-168-114-198 ~]# curl -s -o Dockerfile https://raw.githubusercontent.com/ajacocks/Dockerfile_fedora-postgres/master/Dockerfile_fedora-postgres
[root@ip-192-168-114-198 ~]# cat Dockerfile
FROM docker.io/library/fedora:latest
MAINTAINER alexander@redhat.com
RUN yum install -y postgresql-server
USER postgres
RUN /bin/initdb -D /var/lib/pgsql/data
RUN /usr/bin/pg_ctl start -D /var/lib/pgsql/data -s -o "-p 5432" -w -t 300 &&\
                /bin/psql --command "CREATE USER docker WITH SUPERUSER PASSWORD 'docker';" &&\
                /bin/createdb -O docker docker
RUN echo "host all  all    0.0.0.0/0  md5" >> /var/lib/pgsql/data/pg_hba.conf
RUN echo "listen_addresses='*'" >> /var/lib/pgsql/data/postgresql.conf
EXPOSE 5432
CMD ["/bin/postgres", "-D", "/var/lib/pgsql/data", "-c", "config_file=/var/lib/pgsql/data/postgresql.conf"]
[root@ip-192-168-114-198 ~]# mkdir build; mv Dockerfile build/Dockerfile; cd build
[root@ip-192-168-114-198 build]# buildah bud -t fedora_postgresql .
STEP 1: FROM docker.io/library/fedora:latest
STEP 2: MAINTAINER alexander@redhat.com
STEP 3: RUN yum install -y postgresql-server
Fedora 33 openh264 (From Cisco) - x86_64        2.2 kB/s | 2.5 kB     00:01
Fedora Modular 33 - x86_64                      2.2 MB/s | 3.3 MB     00:01
Fedora Modular 33 - x86_64 - Updates            1.6 MB/s | 2.9 MB     00:01
Fedora 33 - x86_64 - Updates                    4.2 MB/s |  20 MB     00:04
Fedora 33 - x86_64                              2.1 MB/s |  72 MB     00:34
Dependencies resolved.
================================================================================
 Package                    Arch       Version                Repository   Size
================================================================================
Installing:
 postgresql-server          x86_64     12.4-3.fc33            updates     5.8 M
Installing dependencies:
 acl                        x86_64     2.2.53-9.fc33          fedora       72 k
 cryptsetup-libs            x86_64     2.3.4-1.fc33           fedora      476 k
 dbus                       x86_64     1:1.12.20-2.fc33       fedora      9.9 k
 dbus-broker                x86_64     24-1.fc33              fedora      169 k
 dbus-common                noarch     1:1.12.20-2.fc33       fedora       17 k
 device-mapper              x86_64     1.02.173-1.fc33        fedora      142 k
 device-mapper-libs         x86_64     1.02.173-1.fc33        fedora      178 k
 hwdata                     noarch     0.341-1.fc33           updates     1.4 M
 iptables-libs              x86_64     1.8.5-4.fc33           updates     367 k
 kmod-libs                  x86_64     27-3.fc33              fedora       63 k
 libargon2                  x86_64     20171227-5.fc33        fedora       29 k
 libcbor                    x86_64     0.5.0-7.fc33           fedora       46 k
 libfido2                   x86_64     1.4.0-3.fc33           fedora       66 k
 libibverbs                 x86_64     32.0-1.fc33            updates     333 k
 libicu                     x86_64     67.1-4.fc33            fedora      9.7 M
 libmnl                     x86_64     1.0.4-12.fc33          fedora       28 k
 libnetfilter_conntrack     x86_64     1.0.7-5.fc33           fedora       62 k
 libnfnetlink               x86_64     1.0.1-18.fc33          fedora       29 k
 libnl3                     x86_64     3.5.0-5.fc33           fedora      325 k
 libpcap                    x86_64     14:1.9.1-6.fc33        updates     173 k
 libpq                      x86_64     12.4-1.fc33            fedora      207 k
 libseccomp                 x86_64     2.5.0-3.fc33           fedora       72 k
 pciutils                   x86_64     3.6.4-2.fc33           fedora       90 k
 pciutils-libs              x86_64     3.6.4-2.fc33           fedora       41 k
 postgresql                 x86_64     12.4-3.fc33            updates     1.4 M
 qrencode-libs              x86_64     4.0.2-6.fc33           fedora       60 k
 rdma-core                  x86_64     32.0-1.fc33            updates      56 k
 systemd                    x86_64     246.6-3.fc33           fedora      4.0 M
 systemd-pam                x86_64     246.6-3.fc33           fedora      308 k
 systemd-rpm-macros         noarch     246.6-3.fc33           fedora       29 k
 xkeyboard-config           noarch     2.30-3.fc33            fedora      749 k
Installing weak dependencies:
 diffutils                  x86_64     3.7-7.fc33             updates     390 k
 libxkbcommon               x86_64     1.0.1-1.fc33           fedora      134 k
 systemd-networkd           x86_64     246.6-3.fc33           fedora      467 k

Transaction Summary
================================================================================
Install  35 Packages

Total download size: 28 M
Installed size: 100 M
Downloading Packages:
(1/35): iptables-libs-1.8.5-4.fc33.x86_64.rpm   8.4 MB/s | 367 kB     00:00
(2/35): hwdata-0.341-1.fc33.noarch.rpm           22 MB/s | 1.4 MB     00:00
(3/35): libibverbs-32.0-1.fc33.x86_64.rpm       7.7 MB/s | 333 kB     00:00
(4/35): diffutils-3.7-7.fc33.x86_64.rpm         256 kB/s | 390 kB     00:01
(5/35): libpcap-1.9.1-6.fc33.x86_64.rpm         112 kB/s | 173 kB     00:01
(6/35): rdma-core-32.0-1.fc33.x86_64.rpm        6.0 MB/s |  56 kB     00:00
(7/35): postgresql-server-12.4-3.fc33.x86_64.rp 5.3 MB/s | 5.8 MB     00:01
(8/35): acl-2.2.53-9.fc33.x86_64.rpm             68 kB/s |  72 kB     00:01
(9/35): dbus-1.12.20-2.fc33.x86_64.rpm           45 kB/s | 9.9 kB     00:00
(10/35): dbus-broker-24-1.fc33.x86_64.rpm       188 kB/s | 169 kB     00:00
(11/35): cryptsetup-libs-2.3.4-1.fc33.x86_64.rp 283 kB/s | 476 kB     00:01
(12/35): dbus-common-1.12.20-2.fc33.noarch.rpm   20 kB/s |  17 kB     00:00
(13/35): device-mapper-libs-1.02.173-1.fc33.x86 388 kB/s | 178 kB     00:00
(14/35): kmod-libs-27-3.fc33.x86_64.rpm         239 kB/s |  63 kB     00:00
(15/35): device-mapper-1.02.173-1.fc33.x86_64.r 107 kB/s | 142 kB     00:01
(16/35): libargon2-20171227-5.fc33.x86_64.rpm    34 kB/s |  29 kB     00:00
(17/35): libcbor-0.5.0-7.fc33.x86_64.rpm         72 kB/s |  46 kB     00:00
(18/35): libfido2-1.4.0-3.fc33.x86_64.rpm       289 kB/s |  66 kB     00:00
(19/35): libmnl-1.0.4-12.fc33.x86_64.rpm         33 kB/s |  28 kB     00:00
(20/35): libnetfilter_conntrack-1.0.7-5.fc33.x8  97 kB/s |  62 kB     00:00
(21/35): libnfnetlink-1.0.1-18.fc33.x86_64.rpm   68 kB/s |  29 kB     00:00
(22/35): libicu-67.1-4.fc33.x86_64.rpm          3.3 MB/s | 9.7 MB     00:02
(23/35): libnl3-3.5.0-5.fc33.x86_64.rpm         219 kB/s | 325 kB     00:01
(24/35): libseccomp-2.5.0-3.fc33.x86_64.rpm     326 kB/s |  72 kB     00:00
(25/35): postgresql-12.4-3.fc33.x86_64.rpm      148 kB/s | 1.4 MB     00:10
(26/35): libxkbcommon-1.0.1-1.fc33.x86_64.rpm   586 kB/s | 134 kB     00:00
(27/35): pciutils-3.6.4-2.fc33.x86_64.rpm       406 kB/s |  90 kB     00:00
(28/35): libpq-12.4-1.fc33.x86_64.rpm           140 kB/s | 207 kB     00:01
(29/35): pciutils-libs-3.6.4-2.fc33.x86_64.rpm   64 kB/s |  41 kB     00:00
(30/35): qrencode-libs-4.0.2-6.fc33.x86_64.rpm   58 kB/s |  60 kB     00:01
(31/35): systemd-246.6-3.fc33.x86_64.rpm        2.1 MB/s | 4.0 MB     00:01
(32/35): systemd-networkd-246.6-3.fc33.x86_64.r 269 kB/s | 467 kB     00:01
(33/35): systemd-pam-246.6-3.fc33.x86_64.rpm    209 kB/s | 308 kB     00:01
(34/35): systemd-rpm-macros-246.6-3.fc33.noarch 131 kB/s |  29 kB     00:00
(35/35): xkeyboard-config-2.30-3.fc33.noarch.rp 1.5 MB/s | 749 kB     00:00
--------------------------------------------------------------------------------
Total                                           1.9 MB/s |  28 MB     00:14
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Installing       : libpq-12.4-1.fc33.x86_64                              1/35
  Installing       : libnl3-3.5.0-5.fc33.x86_64                            2/35
  Installing       : kmod-libs-27-3.fc33.x86_64                            3/35
  Installing       : postgresql-12.4-3.fc33.x86_64                         4/35
  Installing       : xkeyboard-config-2.30-3.fc33.noarch                   5/35
  Installing       : libxkbcommon-1.0.1-1.fc33.x86_64                      6/35
  Installing       : systemd-rpm-macros-246.6-3.fc33.noarch                7/35
  Installing       : qrencode-libs-4.0.2-6.fc33.x86_64                     8/35
  Installing       : pciutils-libs-3.6.4-2.fc33.x86_64                     9/35
  Installing       : libseccomp-2.5.0-3.fc33.x86_64                       10/35
  Installing       : libnfnetlink-1.0.1-18.fc33.x86_64                    11/35
  Installing       : libmnl-1.0.4-12.fc33.x86_64                          12/35
  Installing       : libnetfilter_conntrack-1.0.7-5.fc33.x86_64           13/35
  Installing       : libicu-67.1-4.fc33.x86_64                            14/35
  Installing       : libcbor-0.5.0-7.fc33.x86_64                          15/35
  Installing       : libfido2-1.4.0-3.fc33.x86_64                         16/35
  Installing       : libargon2-20171227-5.fc33.x86_64                     17/35
  Installing       : acl-2.2.53-9.fc33.x86_64                             18/35
  Installing       : hwdata-0.341-1.fc33.noarch                           19/35
  Installing       : pciutils-3.6.4-2.fc33.x86_64                         20/35
  Installing       : rdma-core-32.0-1.fc33.x86_64                         21/35
  Running scriptlet: rdma-core-32.0-1.fc33.x86_64                         21/35
  Installing       : libibverbs-32.0-1.fc33.x86_64                        22/35
  Installing       : libpcap-14:1.9.1-6.fc33.x86_64                       23/35
  Installing       : iptables-libs-1.8.5-4.fc33.x86_64                    24/35
  Installing       : diffutils-3.7-7.fc33.x86_64                          25/35
  Installing       : device-mapper-1.02.173-1.fc33.x86_64                 26/35
  Installing       : device-mapper-libs-1.02.173-1.fc33.x86_64            27/35
  Installing       : cryptsetup-libs-2.3.4-1.fc33.x86_64                  28/35
  Installing       : dbus-1:1.12.20-2.fc33.x86_64                         29/35
  Installing       : systemd-networkd-246.6-3.fc33.x86_64                 30/35
  Installing       : systemd-pam-246.6-3.fc33.x86_64                      31/35
  Running scriptlet: systemd-246.6-3.fc33.x86_64                          32/35
  Installing       : systemd-246.6-3.fc33.x86_64                          32/35
  Running scriptlet: systemd-246.6-3.fc33.x86_64                          32/35
ln: failed to create symbolic link '/etc/resolv.conf': Device or resource busy
warning: %post(systemd-246.6-3.fc33.x86_64) scriptlet failed, exit status 1

Error in POSTIN scriptlet in rpm package systemd
  Installing       : dbus-common-1:1.12.20-2.fc33.noarch                  33/35
  Running scriptlet: dbus-common-1:1.12.20-2.fc33.noarch                  33/35
Created symlink /etc/systemd/system/sockets.target.wants/dbus.socket → /usr/lib/systemd/system/dbus.socket.
Created symlink /etc/systemd/user/sockets.target.wants/dbus.socket → /usr/lib/systemd/user/dbus.socket.

  Running scriptlet: dbus-broker-24-1.fc33.x86_64                         34/35
  Installing       : dbus-broker-24-1.fc33.x86_64                         34/35
  Running scriptlet: dbus-broker-24-1.fc33.x86_64                         34/35
Created symlink /etc/systemd/system/dbus.service → /usr/lib/systemd/system/dbus-broker.service.
Created symlink /etc/systemd/user/dbus.service → /usr/lib/systemd/user/dbus-broker.service.

  Running scriptlet: postgresql-server-12.4-3.fc33.x86_64                 35/35
  Installing       : postgresql-server-12.4-3.fc33.x86_64                 35/35
  Running scriptlet: postgresql-server-12.4-3.fc33.x86_64                 35/35
  Verifying        : diffutils-3.7-7.fc33.x86_64                           1/35
  Verifying        : hwdata-0.341-1.fc33.noarch                            2/35
  Verifying        : iptables-libs-1.8.5-4.fc33.x86_64                     3/35
  Verifying        : libibverbs-32.0-1.fc33.x86_64                         4/35
  Verifying        : libpcap-14:1.9.1-6.fc33.x86_64                        5/35
  Verifying        : postgresql-12.4-3.fc33.x86_64                         6/35
  Verifying        : postgresql-server-12.4-3.fc33.x86_64                  7/35
  Verifying        : rdma-core-32.0-1.fc33.x86_64                          8/35
  Verifying        : acl-2.2.53-9.fc33.x86_64                              9/35
  Verifying        : cryptsetup-libs-2.3.4-1.fc33.x86_64                  10/35
  Verifying        : dbus-1:1.12.20-2.fc33.x86_64                         11/35
  Verifying        : dbus-broker-24-1.fc33.x86_64                         12/35
  Verifying        : dbus-common-1:1.12.20-2.fc33.noarch                  13/35
  Verifying        : device-mapper-1.02.173-1.fc33.x86_64                 14/35
  Verifying        : device-mapper-libs-1.02.173-1.fc33.x86_64            15/35
  Verifying        : kmod-libs-27-3.fc33.x86_64                           16/35
  Verifying        : libargon2-20171227-5.fc33.x86_64                     17/35
  Verifying        : libcbor-0.5.0-7.fc33.x86_64                          18/35
  Verifying        : libfido2-1.4.0-3.fc33.x86_64                         19/35
  Verifying        : libicu-67.1-4.fc33.x86_64                            20/35
  Verifying        : libmnl-1.0.4-12.fc33.x86_64                          21/35
  Verifying        : libnetfilter_conntrack-1.0.7-5.fc33.x86_64           22/35
  Verifying        : libnfnetlink-1.0.1-18.fc33.x86_64                    23/35
  Verifying        : libnl3-3.5.0-5.fc33.x86_64                           24/35
  Verifying        : libpq-12.4-1.fc33.x86_64                             25/35
  Verifying        : libseccomp-2.5.0-3.fc33.x86_64                       26/35
  Verifying        : libxkbcommon-1.0.1-1.fc33.x86_64                     27/35
  Verifying        : pciutils-3.6.4-2.fc33.x86_64                         28/35
  Verifying        : pciutils-libs-3.6.4-2.fc33.x86_64                    29/35
  Verifying        : qrencode-libs-4.0.2-6.fc33.x86_64                    30/35
  Verifying        : systemd-246.6-3.fc33.x86_64                          31/35
  Verifying        : systemd-networkd-246.6-3.fc33.x86_64                 32/35
  Verifying        : systemd-pam-246.6-3.fc33.x86_64                      33/35
  Verifying        : systemd-rpm-macros-246.6-3.fc33.noarch               34/35
  Verifying        : xkeyboard-config-2.30-3.fc33.noarch                  35/35

Installed:
  acl-2.2.53-9.fc33.x86_64
  cryptsetup-libs-2.3.4-1.fc33.x86_64
  dbus-1:1.12.20-2.fc33.x86_64
  dbus-broker-24-1.fc33.x86_64
  dbus-common-1:1.12.20-2.fc33.noarch
  device-mapper-1.02.173-1.fc33.x86_64
  device-mapper-libs-1.02.173-1.fc33.x86_64
  diffutils-3.7-7.fc33.x86_64
  hwdata-0.341-1.fc33.noarch
  iptables-libs-1.8.5-4.fc33.x86_64
  kmod-libs-27-3.fc33.x86_64
  libargon2-20171227-5.fc33.x86_64
  libcbor-0.5.0-7.fc33.x86_64
  libfido2-1.4.0-3.fc33.x86_64
  libibverbs-32.0-1.fc33.x86_64
  libicu-67.1-4.fc33.x86_64
  libmnl-1.0.4-12.fc33.x86_64
  libnetfilter_conntrack-1.0.7-5.fc33.x86_64
  libnfnetlink-1.0.1-18.fc33.x86_64
  libnl3-3.5.0-5.fc33.x86_64
  libpcap-14:1.9.1-6.fc33.x86_64
  libpq-12.4-1.fc33.x86_64
  libseccomp-2.5.0-3.fc33.x86_64
  libxkbcommon-1.0.1-1.fc33.x86_64
  pciutils-3.6.4-2.fc33.x86_64
  pciutils-libs-3.6.4-2.fc33.x86_64
  postgresql-12.4-3.fc33.x86_64
  postgresql-server-12.4-3.fc33.x86_64
  qrencode-libs-4.0.2-6.fc33.x86_64
  rdma-core-32.0-1.fc33.x86_64
  systemd-246.6-3.fc33.x86_64
  systemd-networkd-246.6-3.fc33.x86_64
  systemd-pam-246.6-3.fc33.x86_64
  systemd-rpm-macros-246.6-3.fc33.noarch
  xkeyboard-config-2.30-3.fc33.noarch

Complete!
STEP 4: USER postgres
STEP 5: RUN /bin/initdb -D /var/lib/pgsql/data
The files belonging to this database system will be owned by user "postgres".
This user must also own the server process.

The database cluster will be initialized with locale "C".
The default database encoding has accordingly been set to "SQL_ASCII".
The default text search configuration will be set to "english".

Data page checksums are disabled.

fixing permissions on existing directory /var/lib/pgsql/data ... ok
creating subdirectories ... ok
selecting dynamic shared memory implementation ... posix
selecting default max_connections ... 100
selecting default shared_buffers ... 128MB
selecting default time zone ... Etc/UTC
creating configuration files ... ok
running bootstrap script ... ok
performing post-bootstrap initialization ... ok
syncing data to disk ... ok

initdb: warning: enabling "trust" authentication for local connections
You can change this by editing pg_hba.conf or using the option -A, or
--auth-local and --auth-host, the next time you run initdb.

Success. You can now start the database server using:

    /bin/pg_ctl -D /var/lib/pgsql/data -l logfile start

STEP 6: RUN /usr/bin/pg_ctl start -D /var/lib/pgsql/data -s -o "-p 5432" -w -t 300 &&                /bin/psql --command "CREATE USER docker WITH SUPERUSER PASSWORD 'docker';" &&                /bin/createdb -O docker docker
2020-12-30 06:27:01.868 UTC [8] LOG:  starting PostgreSQL 12.4 on x86_64-redhat-linux-gnu, compiled by gcc (GCC) 10.2.1 20200826 (Red Hat 10.2.1-3), 64-bit
2020-12-30 06:27:01.869 UTC [8] LOG:  listening on IPv4 address "127.0.0.1", port 5432
2020-12-30 06:27:01.875 UTC [8] LOG:  listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
2020-12-30 06:27:01.877 UTC [8] LOG:  listening on Unix socket "/tmp/.s.PGSQL.5432"
2020-12-30 06:27:01.890 UTC [8] LOG:  redirecting log output to logging collector process
2020-12-30 06:27:01.890 UTC [8] HINT:  Future log output will appear in directory "log".
CREATE ROLE
STEP 7: RUN echo "host all  all    0.0.0.0/0  md5" >> /var/lib/pgsql/data/pg_hba.conf
STEP 8: RUN echo "listen_addresses='*'" >> /var/lib/pgsql/data/postgresql.conf
STEP 9: EXPOSE 5432
STEP 10: CMD ["/bin/postgres", "-D", "/var/lib/pgsql/data", "-c", "config_file=/var/lib/pgsql/data/postgresql.conf"]
STEP 11: COMMIT fedora_postgresql
ERRO Can't add file /var/lib/containers/storage/overlay/2ec1e57fc66975c98f91211226ca3d67b9998825a477fd7ac491ea3519f2c469/diff/run/postgresql/.s.PGSQL.5432 to tar: archive/tar: sockets not supported
ERRO Can't add file /var/lib/containers/storage/overlay/2ec1e57fc66975c98f91211226ca3d67b9998825a477fd7ac491ea3519f2c469/diff/tmp/.s.PGSQL.5432 to tar: archive/tar: sockets not supported
Getting image source signatures
Copying blob ed0c36ccfcbe skipped: already exists
Copying blob 923ca1312650 done
Copying config fa1d77857a done
Writing manifest to image destination
Storing signatures
--> fa1d77857a8
fa1d77857a81bf978c54f743996284105a7be6fc6bfe1805f80f8e56c82cffb1
[root@ip-192-168-114-198 build]# podman run -d --name fpg fedora_postgresql
98ab8261e40518fec5420a912ac62d66fc48d8fb49ad7e6407886b96a07bf74f
[root@ip-192-168-114-198 build]# podman exec -it fpg psql
psql (12.4)
Type "help" for help.

postgres=# 

A container image is created with buildah, then checked by starting it with podman run and entering it with podman exec.

3. Container Registry
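The downloaded Dockerfile builds, but it bakes a superuser password into an image layer, opens `pg_hba.conf` to every IPv4 address, and starts from a floating `:latest` tag. As an added example (not from the original post, and not part of buildah), the following linter parses the Dockerfile shown above, including its backslash-continued RUN line, and reports those weaknesses before `buildah bud` is run. The rule set is this example's own.

```python
"""Lint a Dockerfile/Containerfile before building it with buildah bud.

Added example, not part of the original post or of buildah. DOCKERFILE is a
copy of the fedora/postgres Dockerfile the post downloads; the rules are
chosen for the weaknesses visible in that file.
"""
import re
from typing import List, Tuple

DOCKERFILE = r'''FROM docker.io/library/fedora:latest
MAINTAINER alexander@redhat.com
RUN yum install -y postgresql-server
USER postgres
RUN /bin/initdb -D /var/lib/pgsql/data
RUN /usr/bin/pg_ctl start -D /var/lib/pgsql/data -s -o "-p 5432" -w -t 300 &&\
                /bin/psql --command "CREATE USER docker WITH SUPERUSER PASSWORD 'docker';" &&\
                /bin/createdb -O docker docker
RUN echo "host all  all    0.0.0.0/0  md5" >> /var/lib/pgsql/data/pg_hba.conf
RUN echo "listen_addresses='*'" >> /var/lib/pgsql/data/postgresql.conf
EXPOSE 5432
CMD ["/bin/postgres", "-D", "/var/lib/pgsql/data", "-c", "config_file=/var/lib/pgsql/data/postgresql.conf"]
'''

Instruction = Tuple[str, str]   # (INSTRUCTION, argument string)
Finding = Tuple[int, str, str]  # (instruction number, rule id, message)

CRED_RE = re.compile(r"\bPASSWORD\s+'[^']+'", re.IGNORECASE)


def parse_instructions(text: str) -> List[Instruction]:
    """Split a Dockerfile into (INSTRUCTION, argument) pairs.

    Backslash-continued lines are joined into one logical line, blank lines
    and '#' comments are dropped. Parser directives and here-docs are out of
    scope for this example.
    """
    logical: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        # Blank lines and comments only terminate nothing when not inside a continuation.
        if not buf and (not line.strip() or line.lstrip().startswith("#")):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        logical.append((buf + line).strip())
        buf = ""
    if buf:  # file ended in the middle of a continuation
        logical.append(buf.strip())
    result: List[Instruction] = []
    for line in logical:
        parts = re.split(r"\s+", line, maxsplit=1)
        result.append((parts[0].upper(), parts[1] if len(parts) > 1 else ""))
    return result


def lint(text: str) -> List[Finding]:
    """Return findings in file order; instruction number 0 marks a file-level finding."""
    findings: List[Finding] = []
    non_root_user = False
    for n, (instr, arg) in enumerate(parse_instructions(text), 1):
        if instr == "FROM":
            image = arg.split()[0] if arg else ""
            if "@sha256:" not in image:
                last = image.rsplit("/", 1)[-1]        # strip registry:port/path
                tag = last.split(":", 1)[1] if ":" in last else "latest (implicit)"
                findings.append((n, "unpinned-base",
                                 f"FROM {image}: tag '{tag}' is mutable; pin with @sha256:<digest>"))
        elif instr == "MAINTAINER":
            findings.append((n, "maintainer-deprecated", "MAINTAINER is deprecated; use LABEL"))
        elif instr == "RUN":
            if CRED_RE.search(arg):
                findings.append((n, "hardcoded-credential",
                                 "password literal is stored in an image layer and its history"))
            if "pg_hba.conf" in arg and "0.0.0.0/0" in arg:
                findings.append((n, "pg-hba-open", "pg_hba rule admits clients from any IPv4 address"))
        elif instr == "USER":
            non_root_user = bool(arg) and arg.split()[0] != "root"
    if not non_root_user:
        findings.append((0, "no-user", "no non-root USER in effect; the process runs as root"))
    return findings


if __name__ == "__main__":
    for number, rule, message in lint(DOCKERFILE):
        print(f"instruction {number}: [{rule}] {message}")
```

The credential rule matters even though the image is built with buildah: every RUN layer, and the image history, is shipped to whoever can pull from the registry the image is pushed to later in this post.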

(podman login > podman images > buildah push or skopeo copy)

[root@ip-192-168-114-198 build]# podman login docker.io -u nara0617 -p dhfhskalsC!
Login Succeeded!
[root@ip-192-168-114-198 build]# podman images
REPOSITORY                            TAG     IMAGE ID      CREATED        SIZE
localhost/fedora_postgresql           latest  fa1d77857a81  4 minutes ago  542 MB
localhost/nara0617/ubuntuechobuildah  latest  c14ac4084845  3 hours ago    75.3 MB
localhost/nara0617/ubuntuecho         latest  a65de8136db3  3 hours ago    75.3 MB
localhost/fedora-working-container    latest  245f01352d01  23 hours ago   181 MB
localhost/podmanbuilt                 latest  0989a71c8dee  25 hours ago   75.3 MB
registry.centos.org/centos            latest  2f3766df23b6  2 weeks ago    217 MB
docker.io/library/ubuntu              latest  f643c72bc252  4 weeks ago    75.3 MB
docker.io/library/fedora              latest  b3048463dcef  6 weeks ago    181 MB
[root@ip-192-168-114-198 build]# buildah push fedora_postgresql:latest nara0617/fedora_postgresql:latest
Getting image source signatures
Copying blob 923ca1312650 done
Copying blob ed0c36ccfcbe skipped: already exists
Copying config fa1d77857a done
Writing manifest to image destination
Storing signatures
[root@ip-192-168-114-198 build]# skopeo copy containers-storage:fa1d77857a81 docker://nara0617/fedora_postgresql:latest
Getting image source signatures
Copying blob 923ca1312650 done
Copying blob ed0c36ccfcbe done
Copying config fa1d77857a [--------------------------------------] 0.0b / 2.7KiB
Writing manifest to image destination
Storing signatures
[root@ip-192-168-114-198 build]#

Finally, log in with podman login to the registry that the built and verified container image will be pushed to, then push the image with either buildah push or skopeo copy. When pushing to a registry, skopeo offers finer control over the transfer than buildah does.
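One thing to change from the session above: passing the registry password with `-p` puts it into the shell history and into the process list for as long as the command runs. The wrapper below, an added example that is not code from the original post, podman or skopeo, feeds the password through `podman login --password-stdin` instead and builds the `skopeo copy` command with `--sign-by` so the pushed image carries a signature; both flags exist in those tools. The registry, user name, image names and key id are placeholders, and the `run` parameter is injectable so the flow can be exercised without podman installed.

```python
"""Registry login and push with the password kept off the command line.

Added example; not code from the original post, podman or skopeo. It wraps
the real flags `podman login --password-stdin` and `skopeo copy --sign-by`.
Registry, user name, image names and the GPG key id are placeholders.
"""
import subprocess
from typing import Callable, List, Optional


def login_argv(registry: str, user: str) -> List[str]:
    """argv for podman login. The password is absent on purpose: `-p <pw>` ends up
    in shell history and in `ps` output, `--password-stdin` does not."""
    return ["podman", "login", registry, "-u", user, "--password-stdin"]


def copy_argv(src: str, dest: str, sign_by: Optional[str] = None) -> List[str]:
    """argv for skopeo copy. skopeo reuses the auth file podman login wrote, so no
    credential is needed here; sign_by is an OpenPGP key id used to sign the push."""
    argv = ["skopeo", "copy"]
    if sign_by:
        argv += ["--sign-by", sign_by]
    return argv + [src, dest]


def login(registry: str, user: str, password: str,
          run: Callable[..., object] = subprocess.run) -> object:
    """Run podman login with the password delivered on stdin.

    `run` defaults to subprocess.run; a fake can be injected for testing.
    """
    if not password:
        raise ValueError("empty password")
    argv = login_argv(registry, user)
    if any(password in arg for arg in argv):
        raise ValueError("refusing to place the password in argv")
    return run(argv, input=password + "\n", text=True, check=True)


if __name__ == "__main__":
    # Placeholder values; in practice read the password from a secret store or file.
    print(login_argv("docker.io", "EXAMPLE_USER"))
    print(copy_argv("containers-storage:fedora_postgresql:latest",
                    "docker://EXAMPLE_USER/fedora_postgresql:latest",
                    sign_by="EXAMPLE_KEY_ID"))
```

Pipe the secret in from a file or a secret manager (`podman login ... --password-stdin < /path/to/secret`); the auth file podman writes is then picked up by both `buildah push` and `skopeo copy`.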


Conclusion

The runtime container landscape will ultimately be settled by which CRI is best suited to Kubernetes. So far that is obviously Docker, and few people would disagree yet. However, since the OCI (Open Container Initiative) and the CRI (Container Runtime Interface) were defined, there are rules for what a runtime container is, and alternatives are emerging one by one. In particular, runtime containers that make up for Docker's shortcomings are appearing and growing. Docker was not developed for Kubernetes; rather, Kubernetes supports Docker. CRI-O, on the other hand, was created solely for Kubernetes, with the advantage that the CRI-O project itself manages and maintains Kubernetes compatibility. Combined with the Low Level Container components split out into Podman, Buildah and Skopeo, it may well grow into a solid alternative to Docker.
