Back to Details

podman

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

Podman

Podman

Run and manage containers without a daemon using Podman's rootless container engine.
使用Podman的无根容器引擎,无需守护进程即可运行和管理容器。

When to Use This Skill

何时使用本技能

Use this skill when:
  • Running containers without root privileges
  • Managing containers on systems without Docker
  • Creating pod-based container groups
  • Using systemd for container management
  • Working in security-conscious environments
在以下场景中使用本技能:
  • 无需root权限运行容器
  • 在没有Docker的系统上管理容器
  • 创建基于Pod的容器组
  • 使用systemd管理容器
  • 在注重安全性的环境中工作

Prerequisites

前提条件

  • Podman installed (4.x+)
  • For rootless: user namespaces enabled
  • Basic container concepts understanding
  • 已安装Podman(4.x及以上版本)
  • 无根模式:已启用用户命名空间
  • 了解基本容器概念

Key Differences from Docker

与Docker的主要区别

FeatureDockerPodman
ArchitectureClient-daemonDaemonless
Root requiredDefaultOptional (rootless)
Pod supportNoYes (Kubernetes-style)
Systemd integrationLimitedNative
Socketdocker.sockpodman.sock (optional)
特性DockerPodman
架构客户端-守护进程无守护进程
是否需要Root默认需要可选(无根模式)
Pod支持支持(Kubernetes风格)
Systemd集成有限原生支持
套接字docker.sockpodman.sock(可选)

Basic Commands

基础命令

Container Operations

容器操作

bash
undefined
bash
undefined

Run container (identical to Docker)

运行容器(与Docker命令一致)

podman run -d --name webserver -p 8080:80 nginx
podman run -d --name webserver -p 8080:80 nginx

List containers

列出容器

podman ps -a
podman ps -a

Stop and remove

停止并删除容器

podman stop webserver podman rm webserver
podman stop webserver podman rm webserver

Execute command

在容器中执行命令

podman exec -it webserver /bin/sh
podman exec -it webserver /bin/sh

View logs

查看日志

podman logs -f webserver
undefined
podman logs -f webserver
undefined

Image Management

镜像管理

bash
undefined
bash
undefined

Pull image

拉取镜像

podman pull docker.io/library/nginx:latest
podman pull docker.io/library/nginx:latest

List images

列出镜像

podman images
podman images

Build image

构建镜像

podman build -t myapp:latest .
podman build -t myapp:latest .

Push to registry

推送镜像到仓库

podman push myapp:latest registry.example.com/myapp:latest
podman push myapp:latest registry.example.com/myapp:latest

Remove image

删除镜像

podman rmi nginx:latest
undefined
podman rmi nginx:latest
undefined

Rootless Containers

无根容器

Setup

配置步骤

bash
undefined
bash
undefined

Check user namespace support

检查用户命名空间支持

cat /proc/sys/user/max_user_namespaces
cat /proc/sys/user/max_user_namespaces

Enable if needed (as root)

若需要则启用(以root身份执行)

echo "user.max_user_namespaces=28633" | sudo tee /etc/sysctl.d/userns.conf sudo sysctl -p /etc/sysctl.d/userns.conf
echo "user.max_user_namespaces=28633" | sudo tee /etc/sysctl.d/userns.conf sudo sysctl -p /etc/sysctl.d/userns.conf

Configure subuid/subgid for user

为用户配置subuid/subgid

sudo usermod --add-subuids 100000-165535 --add-subgids 100000-165535 $USER
sudo usermod --add-subuids 100000-165535 --add-subgids 100000-165535 $USER

Verify

验证配置

podman unshare cat /proc/self/uid_map
undefined
podman unshare cat /proc/self/uid_map
undefined

Running Rootless

运行无根容器

bash
undefined
bash
undefined

Run as regular user (no sudo)

以普通用户身份运行(无需sudo)

podman run -d --name myapp -p 8080:80 nginx
podman run -d --name myapp -p 8080:80 nginx

Check user namespace mapping

检查用户命名空间映射

podman unshare id
podman unshare id

Verify non-root

验证非root身份

podman top myapp user
undefined
podman top myapp user
undefined

Port Considerations

端口注意事项

bash
undefined
bash
undefined

Rootless cannot bind to ports < 1024 by default

默认情况下,无根模式无法绑定1024以下的端口

Use ports >= 1024

使用1024及以上的端口

podman run -d -p 8080:80 nginx
podman run -d -p 8080:80 nginx

Or enable unprivileged ports (as root)

或者启用非特权端口(以root身份执行)

echo "net.ipv4.ip_unprivileged_port_start=80" | sudo tee /etc/sysctl.d/ports.conf sudo sysctl -p /etc/sysctl.d/ports.conf
undefined
echo "net.ipv4.ip_unprivileged_port_start=80" | sudo tee /etc/sysctl.d/ports.conf sudo sysctl -p /etc/sysctl.d/ports.conf
undefined

Pods

Pod管理

Creating Pods

创建Pod

bash
undefined
bash
undefined

Create pod

创建Pod

podman pod create --name mypod -p 8080:80 -p 5432:5432
podman pod create --name mypod -p 8080:80 -p 5432:5432

Add containers to pod

向Pod中添加容器

podman run -d --pod mypod --name web nginx podman run -d --pod mypod --name db postgres:15
podman run -d --pod mypod --name web nginx podman run -d --pod mypod --name db postgres:15

List pods

列出Pod

podman pod ps
podman pod ps

Containers share network namespace

容器共享网络命名空间

podman exec web curl localhost:5432
undefined
podman exec web curl localhost:5432
undefined

Pod Management

Pod运维

bash
undefined
bash
undefined

Start/stop pod (affects all containers)

启动/停止Pod(影响所有容器)

podman pod start mypod podman pod stop mypod
podman pod start mypod podman pod stop mypod

Remove pod and containers

删除Pod及其中的容器

podman pod rm -f mypod
podman pod rm -f mypod

View pod details

查看Pod详情

podman pod inspect mypod
podman pod inspect mypod

Generate Kubernetes YAML from pod

从Pod生成Kubernetes YAML文件

podman generate kube mypod > mypod.yaml
undefined
podman generate kube mypod > mypod.yaml
undefined

Systemd Integration

Systemd集成

Generate Systemd Unit

生成Systemd单元文件

bash
undefined
bash
undefined

Generate unit file for container

为容器生成单元文件

podman generate systemd --new --name myapp > ~/.config/systemd/user/container-myapp.service
podman generate systemd --new --name myapp > ~/.config/systemd/user/container-myapp.service

For pod

为Pod生成单元文件

podman generate systemd --new --name mypod --files
podman generate systemd --new --name mypod --files

Reload systemd

重新加载systemd

systemctl --user daemon-reload
systemctl --user daemon-reload

Enable and start

启用并启动服务

systemctl --user enable --now container-myapp.service
undefined
systemctl --user enable --now container-myapp.service
undefined

Quadlet (Podman 4.4+)

Quadlet(Podman 4.4+)

ini
undefined
ini
undefined

~/.config/containers/systemd/webapp.container

~/.config/containers/systemd/webapp.container

[Container] Image=docker.io/library/nginx:latest PublishPort=8080:80 Volume=webapp-data:/usr/share/nginx/html
[Service] Restart=always
[Install] WantedBy=default.target

```bash
[Container] Image=docker.io/library/nginx:latest PublishPort=8080:80 Volume=webapp-data:/usr/share/nginx/html
[Service] Restart=always
[Install] WantedBy=default.target

```bash

Reload to generate service

重新加载以生成服务

systemctl --user daemon-reload
systemctl --user daemon-reload

Start the service

启动服务

systemctl --user start webapp
undefined
systemctl --user start webapp
undefined

Compose Compatibility

Compose兼容性

Using Podman Compose

使用Podman Compose

bash
undefined
bash
undefined

Install podman-compose

安装podman-compose

pip install podman-compose
pip install podman-compose

Run compose file

运行Compose文件

podman-compose up -d
podman-compose up -d

Or use Docker Compose with Podman socket

或通过Podman套接字使用Docker Compose

systemctl --user enable --now podman.socket export DOCKER_HOST=unix:///run/user/$UID/podman/podman.sock docker-compose up -d
undefined
systemctl --user enable --now podman.socket export DOCKER_HOST=unix:///run/user/$UID/podman/podman.sock docker-compose up -d
undefined

Native Podman Kube

原生Podman Kube支持

bash
undefined
bash
undefined

Play Kubernetes YAML

运行Kubernetes YAML文件

podman kube play deployment.yaml
podman kube play deployment.yaml

Stop and remove

停止并删除资源

podman kube down deployment.yaml
undefined
podman kube down deployment.yaml
undefined

Networking

网络配置

Network Management

网络管理

bash
undefined
bash
undefined

Create network

创建网络

podman network create mynetwork
podman network create mynetwork

Run on network

在指定网络上运行容器

podman run -d --network mynetwork --name app myapp
podman run -d --network mynetwork --name app myapp

Connect container to network

将现有容器连接到网络

podman network connect mynetwork existing-container
podman network connect mynetwork existing-container

List networks

列出网络

podman network ls
podman network ls

Inspect network

查看网络详情

podman network inspect mynetwork
undefined
podman network inspect mynetwork
undefined

DNS Resolution

DNS解析

bash
undefined
bash
undefined

Containers on same network can resolve by name

同一网络中的容器可通过名称解析

podman run -d --network mynetwork --name db postgres:15 podman run -d --network mynetwork --name app
-e DATABASE_HOST=db myapp
undefined
podman run -d --network mynetwork --name db postgres:15 podman run -d --network mynetwork --name app
-e DATABASE_HOST=db myapp
undefined

Storage

存储管理

Volume Management

卷管理

bash
undefined
bash
undefined

Create volume

创建卷

podman volume create mydata
podman volume create mydata

Use volume

使用卷

podman run -d -v mydata:/data myapp
podman run -d -v mydata:/data myapp

List volumes

列出卷

podman volume ls
podman volume ls

Inspect volume

查看卷详情

podman volume inspect mydata
podman volume inspect mydata

Rootless volumes location

无根模式下卷的存储位置

ls ~/.local/share/containers/storage/volumes/
undefined
ls ~/.local/share/containers/storage/volumes/
undefined

Bind Mounts

绑定挂载

bash
undefined
bash
undefined

Bind mount with SELinux label

使用SELinux标签进行绑定挂载

podman run -v ./data:/app/data:Z myapp
podman run -v ./data:/app/data:Z myapp

Z = private label (single container)

Z = 私有标签(单个容器使用)

z = shared label (multiple containers)

z = 共享标签(多个容器使用)

undefined
undefined

Registry Configuration

镜像仓库配置

Configure Registries

配置仓库

bash
undefined
bash
undefined

Edit registries.conf

编辑registries.conf文件

~/.config/containers/registries.conf

~/.config/containers/registries.conf


```toml
unqualified-search-registries = ["docker.io", "quay.io"]

[[registry]]
prefix = "docker.io"
location = "docker.io"

[[registry.mirror]]
location = "mirror.gcr.io"

```toml
unqualified-search-registries = ["docker.io", "quay.io"]

[[registry]]
prefix = "docker.io"
location = "docker.io"

[[registry.mirror]]
location = "mirror.gcr.io"

Authentication

身份验证

bash
undefined
bash
undefined

Login to registry

登录到镜像仓库

podman login docker.io
podman login docker.io

Login to private registry

登录到私有镜像仓库

podman login registry.example.com
podman login registry.example.com

Credentials stored in

凭据存储在以下位置

~/.config/containers/auth.json

~/.config/containers/auth.json

undefined
undefined

Building Images

镜像构建

Buildah Integration

Buildah集成

bash
undefined
bash
undefined

Podman uses Buildah for builds

Podman使用Buildah进行镜像构建

podman build -t myapp:latest .
podman build -t myapp:latest .

Build with specific format

以指定格式构建镜像

podman build --format docker -t myapp .
podman build --format docker -t myapp .

Multi-stage build

多阶段构建

podman build --target production -t myapp:prod .
undefined
podman build --target production -t myapp:prod .
undefined

Buildah Commands

Buildah命令

bash
undefined
bash
undefined

Create container from scratch

从基础镜像创建容器

buildah from scratch buildah copy working-container ./app /app buildah config --entrypoint '["/app/main"]' working-container buildah commit working-container myapp:minimal
undefined
buildah from scratch buildah copy working-container ./app /app buildah config --entrypoint '["/app/main"]' working-container buildah commit working-container myapp:minimal
undefined

Common Issues

常见问题

Issue: Permission Denied

问题:权限被拒绝

Problem: Cannot access files in mounted volumes Solution: Use 
:Z
or 
:z
suffix for SELinux, or check ownership
问题:无法访问挂载卷中的文件 解决方案:为绑定挂载添加
:Z
:z
后缀以适配SELinux,或检查文件所有权

Issue: Cannot Connect to Container

问题:无法连接到容器

Problem: Port not accessible in rootless mode Solution: Use ports >= 1024 or configure unprivileged port start
问题:无根模式下端口无法访问 解决方案:使用1024及以上的端口,或配置非特权端口起始值

Issue: Slow Image Pulls

问题:镜像拉取缓慢

Problem: Images download slowly Solution: Configure registry mirrors in registries.conf
问题:镜像下载速度慢 解决方案:在registries.conf中配置仓库镜像

Issue: Systemd Service Fails

问题:Systemd服务启动失败

Problem: Container doesn't start via systemd Solution: Enable lingering: 
loginctl enable-linger $USER
问题:通过systemd无法启动容器 解决方案:启用用户驻留模式:
loginctl enable-linger $USER

Best Practices

最佳实践

  • Use rootless mode for enhanced security
  • Leverage pods for related containers
  • Generate systemd units for production
  • Use Quadlet for declarative container services
  • Configure SELinux labels for bind mounts
  • Enable user lingering for persistent services
  • Use podman auto-update for automatic updates
  • Alias 
    docker
    to 
    podman
    for compatibility
  • 使用无根模式提升安全性
  • 利用Pod管理关联容器
  • 为生产环境生成systemd单元文件
  • 使用Quadlet实现声明式容器服务
  • 为绑定挂载配置SELinux标签
  • 启用用户驻留模式以实现持久化服务
  • 使用podman auto-update进行自动更新
  • docker
    别名设置为
    podman
    以兼容现有命令

Related Skills

相关技能

  • docker-management - Docker fundamentals
  • kubernetes-ops - K8s orchestration
  • container-hardening - Security
  • docker-management - Docker基础
  • kubernetes-ops - K8s编排
  • container-hardening - 容器安全加固