Podman是一个开源的容器运行时项目,提供与Docker相似的功能,可以管理和运行任何符合OCI规范的容器和镜像。Podman提供了一个与Docker兼容的命令行前端来管理容器镜像。其主要的优点有:

  1. 无根模式运行,没有任何额外特权需要;
  2. 不需要守护进程
  3. 原生systemd集成,允许用户创建systemd单元文件并将容器作为系统服务运行。

2024.11 天津·和平区·解放北路·利顺德大酒店

初始安装

# 部署
[root@podman ~]# dnf install -y podman podman-docker podman-compose
touch /etc/containers/nodocker
[root@podman ~]# podman -v
podman version 5.3.1
# 配置镜像代理
[root@podman ~]# vim /etc/containers/registries.conf
unqualified-search-registries = ["docker.io"]
[[registry]]
prefix="docker.io"
location="docker.1ms.run"
# 重启服务
[root@podman ~]# systemctl enable podman
[root@podman ~]# systemctl restart podman
# 拉取镜像
[root@podman ~]# podman run hello-world
!... Hello Podman World ...!

         .--"--.           
       / -     - \         
      / (O)   (O) \        
   ~~~| -=(,Y,)=- |         
    .---. /`  \   |~~      
 ~/  o  o \~~~~.----. ~~   
  | =(X)= |~  / (O (O) \   
   ~~~~~~~  ~| =(Y_)=-  |   
  ~~~~    ~~~|   U      |~~ 

Project:   https://github.com/containers/podman
Website:   https://podman.io
Desktop:   https://podman-desktop.io
Documents: https://docs.podman.io
YouTube:   https://youtube.com/@Podman
X/Twitter: @Podman_io
Mastodon:  @Podman_io@fosstodon.org

使用管理

# 交互式运行容器
[root@podman ~]# podman run -it ubuntu /bin/bash
root@b6089f227b55:/# 

# 容器后台运行
[root@podman ~]# podman run -itd --name ubuntu_test ubuntu /bin/bash
36811becd0b716687bc8e5ab0c6c29cd64ee159ceac1d2f7b7a685e69f7b7ea1
[root@podman ~]# podman ps
CONTAINER ID  IMAGE                            COMMAND     CREATED         STATUS         PORTS       NAMES
36811becd0b7  docker.io/library/ubuntu:latest  /bin/bash   11 seconds ago  Up 12 seconds              ubuntu_test

# 使用容器ID进入容器
[root@podman ~]# podman exec -it 368 /bin/bash
root@36811becd0b7:/# 

# 启动容器
[root@podman ~]# podman start ubuntu_test
ubuntu_test
# 停止容器
[root@podman ~]# podman stop ubuntu_test
WARN[0010] StopSignal SIGTERM failed to stop container ubuntu_test in 10 seconds, resorting to SIGKILL 
ubuntu_test
# 重启容器
[root@podman ~]# podman restart ubuntu_test
ubuntu_test
# 删除容器
[root@podman ~]# podman rm -f ubuntu_test
WARN[0010] StopSignal SIGTERM failed to stop container ubuntu_test in 10 seconds, resorting to SIGKILL 
ubuntu_test
# 删除所有容器
[root@podman ~]# podman rm -f $(podman ps -aq)
b6089f227b55
155c6d4d9fae
115938151fc0
1395177f65e0
c1f9a18de6bd

# 查看pod属性
[root@podman ~]# podman inspect ubuntu_test
[
     {
          "Id": "98f6fb407b3cf7d3c4094ead7df7a3e1b45151bd88b2ff0df48e065476a8286c",
          "Created": "2025-01-15T21:11:54.305532006+08:00",
          "Path": "/bin/bash",
          "Args": [
               "/bin/bash"
          ],
          "State": {
               "OciVersion": "1.2.0",
               "Status": "running",
               "Running": true,
               "Paused": false,
               "Restarting": false,
               "OOMKilled": false,
               "Dead": false,
               "Pid": 5638,
               "ConmonPid": 5636,
               "ExitCode": 0,
               "Error": "",
               "StartedAt": "2025-01-15T21:11:54.565491536+08:00",
               "FinishedAt": "0001-01-01T00:00:00Z",
               "CgroupPath": "/machine.slice/libpod-98f6fb407b3cf7d3c4094ead7df7a3e1b45151bd88b2ff0df48e065476a8286c.scope",
               "CheckpointedAt": "0001-01-01T00:00:00Z",
               "RestoredAt": "0001-01-01T00:00:00Z"
          },
          "Image": "b1d9df8ab81559494794e522b380878cf9ba82d4c1fb67293bcf931c3aa69ae4",
          "ImageDigest": "sha256:80dd3c3b9c6cecb9f1667e9290b3bc61b78c2678c02cbdae5f0fea92cc6734ab",
          "ImageName": "docker.io/library/ubuntu:latest",
          "Rootfs": "",
          "Pod": "",

# 从宿主机向容器复制文件
[root@podman ~]# cat helloworld.txt 
Hello World!
[root@podman ~]# podman cp helloworld.txt ubuntu_test:/home
[root@podman ~]# podman exec -it ubuntu_test /bin/bash
root@98f6fb407b3c:/# cd /home/
root@98f6fb407b3c:/home# ls
helloworld.txt  ubuntu
root@98f6fb407b3c:/home# cat helloworld.txt 
Hello World!

# 从容器向宿主机复制文件
root@98f6fb407b3c:/home# mv helloworld.txt OneWorld.txt
[root@podman ~]# podman cp ubuntu_test:/home/OneWorld.txt /tmp
[root@podman ~]# cat /tmp/OneWorld.txt 
Hello World!

# 资源限制,限制使用1核cpu,2GB内存
podman run --cpus=1 -m=2g --name nginx -d docker.io/library/nginx
Trying to pull docker.io/library/nginx:latest...

[root@podman ~]# podman stats
ID            NAME        CPU %       MEM USAGE / LIMIT  MEM %       NET IO          BLOCK IO           PIDS        CPU TIME    AVG CPU %
070a8c63fb69  nginx       0.00%       1.884MB / 2.147GB  0.09%       1.726kB / 838B  8.192kB / 20.48kB  2           15.93ms     0.02%

镜像管理

# 拉取镜像
[root@podman ~]# podman pull node:22-alpine

# 查看已有镜像
[root@podman ~]# podman images
REPOSITORY                 TAG         IMAGE ID      CREATED        SIZE
docker.io/library/node     22-alpine   546c0b137912  10 days ago    161 MB
docker.io/library/nginx    latest      9bea9f2796e2  7 weeks ago    196 MB
docker.io/library/ubuntu   latest      b1d9df8ab815  8 weeks ago    80.6 MB
docker.io/library/busybox  latest      af4709625109  3 months ago   4.52 MB
docker.io/traefik/whoami   latest      aeef15490f2b  4 months ago   7.01 MB
quay.io/podman/hello       latest      5dd467fce50b  7 months ago   787 kB

# 删除镜像
[root@podman ~]# podman rmi 5dd
Untagged: quay.io/podman/hello:latest
Deleted: 5dd467fce50b56951185da365b5feee75409968cbab5767b9b59e325fb2ecbc0

# 生成镜像
[root@podman ~]# podman run -it ubuntu:24.04 
Resolved "ubuntu" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull docker.io/library/ubuntu:24.04...
Getting image source signatures
Copying blob de44b265507a skipped: already exists  
Copying config b1d9df8ab8 done   | 
Writing manifest to image destination
root@3f5c2dbde6c0:/# apt update && apt upgrade -y && apt install vim
root@3f5c2dbde6c0:/# exit

# podman不支持-m参数
[root@podman ~]# podman commit -a "sujx@live.cn" 3f5c2 ubuntu:24.04.1
Getting image source signatures
Copying blob 687d50f2f6a6 skipped: already exists  
Copying blob 01b59003fab2 done   | 
Copying config 4c10e10b43 done   | 
Writing manifest to image destination
4c10e10b437b46c62f3175097dce553d01ef3b9ec4a390c68da35b93a2e42b44

[root@podman ~]# podman images
REPOSITORY                    TAG         IMAGE ID      CREATED         SIZE
localhost/ubuntu              24.04.1     4c10e10b437b  21 seconds ago  199 MB

自定义镜像

# 创建Podmanfile
[root@podman ~]# cat > ./Podmanfile <<EOF
FROM node:22-alpine
MAINTAINER sujx@live.cn
EXPOSE 4000

RUN npm config set registry https://registry.npmmirror.com \
&& npm install -g hexo-cli --save \
&& mkdir /opt/blog \
&& cd /opt \
&& hexo init blog \
&& cd /opt/blog \
&& npm install hexo-renderer-pug hexo-renderer-stylus --save \
&& npm install hexo-wordcount --save \
&& npm install hexo-douban --save \
&& npm install hexo-generator-sitemap --save \
&& npm install hexo-generator-feed --save \
&& npm install hexo-generator-baidu-sitemap --save\
&& npm install hexo-generator-searchdb --save \
&& npm install hexo-theme-butterfly --save \
&& npm install hexo-butterfly-extjs --save \
&& npm install hexo-butterfly-tag-plugins-plus --save \
&& npm install hexo-pdf --save \
&& npm install hexo-deployer-git --save \
&& npm install hexo-deployer-ali-oss --save \
&& npm uninstall hexo-generator-index --save \
&& npm install hexo-generator-index-pin-top --save \
&& npm install hexo-asset-image --save

CMD cd /opt/blog && hexo clean && hexo g && hexo server
EOF

[root@podman ~]# podman build -f Podmanfile -t hexo:v1
[root@podman ~]# podman images
REPOSITORY                    TAG         IMAGE ID      CREATED         SIZE
localhost/hexo                v1          5a535420cf24  6 minutes ago   962 MB

容器网络

端口暴露

# 端口暴露
[root@podman ~]# podman run -itd --name busybox-test -p80 busybox
b02b05b1881f8aa0cbca93f905a6559729e0a5c0e3be69adae2877d146579143
[root@podman ~]# podman ps
CONTAINER ID  IMAGE                             COMMAND     CREATED        STATUS        PORTS                  NAMES
b02b05b1881f  docker.io/library/busybox:latest  sh          5 seconds ago  Up 6 seconds  0.0.0.0:38171->80/tcp  busybox-test
[root@podman ~]# podman exec -it b02 /bin/sh
/ # cd /var/
/var # ls
spool  www
/var # httpd -h www
/var # netstat -tlnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 :::80                   :::*                    LISTEN      5/httpd

# 端口映射,把容器的端口映射为宿主机的一个特定或者随机端口,使得外部用户可以访问服务器内部服务,其原理是在容器底层做了iptables的地址转发,转出的流量做SNAT源地址转发,转入的流量做DNAT目标地址转发。

# 指定端口转发
[root@podman ~]# podman run -itd --name myipaddr -p 80:80 traefik/whoami
bbcc67b5fb1ce98b51335755c13498e87ace3da420b5a430001738cb27768e28
[root@podman ~]# curl 127.0.0.1
Hostname: bbcc67b5fb1c
IP: 127.0.0.1
IP: ::1
IP: 10.88.0.5
IP: fe80::c79:daff:fe48:4cb8
RemoteAddr: 10.88.0.1:55560
GET / HTTP/1.1
Host: 127.0.0.1
User-Agent: curl/8.6.0
Accept: */*

网络架构

Podman的网络架构有4种模式:

  1. 桥接模式(默认)
  2. non模式(仅本地回环)
# 桥接模式(默认)
[root@podman ~]# podman inspect myipaddr |grep IPAdd*
               "IPAddress": "10.88.0.5",
                         "IPAddress": "10.88.0.5",
                         
# none模式(仅本地回环)
[root@podman ~]# podman run -d --name=network-none --net=none nginx
539143ba161c73617ac1fd15e74a599753a71ce9658326bc5b8ebacaae114b86
[root@podman ~]# podman inspect 539143 |grep IPAdd*
               "IPAddress": "",
                         "IPAddress": "",

# host模式,容器使用当前主机IP
root@podman ~]# podman run --network=host nginx
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Sourcing /docker-entrypoint.d/15-local-resolvers.envsh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2025/01/18 16:47:15 [notice] 1#1: using the "epoll" event method
2025/01/18 16:47:15 [notice] 1#1: nginx/1.27.3
2025/01/18 16:47:15 [notice] 1#1: built by gcc 12.2.0 (Debian 12.2.0-14) 
2025/01/18 16:47:15 [notice] 1#1: OS: Linux 6.12.9-100.fc40.x86_64
2025/01/18 16:47:15 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2025/01/18 16:47:15 [notice] 1#1: start worker processes
2025/01/18 16:47:15 [notice] 1#1: start worker process 24
127.0.0.1 - - [18/Jan/2025:16:47:22 +0000] "GET / HTTP/1.1" 200 615 "-" "curl/8.6.0" "-"

# container:<id>模式,容器之间共享Network Namespace,荣期间进程通过lo网卡通信
[root@podman ~]# podman run -itd --name bb busybox
365cf25286131e596f3aef54c43fed1b83e5be5ecc5f18e4de98242812f4002d
[root@podman ~]# podman run -d --name nginx --network=container:bb nginx
1287874746dcc6f72158b8fdb1ddf07ba13bdda06bd5a04bfdecaf86426fb927
[root@podman ~]# podman exec -it bb /bin/sh
[root@podman ~]# curl 10.88.0.7
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

网络实现

# 查看网络模式,可以看到名为podman的网桥
[root@podman ~]# podman network ls
NETWORK ID    NAME        DRIVER
2f259bab93aa  podman      bridge
# 查看podman网桥信息
[root@podman ~]# ip a
……
5: podman0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ca:2c:2d:8d:b8:21 brd ff:ff:ff:ff:ff:ff
    inet 10.88.0.1/16 brd 10.88.255.255 scope global podman0
       valid_lft forever preferred_lft forever
    inet6 fe80::c82c:2dff:fe8d:b821/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
6: veth0@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master podman0 state UP group default qlen 1000
    link/ether fa:55:23:21:f6:c3 brd ff:ff:ff:ff:ff:ff link-netns netns-0e73c46a-0951-048b-fbc8-5e25f3d52e72
    inet6 fe80::18b5:62ff:fec9:3476/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
# 查看NAT规则
[root@podman ~]# iptables -L -t nat

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
NETAVARK-HOSTPORT-MASQ  all  --  anywhere             anywhere            
NETAVARK-1D8721804F16F  all  --  10.88.0.0/16         anywhere            

Chain NETAVARK-1D8721804F16F (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             10.88.0.0/16        
MASQUERADE  all  --  anywhere            !base-address.mcast.net/4

本地存储

存储卷

# 将本地web文件夹挂载到容器中,使用本地文件进行存储
podman run -itd -v /root/web:/var/www/html -p 8080:80 httpd

存储容器

# 通过创建多个容器,使用容器来存储数据
[root@podman ~]# podman run -itd --name db_data -v /db_data ubuntu
8e48de5ce3d36803352052643734689b2a2250ef9e3558253342e603b315b94a
[root@podman ~]# podman run -id --name db1 --volumes-from db_data ubuntu
83c227c5c077582cd700862508958d41e0532023ead11c95953aae0c4bc6faef
# 查看存储容器内容
[root@podman ~]# podman exec -it 8e48de /bin/bash
root@8e48de5ce3d3:/# ls
bin  boot  db_data  dev  etc  home  lib  lib64  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var
root@8e48de5ce3d3:/# ls db_data/
root@8e48de5ce3d3:/# cd db_data/
root@8e48de5ce3d3:/db_data# touch TestDB
root@8e48de5ce3d3:/db_data# exit
exit
# 查看应用容器内容
[root@podman ~]# podman exec -it 83c227 /bin/bash
root@83c227c5c077:/# ls /db_data/
TestDB
root@83c227c5c077:/# exit
exit

# 查看文件实际位置            
[root@podman ~]# ls /var/lib/containers/storage/volumes/84a3b4a00b1557b6754f1ed9633294df117697d1608adc91701b335297caa61f/_data/
TestDB

性能监控

# stats命令 查看当前主机上容器的具体资源占用情况
[root@podman _data]# podman stats 
ID            NAME        CPU %       MEM USAGE / LIMIT  MEM %       NET IO          BLOCK IO          PIDS        CPU TIME    AVG CPU %
8e48de5ce3d3  db_data     0.01%       606.2kB / 4.044GB  0.01%       1.942kB / 978B  9.97MB / 4.096kB  1           29.762ms    0.01%
83c227c5c077  db1         0.00%       241.7kB / 4.044GB  0.01%       1.216kB / 978B  0B / 4.096kB      1           10.716ms    0.00%
# top命令 查看容器内的应用使用情况
[root@podman _data]# podman top 83c22
USER        PID         PPID        %CPU        ELAPSED          TTY         TIME        COMMAND
root        1           0           0.000       7m29.133340188s  ?           0s          /bin/bash