Podman Download: Where to Get the Daemonless Container Engine and How to Install and Deploy Podman

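1. Introduction to Podman and Version Notes

Podman (Pod Manager) is an open-source container engine developed and maintained by Red Hat. Unlike Docker, Podman uses a daemonless architecture and can run containers directly as a non-root user, which provides better security and flexibility. Podman is fully compatible with Docker CLI commands, so migration is seamless.

Latest Podman versions:

Podman 5.2.0 (latest stable release, 2024)
Podman 5.1.0 (stable release, 2024)
Podman 5.0.0 (stable release, 2024)
Podman 4.9.0 (stable release, 2023)
Podman 4.8.0 (stable release, 2023)

Core Podman features:

Architecture:
- Daemonless
- Can run as a non-root user (rootless)
- Containers are managed directly with systemd
- Supports the Pod concept (similar to Kubernetes)

Compatibility:
- Fully compatible with Docker CLI commands
- Supports the Docker image format
- Supports Docker Compose (via podman-compose)
- Supports the OCI runtime specification

Security:
- User namespace isolation
- SELinux policy support
- cgroups v2 support
- Minimized container privileges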

2. Ways to Download Podman

Podman can be installed in several ways, including package managers, binary files, and building from source.

Method 1: RHEL/CentOS/Fedora

# CentOS Stream 9 / RHEL 9
$ sudo dnf install -y podman

# CentOS 7
$ sudo yum install -y podman

# Fedora
$ sudo dnf install -y podman

# Verify the installation
$ podman --version

Sample output:
podman version 5.2.0

# Show detailed information
$ podman info

Sample output:
host:
  arch: amd64
  buildahVersion: 1.35.0
  cgroupControllers:
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.10-1.el9.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.10, commit: abc123'
  cpus: 8
  distribution:
    distribution: '"centos"'
    version: "9"
  eventLogger: journald
  hostname: fgedu.net.cn
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 5.14.0-362.el9.x86_64
  memFree: 33554432
  memTotal: 67108864
  os: linux
  rootless: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.3-1.el9.x86_64
    version: |-
      slirp4netns version 1.2.3
      commit: abc123def456
  swapFree: 17179869184
  swapTotal: 17179869184
  uptime: 72h 30m 15s

Method 2: Ubuntu/Debian

# Ubuntu 22.04/24.04
$ sudo apt-get update
$ sudo apt-get install -y podman

# Debian 12
$ sudo apt-get update
$ sudo apt-get install -y podman

# Verify the installation
$ podman --version

Sample output:
podman version 5.2.0

Method 3: Binary installation

# Create the installation directory
$ mkdir -p /fgeudb/software/podman
$ cd /fgeudb/software/podman

# Download the Podman binary archive
$ wget https://github.com/containers/podman/releases/download/v5.2.0/podman-5.2.0.tar.gz

# Extract it
$ tar -zxvf podman-5.2.0.tar.gz

# Install dependencies
$ sudo dnf install -y conmon slirp4netns fuse-overlayfs

# Copy the binary
$ sudo cp bin/podman /usr/local/bin/

# Verify the installation
$ podman --version

Sample output:
podman version 5.2.0

Method 4: macOS

# Install with Homebrew
$ brew install podman

# Initialize the Podman machine
$ podman machine init

Sample output:
Downloading VM image...
Extracting compressed file...
Image resized.
Machine init complete.

# Start the Podman machine
$ podman machine start

Sample output:
Starting machine "podman-machine-default"
This machine is currently configured in "rootless" mode.
Machine "podman-machine-default" started successfully

# Verify the installation
$ podman --version

Sample output:
podman version 5.2.0

3. Installing and Deploying Podman

After installation, Podman needs some basic configuration, including storage and network settings.

Step 1: Install the required dependencies

# Install the container tools
$ sudo dnf install -y podman podman-docker buildah skopeo

# Install the networking tools
$ sudo dnf install -y slirp4netns fuse-overlayfs

# Install the SELinux tools
$ sudo dnf install -y container-selinux

# Verify the installation
$ rpm -qa | grep -E "podman|buildah|skopeo"

Sample output:
podman-5.2.0-1.el9.x86_64
podman-docker-5.2.0-1.el9.noarch
buildah-1.35.0-1.el9.x86_64
skopeo-1.15.0-1.el9.x86_64

Step 2: Configure storage

# Create the configuration directory
$ sudo mkdir -p /etc/containers

# Edit the storage configuration
$ sudo vi /etc/containers/storage.conf

[storage]
driver = "overlay"
runroot = "/run/containers/storage"
graphroot = "/var/lib/containers/storage"

[storage.options]
additionalimagestores = [
]

[storage.options.overlay]
mountopt = "nodev,metacopy=on"

# Create the storage directory
$ sudo mkdir -p /var/lib/containers/storage
$ sudo chmod 755 /var/lib/containers/storage

# Verify the storage configuration
$ podman info | grep -A 10 store

Sample output:
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphRoot: /var/lib/containers/storage

Step 3: Configure image registries

# Edit the registry configuration
$ sudo vi /etc/containers/registries.conf

unqualified-search-registries = ["docker.io", "quay.io"]

[[registry]]
prefix = "docker.io"
location = "docker.io"

[[registry.mirror]]
location = "docker.mirrors.ustc.edu.cn"

[[registry.mirror]]
location = "hub-mirror.c.163.com"

[[registry]]
prefix = "quay.io"
location = "quay.io"

[[registry.mirror]]
location = "quay.mirrors.ustc.edu.cn"

# Verify the configuration
$ podman info | grep -A 5 registries

Sample output:
registries:
  docker.io:
    Blocked: false
    Insecure: false
    Location: docker.io
    MirrorByDigest: false
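
The registries.conf in step 3 lists two unqualified-search registries and three third-party mirrors, and each of these settings changes which server an image reference is actually pulled from. The static check below is an added example, not part of the original article or of the Podman project; the function name `audit_registries_conf` and the tightened variant are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: static review of a registries.conf (v2 format, single-line arrays).
# Prints one WARN line per finding; the exit status is non-zero if there is any.
audit_registries_conf() {
    awk '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }    # drop comments and padding
        /^unqualified-search-registries[ \t]*=/ {
            n = gsub(/"[^"]+"/, "&")                       # count quoted registry names
            if (n > 1) { print "WARN short names resolve against " n " registries"; bad = 1 }
        }
        /^\[\[registry\]\]$/         { digest_only = 0; in_mirror = 0; next }
        /^\[\[registry\.mirror\]\]$/ { in_mirror = 1; next }
        /^mirror-by-digest-only[ \t]*=[ \t]*true$/ { digest_only = 1 }
        /^insecure[ \t]*=[ \t]*true$/ {
            print "WARN insecure = true allows HTTP and untrusted TLS certificates"; bad = 1
        }
        in_mirror && !digest_only && /^location[ \t]*=/ {
            split($0, q, "\"")
            print "WARN mirror " q[2] " is also used for pulls by tag"; bad = 1
        }
        END { exit bad }
    ' "$1"
}

# Constructed samples: the configuration from step 3, then a tightened variant.
page_conf=$(mktemp); strict_conf=$(mktemp)
cat > "$page_conf" <<'EOF'
unqualified-search-registries = ["docker.io", "quay.io"]
[[registry]]
prefix = "docker.io"
location = "docker.io"
[[registry.mirror]]
location = "docker.mirrors.ustc.edu.cn"
[[registry.mirror]]
location = "hub-mirror.c.163.com"
[[registry]]
prefix = "quay.io"
location = "quay.io"
[[registry.mirror]]
location = "quay.mirrors.ustc.edu.cn"
EOF
printf '%s\n' 'unqualified-search-registries = ["docker.io"]' '[[registry]]' \
    'prefix = "docker.io"' 'location = "docker.io"' 'mirror-by-digest-only = true' \
    '[[registry.mirror]]' 'location = "docker.mirrors.ustc.edu.cn"' > "$strict_conf"
audit_registries_conf "$page_conf" || echo "review the findings above"
audit_registries_conf "$strict_conf" && echo "tightened variant: no findings"
```

With `mirror-by-digest-only = true` a mirror is consulted only for pulls by digest, so it cannot decide what a tag such as `latest` points to.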

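Step 4: Configure rootless mode

# Enable user namespaces
$ echo "user.max_user_namespaces=15000" | sudo tee -a /etc/sysctl.conf

# Apply the setting
$ sudo sysctl -p

# Configure subuid and subgid
$ sudo vi /etc/subuid
fgedu:100000:65536

$ sudo vi /etc/subgid
fgedu:100000:65536

# Create the per-user configuration directory
$ mkdir -p ~/.config/containers

# Create the per-user storage configuration
$ vi ~/.config/containers/storage.conf

[storage]
driver = "overlay"
# storage.conf is not processed by a shell, so $(id -u) is never expanded.
# Write the numeric UID (the output of `id -u`; 1000 is assumed here) and absolute paths.
runroot = "/run/user/1000/containers"
graphroot = "/home/fgedu/.local/share/containers/storage"

[storage.options.overlay]
mount_program = "/usr/bin/fuse-overlayfs"

# Verify rootless mode
$ podman info | grep rootless

Sample output:
rootless: true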
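
Rootless Podman maps container UIDs and GIDs onto the host ranges listed in /etc/subuid and /etc/subgid, so two users whose ranges overlap share host IDs between their containers and lose file and process isolation. The check below is an added example, not part of the original article; the second user `deploy` and its ranges are constructed sample data.

```shell
#!/bin/sh
# Added example: find overlapping subordinate ID ranges in an /etc/subuid- or
# /etc/subgid-style file (one "name:start:count" entry per line).

# check_subid_overlap FILE
# Prints one OVERLAP line per conflicting entry and returns 1 if any was found.
check_subid_overlap() {
    # Skip comments and blank lines, then sort by range start so that each entry
    # only has to be compared with the highest range end seen so far.
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" |
    sort -t: -k2,2n |
    awk -F: '
        NR > 1 && $2 <= max_end {
            printf "OVERLAP %s:%d-%d with %s (ends at %d)\n", $1, $2, $2 + $3 - 1, owner, max_end
            bad = 1
        }
        NR == 1 || $2 + $3 - 1 > max_end { max_end = $2 + $3 - 1; owner = $1 }
        END { exit bad }
    '
}

# Constructed samples: fgedu uses the range from step 4; "deploy" is a
# hypothetical second user. In the first file its range starts inside fgedu's.
sample_bad=$(mktemp); sample_ok=$(mktemp)
printf '%s\n' 'fgedu:100000:65536' 'deploy:150000:65536' > "$sample_bad"
printf '%s\n' 'fgedu:100000:65536' 'deploy:165536:65536' > "$sample_ok"

check_subid_overlap "$sample_bad" || echo "fix the ranges above before running rootless containers"
check_subid_overlap "$sample_ok" && echo "no overlapping ranges"
```

Run it against both /etc/subuid and /etc/subgid after adding a user by hand, since editing the files with vi bypasses the range allocation that useradd performs.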

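Production recommendations: run containers in rootless mode to improve security. Configure registry mirrors located in China to speed up image pulls. Regularly clean up unused images and containers to free storage space.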

4. Podman Configuration in Detail

Podman configuration covers storage, networking, security, and more. Tip: correct configuration is the foundation for running Podman reliably.

Core containers.conf settings

# Edit containers.conf
$ sudo vi /etc/containers/containers.conf

[containers]
# Default capabilities
default_capabilities = [
  "CHOWN",
  "DAC_OVERRIDE",
  "FOWNER",
  "FSETID",
  "KILL",
  "NET_BIND_SERVICE",
  "SETFCAP",
  "SETGID",
  "SETPCAP",
  "SETUID",
]

# Default sysctls
default_sysctls = [
  "net.ipv4.ping_group_range=0 0",
]

# Log driver
log_driver = "journald"

# Maximum log size
log_size_max = -1

# Default stop timeout
stop_timeout = 10

[engine]
# Runtime
runtime = "runc"

# Number of parallel image copies
image_parallel_copies = 0

# Network backend
network_backend = "cni"

# Default namespace
namespace = ""

# Default image transport
image_default_transport = "docker://"

# Events logger
events_logger = "journald"

Network configuration

# List the default networks
$ podman network ls

Sample output:
NETWORK ID    NAME    DRIVER
88483c76d7e3  podman  bridge

# Create a custom network
$ podman network create --driver bridge --subnet 172.20.0.0/16 --gateway 172.20.0.1 fgedu_net

Sample output:
fgedu_net

# Inspect the network
$ podman network inspect fgedu_net

Sample output:
[
  {
    "cniVersion": "1.0.0",
    "name": "fgedu_net",
    "plugins": [
      {
        "type": "bridge",
        "bridge": "cni-podman1",
        "ipam": {
          "type": "host-local",
          "ranges": [
            [
              {
                "gateway": "172.20.0.1",
                "subnet": "172.20.0.0/16"
              }
            ]
          ],
          "routes": [
            {
              "dst": "0.0.0.0/0"
            }
          ]
        }
      }
    ]
  }
]

5. Container Management in Practice

Podman provides Docker-compatible container management commands.

Step 1: Manage images

# Search for an image
$ podman search nginx

Sample output:
INDEX      NAME                     DESCRIPTION
docker.io  docker.io/library/nginx  Official build of Nginx.
docker.io  docker.io/bitnami/nginx  Bitnami nginx Docker Image
docker.io  docker.io/ubuntu/nginx   Nginx, a high performance reverse proxy…

# Pull an image
$ podman pull docker.io/library/nginx:latest

Sample output:
Trying to pull docker.io/library/nginx:latest...
Getting image source signatures
Copying blob sha256:abc123def456…
Copying config sha256:def456ghi789…
Writing manifest to image destination
Storing signatures
def456ghi789jkl012mno345pqr678stu901vwx234yza567bcd890

# List local images
$ podman images

Sample output:
REPOSITORY               TAG     IMAGE ID      CREATED     SIZE
docker.io/library/nginx  latest  def456ghi789  2 days ago  146 MB

# Tag an image
$ podman tag docker.io/library/nginx:latest fgedu-nginx:v1

# Remove an image
$ podman rmi docker.io/library/nginx:latest

# Export an image
$ podman save -o nginx.tar docker.io/library/nginx:latest

# Import an image
$ podman load -i nginx.tar

Step 2: Run containers

# Run a simple container
$ podman run -d --name nginx-test -p 8080:80 docker.io/library/nginx:latest

Sample output:
abc123def456789012345678901234567890123456789012345678901234

# List running containers
$ podman ps

Sample output:
CONTAINER ID  IMAGE                           COMMAND             CREATED        STATUS            PORTS                 NAMES
abc123def456  docker.io/library/nginx:latest  /docker-entrypoin…  5 seconds ago  Up 4 seconds ago  0.0.0.0:8080->80/tcp  nginx-test

# List all containers (including stopped ones)
$ podman ps -a

# View container logs
$ podman logs nginx-test

Sample output:
2026/04/04 10:00:00 [notice] 1#1: using the "epoll" event method
2026/04/04 10:00:00 [notice] 1#1: nginx/1.25.4
2026/04/04 10:00:00 [notice] 1#1: built by gcc 12.2.0 (Debian 12.2.0-14)
2026/04/04 10:00:00 [notice] 1#1: OS: Linux 5.14.0-362.el9.x86_64
2026/04/04 10:00:00 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1073741816:1073741816

# Open a shell in the container
$ podman exec -it nginx-test /bin/bash

# Stop the container
$ podman stop nginx-test

# Start the container
$ podman start nginx-test

# Remove the container
$ podman rm nginx-test

Step 3: Limit container resources

# Run a container with resource limits
$ podman run -d \
  --name web-app \
  --memory=512m \
  --memory-swap=1g \
  --cpus=1.5 \
  --cpu-shares=512 \
  --pids-limit=100 \
  -p 8080:80 \
  docker.io/library/nginx:latest

Sample output:
def456ghi789012345678901234567890123456789012345678901234567

# View container resource usage
$ podman stats web-app

Sample output:
ID            NAME     CPU %  MEM USAGE / LIMIT  MEM %  NET IO      BLOCK IO  PIDS
def456ghi789  web-app  0.01%  5.5MB / 512MB      1.07%  1.2kB / 0B  0B / 0B   2

# Inspect the container
$ podman inspect web-app

Sample output:
[
  {
    "Id": "def456ghi789…",
    "Created": "2026-04-04T10:00:00.000000000Z",
    "Path": "/docker-entrypoint.sh",
    "Args": [
      "nginx",
      "-g",
      "daemon off;"
    ],
    "State": {
      "Status": "running",
      "Running": true,
      "Paused": false,
      "Pid": 12345
    },
    "HostConfig": {
      "Memory": 536870912,
      "MemorySwap": 1073741824,
      "CpuShares": 512,
      "CpuQuota": 150000,
      "PidsLimit": 100
    }
  }
]

6. Pod Management in Practice

Podman supports the Pod concept, which lets you group several containers and manage them together, similar to a Kubernetes Pod.

Step 1: Create a Pod

# Create a Pod
$ podman pod create --name fgedu-pod -p 8080:80

Sample output:
abc123def456789012345678901234567890123456789012345678901234

# List Pods
$ podman pod ls

Sample output:
POD ID        NAME       STATUS   CREATED         INFRA ID      # OF CONTAINERS
abc123def456  fgedu-pod  Created  10 seconds ago  def456ghi789  1

# Inspect the Pod
$ podman pod inspect fgedu-pod

Sample output:
{
  "Id": "abc123def456789012345678901234567890123456789012345678901234",
  "Name": "fgedu-pod",
  "Created": "2026-04-04T10:00:00.000000000Z",
  "State": "Created",
  "Hostname": "",
  "CreateCommand": [
    "podman",
    "pod",
    "create",
    "--name",
    "fgedu-pod",
    "-p",
    "8080:80"
  ],
  "Containers": [
    {
      "Id": "def456ghi789…",
      "Name": "abc123def456789-infra",
      "State": "configured"
    }
  ]
}

Step 2: Run containers in the Pod

# Add an Nginx container to the Pod
$ podman run -d --pod fgedu-pod --name nginx \
  docker.io/library/nginx:latest

Sample output:
ghi789jkl012345678901234567890123456789012345678901234567890

# Add an application container to the Pod
$ podman run -d --pod fgedu-pod --name web-app \
  -e APP_ENV=production \
  docker.io/library/python:3.11-slim \
  python -m http.server 8081

Sample output:
jkl012mno345678901234567890123456789012345678901234567890123

# List the containers in the Pod
$ podman ps --pod

Sample output:
CONTAINER ID  IMAGE                               COMMAND             POD ID        NAMES
def456ghi789  k8s.gcr.io/pause:3.9                                    abc123def456  abc123def456789-infra
ghi789jkl012  docker.io/library/nginx:latest      /docker-entrypoin…  abc123def456  nginx
jkl012mno345  docker.io/library/python:3.11-slim  python -m http.se…  abc123def456  web-app

# Start the Pod
$ podman pod start fgedu-pod

# Stop the Pod
$ podman pod stop fgedu-pod

# Remove the Pod
$ podman pod rm fgedu-pod

Step 3: Generate Kubernetes YAML

# Generate Kubernetes Pod YAML
$ podman generate kube fgedu-pod > fgedu-pod.yaml

# View the generated YAML
$ cat fgedu-pod.yaml

Sample output:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: "2026-04-04T10:00:00Z"
  labels:
    app: fgedu-pod
  name: fgedu-pod
spec:
  containers:
  - image: docker.io/library/nginx:latest
    name: nginx
    ports:
    - containerPort: 80
      hostPort: 8080
      protocol: TCP
    resources: {}
  - args:
    - python
    - -m
    - http.server
    - "8081"
    env:
    - name: APP_ENV
      value: production
    image: docker.io/library/python:3.11-slim
    name: web-app
    resources: {}
  hostname: fgedu-pod
status: {}

# Create a Pod from the YAML
$ podman play kube fgedu-pod.yaml

7. Network and Storage Management

Podman provides flexible network and storage management.

Step 1: Manage volumes

# Create a volume
$ podman volume create fgedu-data

Sample output:
fgedu-data

# List volumes
$ podman volume ls

Sample output:
DRIVER  VOLUME NAME
local   fgedu-data

# Inspect the volume
$ podman volume inspect fgedu-data

Sample output:
[
  {
    "Name": "fgedu-data",
    "Driver": "local",
    "Mountpoint": "/var/lib/containers/storage/volumes/fgedu-data/_data",
    "CreatedAt": "2026-04-04T10:00:00.000000000Z",
    "Labels": {},
    "Scope": "local",
    "Options": {}
  }
]

# Run a container that uses the volume
$ podman run -d \
  --name mysql-server \
  -v fgedu-data:/var/lib/mysql \
  -e MYSQL_ROOT_PASSWORD=root123 \
  docker.io/library/mysql:8.0

Sample output:
mno345pqr678901234567890123456789012345678901234567890123456

# Mount a host directory
$ podman run -d \
  --name web-server \
  -v /fgeudb/web:/usr/share/nginx/html:ro \
  -p 8080:80 \
  docker.io/library/nginx:latest

# Remove the volume
$ podman volume rm fgedu-data

Step 2: systemd integration

# Generate a systemd service file
$ podman generate systemd --name nginx-test --files --new

Sample output:
/home/fgedu/container-nginx-test.service

# View the generated service file
$ cat /home/fgedu/container-nginx-test.service

Sample output:
[Unit]
Description=Podman container-nginx-test.service
Documentation=man:podman-generate-systemd(1)
Wants=network-online.target
After=network-online.target
RequiresMountsFor=%t/containers

[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=on-failure
TimeoutStopSec=70
ExecStart=/usr/bin/podman run \
  --cidfile=%t/%n.ctr-id \
  --cgroups=no-conmon \
  --rm \
  --sdnotify=conmon \
  -d \
  --name nginx-test \
  -p 8080:80 \
  docker.io/library/nginx:latest
ExecStop=/usr/bin/podman stop \
  --ignore \
  --cidfile=%t/%n.ctr-id \
  -t 10
ExecStopPost=/usr/bin/podman rm \
  --ignore \
  -f \
  --cidfile=%t/%n.ctr-id
Type=notify
NotifyAccess=all

[Install]
WantedBy=default.target

# Copy the service file
$ sudo cp /home/fgedu/container-nginx-test.service /etc/systemd/system/

# Enable and start the service
$ sudo systemctl daemon-reload
$ sudo systemctl enable container-nginx-test.service
$ sudo systemctl start container-nginx-test.service

# Check the service status
$ sudo systemctl status container-nginx-test.service

Sample output:
● container-nginx-test.service - Podman container-nginx-test.service
   Loaded: loaded (/etc/systemd/system/container-nginx-test.service; enabled)
   Active: active (running) since Thu 2026-04-04 10:00:00 CST; 5s ago

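Production recommendations: manage container services with systemd to get start-on-boot and failure recovery. Group related containers in a Pod so they can be managed together. Configure resource limits so that no single container consumes too many resources. Regularly clean up unused images and containers to free storage space.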

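This article was compiled and published by Feng Ge Tutorials (风哥教程) and is intended for learning and testing only. When reposting, cite the source: http://www.fgedu.net.cn/10327.html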
