年轻人谁还用Docker?

好吧，我其实想说的是podman :)

podman（Pod Manager）是一个由RedHat公司推出的容器管理工具，它的定位就是docker的替代品，在使用上与docker的体验类似。podman源于CRI-O项目，可以直接访问OCI的实现（如runC），流程比docker要短。

和Docker相比，podman无需root启动的守护进程，所以在安全性方面更胜一筹。

话不多说，我们直接来体验一把：

首先安装，以CentOS为例：

[root@test-vm001 ~]# yum -y install podman

检查一下版本：

[root@test-vm001 ~]# podman -v
podman version 2.0.5

查看一下支持的命令，和docker基本一致：

[root@test-vm001 ~]# podman --help
Manage pods, containers and images

Usage:
  podman [flags]
  podman [command]

Available Commands:
  attach      Attach to a running container
  auto-update Auto update containers according to their auto-update policy
  build       Build an image using instructions from Containerfiles
  commit      Create new image based on the changed container
  container   Manage containers
  cp          Copy files/folders between a container and the local filesystem
  create      Create but do not start a container
  diff        Display the changes to the object's file system
  events      Show podman events
  exec        Run a process in a running container
  export      Export container's filesystem contents as a tar archive
  generate    Generate structured data based on containers and pods.
  healthcheck Manage health checks on containers
  help        Help about any command
  history     Show history of a specified image
  image       Manage images
  images      List images in local storage
  import      Import a tarball to create a filesystem image
  info        Display podman system information
  init        Initialize one or more containers
  inspect     Display the configuration of object denoted by ID
  kill        Kill one or more running containers with a specific signal
  load        Load an image from container archive
  login       Login to a container registry
  logout      Logout of a container registry
  logs        Fetch the logs of one or more containers
  manifest    Manipulate manifest lists and image indexes
  mount       Mount a working container's root filesystem
  network     Manage networks
  pause       Pause all the processes in one or more containers
  play        Play a pod and its containers from a structured file.
  pod         Manage pods
  port        List port mappings or a specific mapping for the container
  ps          List containers
  pull        Pull an image from a registry
  push        Push an image to a specified destination
  restart     Restart one or more containers
  rm          Remove one or more containers
  rmi         Removes one or more images from local storage
  run         Run a command in a new container
  save        Save image to an archive
  search      Search registry for image
  start       Start one or more containers
  stats       Display a live stream of container resource usage statistics
  stop        Stop one or more containers
  system      Manage podman
  tag         Add an additional name to a local image
  top         Display the running processes of a container
  unmount     Unmounts working container's root filesystem
  unpause     Unpause the processes in one or more containers
  unshare     Run a command in a modified user namespace
  untag       Remove a name from a local image
  version     Display the Podman Version Information
  volume      Manage volumes
  wait        Block on one or more containers

Flags:
      --cgroup-manager string     Cgroup manager to use ("cgroupfs"|"systemd") (default "systemd")
      --cni-config-dir string     Path of the configuration directory for CNI networks (default "/usr/libexec/cni")
      --conmon string             Path of the conmon binary
  -c, --connection string         Connection to use for remote Podman service
      --events-backend string     Events backend to use ("file"|"journald"|"none") (default "file")
      --help                      Help for podman
      --hooks-dir strings         Set the OCI hooks directory path (may be set multiple times) (default [/usr/share/containers/oci/hooks.d])
      --identity string           path to SSH identity file, (CONTAINER_SSHKEY)
      --log-level string          Log messages above specified level (debug, info, warn, error, fatal, panic) (default "error")
      --namespace string          Set the libpod namespace, used to create separate views of the containers and pods on the system
      --network-cmd-path string   Path to the command for configuring the network
  -r, --remote                    Access remote Podman service (default false)
      --root string               Path to the root directory in which data, including images, is stored
      --runroot string            Path to the 'run directory' where all state information is stored
      --runtime string            Path to the OCI-compatible binary used to run containers, default is /usr/bin/runc
      --storage-driver string     Select which storage driver is used to manage storage of images and containers (default is overlay)
      --storage-opt stringArray   Used to pass an option to the storage driver
      --syslog                    Output logging information to syslog as well as the console (default false)
      --tmpdir string             Path to the tmp directory for libpod state content.

                                  Note: use the environment variable 'TMPDIR' to change the temporary storage location for container images, '/var/tmp'.

      --url string                URL to access Podman service (CONTAINER_HOST) (default "unix:/run/podman/podman.sock")
  -v, --version                   Version of Podman

Use "podman [command] --help" for more information about a command.

搜索一下镜像，podman会去redhat和docker hub搜索镜像（省略了绝大多数输出）：

[root@test-vm001 ~]# podman search httpd
redhat.com   registry.access.redhat.com/rhscl/httpd-24-rhel7                               Apache HTTP 2.4 Server                            0
redhat.com   registry.access.redhat.com/cloudforms46-beta/cfme-openshift-httpd             CloudForms is a management and automation pl...   0
redhat.io    registry.redhat.io/rhscl/httpd-24-rhel7                                       Apache HTTP 2.4 Server                            0
docker.io    docker.io/library/httpd                                                       The Apache HTTP Server Project                    3318    [OK]

启动一个容器：

[root@test-vm001 ~]# podman run -dt -p 8080:8080/tcp registry.fedoraproject.org/f29/httpd
Trying to pull registry.fedoraproject.org/f29/httpd...
Getting image source signatures
Copying blob d77ff9f653ce done
Copying blob aaf5ad2e1aa3 done
Copying blob 7692efc5f81c done
Copying config 25c76f9dcd done
Writing manifest to image destination
Storing signatures
efe658b567ec3758524abe65248a7045374e4a15b9493d8885889cfffce8d407

查看一下运行的容器：

[root@test-vm001 ~]# podman ps
CONTAINER ID  IMAGE                                        COMMAND               CREATED         STATUS             PORTS                   NAMES
efe658b567ec  registry.fedoraproject.org/f29/httpd:latest  /usr/bin/run-http...  24 seconds ago  Up 23 seconds ago  0.0.0.0:8080->8080/tcp  reverent_austin

尝试访问一下容器提供的服务：

[root@test-vm001 ~]# curl http://localhost:8080

从输出结果可以看到容器已经运行起来了。

查看一下进程，发现httpd容器是podman的子进程：

[root@test-vm001 ~]# ps -ef | grep 8919
root        8919       1  0 07:34 ?        00:00:00 /usr/bin/conmon --api-vers...
1001        8930    8919  0 07:34 pts/0    00:00:00 httpd -D FOREGROUND
root        9290    5136  0 07:46 pts/0    00:00:00 grep --color=auto 8919

podman用来管理容器及pod，需要构建镜像的话，需要使用到buildah。此外还有操作远程仓库及镜像签名的工具skopeo，我们下次再说。