最後更新: 2022-10-19


  • Podman is using Open Container Initiative (OCI) containers
  • Podman is a daemon-less tool (a single binary command-line)

OCI Runtime


The Open Container Initiative develops specifications for standards on Operating System process and application containers.


  • Volume
  • Network & Firewall
  • Auto start container
  • volatile mount
  • conmon program
  • podman-gvproxy
  • Rocky 8 App
  • Cleanup contrainer script
  • runc




dnf install podman

podman -v

podman version 4.1.1

podman version

Client:       Podman Engine
Version:      4.1.1
API Version:  4.1.1
Go Version:   go1.17.12
Built:        Tue Aug  2 15:53:14 2022
OS/Arch:      linux/amd64

systemctl start podman

systemctl enable podman

systemctl status podman

● podman.service - Podman API Service
   Loaded: loaded (/usr/lib/systemd/system/podman.service; enabled; vendor preset: disabled)
   Active: inactive (dead) since Wed 2022-10-19 20:58:58 HKT; 6s ago
     Docs: man:podman-system-service(1)
  Process: 6365 ExecStart=/usr/bin/podman $LOGGING system service (code=exited, status=0/SUCCESS)
 Main PID: 6365 (code=exited, status=0/SUCCESS)

Oct 19 20:58:53 VM systemd[1]: Starting Podman API Service...
Oct 19 20:58:53 VM systemd[1]: Started Podman API Service.
Oct 19 20:58:53 VM podman[6365]: time="DATE" level=info msg="/usr/bin/podman filtering at log level info"
Oct 19 20:58:53 VM podman[6365]: time="DATE" level=info msg="Not using native diff for overlay, this may >
Oct 19 20:58:53 VM podman[6365]: time="DATE" level=info msg="Setting parallel job count to 4"
Oct 19 20:58:53 VM podman[6365]: time="DATE" level=info msg="Using systemd socket activation to determine>
Oct 19 20:58:53 VM podman[6365]: time="DATE" level=info msg="API service listening on \"/run/podman/podma>
Oct 19 20:58:53 VM podman[6365]: time="DATE" level=info msg="API service listening on \"/run/podman/podma>
Oct 19 20:58:58 VM systemd[1]: podman.service: Succeeded.

# View Podman system information

podman info

  arch: amd64
  buildahVersion: 1.26.2
  - cpuset
  - cpu
  - cpuacct
  - blkio
  - memory
  - devices
  - freezer
  - net_cls
  - perf_event
  - net_prio
  - hugetlb
  - pids
  - rdma
  cgroupManager: systemd
  cgroupVersion: v1




'/etc/containers' directory


Policy configuration for image signing.


List of available container image registries such as Docker Registry, RHEL Container image registry, and Fedora Container images registry.


Configuration of default storage for Podman. Includes drivers, location, etc.


Additional registries configuration and image signing


Additional configuration for container images aliases.




Help: man 5 containers-storage.conf


# Default Storage Driver, Must be set for proper operation.
driver = "overlay"

# Primary Read/Write location of container storage
graphroot = "/var/lib/containers/storage"

tree /var/lib/containers/storage

├── libpod
│   └── bolt_state.db
├── mounts
├── overlay
│   ├── backingFsBlockDev
│   └── l
├── overlay-containers
│   └── containers.lock
├── overlay-images
│   └── images.lock
├── overlay-layers
│   └── layers.lock
├── storage.lock
├── tmp
└── userns.lock

將 /var/lib/containers/storage 改成 mount point

systemctl stop podman.socket

mv /var/lib/containers/storage/* /mnt/tmp

touch /var/lib/containers/storage/mountpoint.txt


# Data
UUID="????"     /var/lib/containers/storage xfs noatime 0

mount -a


建立 network



podman network create \
 --subnet \
 --ip-range \
 --gateway MyNet

podman network ls

8b5962b697d7  MyNet       bridge
2f259bab93aa  podman      bridge

podman network inspect MyNet

          "name": "MyNet",
          "id": "UUID",
          "driver": "bridge",
          "network_interface": "cni-podman1",
          "created": "2022-10-19T17:48:33.07652204+08:00",
          "subnets": [
                    "subnet": "",
                    "gateway": ""
          "ipv6_enabled": false,
          "internal": false,
          "dns_enabled": false,
          "ipam_options": {
               "driver": "host-local"

After POD are created via the

# Add container to a network

# --ip ip

podman network connect [options] NETWORK CONTAINER

# Remove container from a network

# -f, --force   force removal of container from network

podman network disconnect [options] NETWORK CONTAINER

Network type: Macvlan

With macvlan, the container is given access to a physical network interface on the host.

This interface can configure multiple subinterfaces.

And each subinterface is capable of having its own MAC and IP address.

In the case of Podman containers, the container will present itself as if it is on the same network as the host.

podman network create -d macvlan -o parent=eth0 POD


Basic Usage


podman search rocky

podman pull rocky

Resolved "hello-world" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull quay.io/podman/hello:latest...

Search container image

podman images [options] [IMAGE]

podman images

REPOSITORY            TAG         IMAGE ID      CREATED      SIZE
quay.io/podman/hello  latest      45c8981b04d0  7 hours ago  82.1 kB

podman images db

localhost/db  v2          60e6b9a17ba7  5 days ago  801 MB
localhost/db  v3          9a646ec64180  7 days ago  774 MB


# --detach, -d           
# --interactive, -i      keep stdin open even if not attached.
# --tty, -t              Allocate a pseudo-TTY

podman run -dit --name mytest hello-world

podman ps [-a]


podman inspect container-name

Useful info

podman inspect test | jq '.[] | keys'

podman inspect test | jq .[0].HostConfig | jq '.Memory, .MemorySwap'

podman inspect test | jq .[0].Mounts

podman inspect test | jq .[0].NetworkSettings.Networks

podman inspect test | jq .[0].Config.Labels

podman inspect test | jq .[0].Config.CreateCommand

podman inspect test | jq .[0].GraphDriver


# detach from the container: ctrl-p,ctrl-q

podman attach container-name


podman stop container-name


podman rm container-name

container status

podman stats [container]


  • ID
  • NAME
  • CPU %
  • MEM USAGE / LIMIT  MEM %      
  • NET IO
  • PIDS
  • AVG CPU %


mount & umount



podman mount [options] [container …]

# list all of the currently mounted containers

podman mount

# mount

podman mount containerID1

# 會看到 mount 了在那



podman umount containerID

podman umount --all


podman cp


除了用 mount 外, 可以用 cp 直接抄 data

podman cp [options] [container:]src_path [container:]dest_path

options: --overwrite

Allow directories to be overwritten with non-directories and vice versa.

By default, podman cp errors out when attempting to overwrite


# Copy a file from host to a container

podman cp /myapp/app.conf containerID:/myapp/app.conf

# Copy a file from a container to a directory on another container

podman cp containerID1:/myfile.txt containerID2:/tmp






# --filter

podman search --filter=is-official rocky

NAME                          DESCRIPTION
docker.io/library/rockylinux  The official build of Rocky Linux.

# --list-tags

podman search --list-tags docker.io/library/rockylinux

# --limit=limit

Limit the number of results (default 25).


# name[:tag]

podman pull docker.io/library/rockylinux:8

image list

list local image

image tree

podman image tree myrock8

Image ID: b97594aed070
Tags:     [localhost/myrock8:v1 localhost/myrock8:latest]
Size:     431.9MB
Image Layers
├── ID: 44e6e3eb06d8 Size: 201.9MB Top Layer of: [docker.io/rockylinux/rockylinux:8.6]
├── ID: c78d5d722c03 Size: 23.04kB
├── ID: 1220167252e8 Size: 136.2MB
└── ID: 479813204267 Size: 93.69MB Top Layer of: [localhost/myrock8:v1 localhost/myrock8:latest]


podman image inspect myrock8 | jq '.[].RepoTags, .[].RootFS'

  "Type": "layers",
  "Layers": [


Show history of a specified image


Removes one or more images from local storage

tag & untag

tag: Add an additional name to a local image

podman images

localhost/www-v3                 latest      9688b374182e  19 hours ago  602 MB

# If a specified name does not include a tag, :latest will be appended

podman tag 9688b374182e www:v3

localhost/www-v3                 latest      9688b374182e  19 hours ago  602 MB
localhost/www                    v3          9688b374182e  19 hours ago  602 MB

為 image 設定 latest tag

podman tag b97594aed070 myrock8:v1

podman tag myrock8:v1 myrock8

untag: Remove one or more names from an image in the local storage.

# If no name is specified, all names are removed from the image.

podman untag 9688b374182e

<none>                           <none>      9688b374182e  19 hours ago  602 MB

untag 一個名

podman untag b97594aed070 mypod-v2


[1] If a specified name is a short name and does not include a registry,
      localhost/ will be prefixed (e.g., fedora -> localhost/fedora).

[2] If a specified name does not include a tag,
     :latest will be appended (e.g., localhost/fedora -> localhost/fedora:latest).





* docker default 係用 overlay fs, 它是用 volatile mount 的 !!

# mount cgroup readonly (必須是 readonly !!)

--volume /sys/fs/cgroup:/sys/fs/cgroup:ro


# mount Folder to container


-v $volroot/data:/var/lib/mysql


# mount file to container

-v $ssh_key:/root/.ssh/authorized_keys:ro


Network & Firewall


rootful and rootless container networking

unprivileged users cannot create networking interfaces on the host

unprivileged users must use ports 1024 through 65535 as lower ports require root privileges.

the default network mode is slirp4netns

Slirp4netns creates a TAP device in the container’s network namespace and

    connects to the usermode TCP/IP stack.

One of the drawbacks of slirp4netns is that the containers are completely isolated from each other.

Network (RUN 時的 Settings)



Expose a port, or a range of ports (e.g. --expose=3300-3310) to set up port redirection on the host system.

to set up port redirection on the host system.


--publish, -p=[[ip:][hostPort]:]containerPort[/protocol]

Publish a container’s port, or range of ports, to the host.

If host IP is set to or not set at all, the port will be bound on all IPs on the host.

By default, Podman will publish TCP ports. To publish a UDP port instead, give udp as protocol.


netstat -ntlp

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0   *               LISTEN      17053/conmon
tcp        0      0    *               LISTEN      17053/conmon

conmon = /usr/bin/conmon

--expose vs --publish

1) If you specify neither EXPOSE nor -p, the service in the container will only be accessible from inside the container itself.

2) If you EXPOSE a port, the service in the container is not accessible from outside Docker,

    but from inside other Docker containers. So this is good for inter-container communication.

3) If you EXPOSE and -p a port, the service in the container is accessible from anywhere, even outside Docker. -p includes EXPOSE

--network=mode, --net=mode

mode: bridge[:OPTS,…]            # This is the default for rootful containers.

Create a network stack on the default bridge.

You can use the --network option multiple times to specify additional networks.


ip=IPv4                   # Specify a static ipv4 address for this container

interface_name    # Specify a name for the created network interface inside the container


--network bridge:ip=,mac=44:33:22:11:00:99

mode: <network name or ID>[:OPTIONS,…]

Connect to a user-defined network;

This is the network name or ID from a network created by "podman network create".

它與 "mode: bridge" 有同樣的 OPTS

mode: private

Create a new namespace for the container.

This will use the bridge mode for rootful containers and slirp4netns for rootless ones.


List port expose

# port [container|-a]              List port mappings for a container

podman port nginx

80/tcp ->
443/tcp ->


每當 "firewall-cmd --reload" 後. 必須行以下其中一句 CLI !!

podman network reload container-ID

podman network reload --all





Docker has a default entrypoint which is /bin/sh -c but does not have a default command.

The command is run via the entrypoint

the actual thing that gets executed is "/bin/sh -c bash"


Add a line to /etc/hosts. The format is


The --add-host option can be set multiple times.

主機 hosts 的內容本身會加到 container, 不用 "--add-host="


Set custom DNS servers.


Specify a static IPv4 address for the container
This option can only be used if the container is joined to only a single network
指定的 IP 要在 --ip-range 內


Set timezone in container.



--env, -e=env

Set environment variables.


--hostuser=name, -h=name

Add a user account to /etc/passwd from the host to the container. The Username or UID must exist on the host system.


Allow Podman to add entries to /etc/passwd and /etc/group when used in conjunction with the --user option.


Customize the entry that is written to the /etc/passwd file within the container when --passwd is used.

--user, -u=user[:group]

Sets the username or UID used and, optionally, the groupname or GID for the specified command.

Both user and group may be symbolic or numeric.

--label, -l=key=value

Add metadata to a container.


Attach a filesystem mount to the container

Current supported mount TYPEs are bind, volume, image, tmpfs and devpts.

--secret=secret[,opt=opt …]

A secret is a blob of sensitive data which a container needs at runtime but should not be stored in the image or in source control,

such as usernames and passwords, TLS certificates and keys, SSH keys or other important generic strings or binary content (up to 500 kb in size).

When secrets are specified as type mount, the secrets are copied and mounted into the container when a container is created.


Rockylinux with systemd


下載一個 image 先


podman pull docker.io/rockylinux/rockylinux

建立行 systemd 的 POD

Containerfile                # which contains instructions for building the image

FROM docker.io/rockylinux/rockylinux:8
ENV container docker
RUN (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == \
systemd-tmpfiles-setup.service ] || rm -f $i; done); \
rm -f /lib/systemd/system/multi-user.target.wants/*;\
rm -f /etc/systemd/system/*.wants/*;\
rm -f /lib/systemd/system/local-fs.target.wants/*; \
rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
rm -f /lib/systemd/system/basic.target.wants/*;\
rm -f /lib/systemd/system/anaconda.target.wants/*;
VOLUME [ "/sys/fs/cgroup" ]
CMD ["/usr/sbin/init"]


podman build --rm -t r8-systemd .

-t imageName                   # 會自動叫 localhost/imageName

--rm                                 # Remove intermediate containers after a successful build (default true).

--file, -f=Containerfile.txt   # Default: Containerfile

Run systemd POD

docker run -dit \
  --privileged \
  --volume /sys/fs/cgroup:/sys/fs/cgroup:ro \
  --name mytest \

 * In order to run a container with systemd,
    you will need to mount the cgroups volumes from the host.

Custom POD

# exec - Run a process in a running container

podman exec -it mytest bash

dnf install epel-release
dnf install vim screen wget curl iproute procps-ng passwd
dnf install openssh-server rsyslog

sshd Service start failed

.. sshd[395]: fatal: linux_audit_write_entry failed: Operation not permitted
.. sshd[395]: pam_unix(sshd:session): session closed for user root
.. sshd[395]: fatal: linux_audit_write_entry failed: Operation not permitted
.. sshd[404]: fatal: mm_request_send: write: Broken pipe

原因: podman dropped the audit_write capability by default.



podman run --cap-add AUDIT_WRITE \
-p 22000:22 --expose=22 -dit centos:7 \
/bin/bash -c "yum install -y openssh-server && ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' && /usr/sbin/sshd -Dd"


export & import



Export container’s filesystem contents as a tar archive

 * writes to STDOUT by default
 * The image of the container exported by podman export can be imported by podman import.


Import a tarball to create a filesystem image


export vs save


It contains the same files as the image that started the container but without history and metadata.


preserves the "image" layer information, including all history and metadata


save & load



podman save [options] name[:tag]

Save image to an archive


  • docker-archive
  • oci-archive

* podman save writes to STDOUT by default


podman save > alpine-all.tar alpine


Load an image from container archive

podman load loads an image from either an oci-archive or

    a docker-archive stored on the local machine into container storage.


zcat www-v3.tar.gz | podman load


commit 與 build



Build an image using instructions from Containerfiles


Create new image based on the changed container


--author, -a=author


Include in the committed image any volumes added to the container by

    the --volume or --mount OPTIONS to the podman create and podman run commands.

--format, -f=oci | docker

--change, -c=instruction

Apply the following possible instructions to the created image:

  •     CMD
  •     ENV
  •     EXPOSE
  •     LABEL
  •     ONBUILD
  •     USER
  •     VOLUME
  •     WORKDIR

--message, -m=message

Set commit message for committed image.

IMPORTANT: The message field is not supported in oci format.

--pause, -p              # The default is false.

Pause the container when creating an image.

--squash, -s            # The default is false.

Squash newly built layers into a single new layer.



podman commit -a tim mytest mypod-v1


podman commit
 --change CMD=/bin/bash \
 --change ENTRYPOINT=/bin/sh \
 reverent_golick image-committed




Checkpointing a container stops the container while writing the state of all processes in the container to disk.

This capability requires CRIU 3.11 or later installed on the system.(https://criu.org/Main_Page)

Checkpoints currently work with root containers only.

podman container checkpoint <container_id>

podman container restore <container_id>




podman run -it --rm -d -p 8080:80 --name web nginx:alpine

podman logs web

podman logs --tail 10 web




podman healthcheck run CONTAINER

Runs the healthcheck command defined in a running container manually.

    0 = healthcheck command succeeded
    1 = healthcheck command failed
    125 = an error has occurred

--health-cmd="command" | "["command", "arg1", …]"

The command is a command to be executed inside your container that determines your container health.


  • none: Take no action (default)
  • kill: Kill the container
  • restart: Restart the container.
    Do not combine the restart action with the --restart flag.
    When running inside of a systemd unit, consider using the kill or stop action
    instead to make use of systemd’s restart policy.
  • stop: Stop the container





Restart policy to follow when containers exit.

Restart policy will not take effect if a container is stopped via the podman kill or podman stop commands.

Please note that restart will not restart containers after a system reboot.

Valid policy values are:

  • no : Do not restart containers on exit
  • on-failure[:max_retries]
  • always: Restart containers when they exit, regardless of status
  • unless-stopped: Identical to always

Auto start container


Autostart Podman Containers - Add the container to systemd

podman ps

# NAMES = Container Name

podman generate systemd \
    --new --name NAMES \
    > /etc/systemd/system/NAMES.service


Using this flag will yield unit files that do not expect containers and pods to exist.
Instead, new containers and pods are created based on their configuration files.
"--new" only works on containers and pods created directly via Podman.
It does not work on containers or pods created via the REST API or via podman kube play.

ExecStart=/usr/bin/podman run ...
ExecStop=/usr/bin/podman stop --ignore --cidfile=%t/%n.ctr-id
ExecStopPost=/usr/bin/podman rm -f --ignore --cidfile=%t/%n.ctr-id



ExecStart=/usr/bin/podman run \
        --cidfile=%t/%n.ctr-id \
        --cgroups=no-conmon \
        --rm \
        --sdnotify=conmon \
        --replace \
        -dit \
        --privileged \
        --volume /sys/fs/cgroup:/sys/fs/cgroup:ro \
ExecStop=/usr/bin/podman stop --ignore --cidfile=%t/%n.ctr-id
ExecStopPost=/usr/bin/podman rm -f --ignore --cidfile=%t/%n.ctr-id

no "--new"

ExecStart=/usr/bin/podman start nginx
ExecStop=/usr/bin/podman stop -t 10 nginx
ExecStopPost=/usr/bin/podman stop -t 10 nginx

systemctl list-unit-files | grep nginx

nginx.service                              disabled

systemctl enable nginx

systemctl start nginx

systemctl status nginx

● nginx.service - Podman container-nginx.service
   Loaded: loaded (/etc/systemd/system/nginx.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2022-10-26 13:27:16 HKT; 5s ago

Stop Container

If you try to run "podman stop nginx",

  => the container will be restarted by systemd because of to the “Restart=on-failure” policy.

More info: systemd restart

systemctl stop nginx


volatile mount


Volatile mounts are not guaranteed to survive a crash.
It is strongly recommended that volatile mounts are only used if data written to the overlay can be recreated without significant effort.

The advantage of mounting with the “volatile” option is that all forms of sync calls to the upper filesystem are omitted.

When overlay is mounted with “volatile” option, the directory “$workdir/work/incompat/volatile” is created.
During next mount, overlay checks for this directory and refuses to mount if present.
This is a strong indicator that user should throw away upper and work directories and create fresh one.


conmon program


When Podman starts a container it actually executes the conmon program, which then executes the OCI Runtime. Conmon is the container monitor. It is a small program whose job is to watch the primary process of the container, and if the container dies, save the exit code. It also holds open the tty of the container, so that it can be attached to later. This is what allows Podman to run in detached mode (backgrounded), so Podman can exit but conmon continues to run. Each container has their own instance of conmon. Conmon waits for the container to exit, gathers and saves the exit code, and then launches a Podman process to complete the container cleanup, by shutting down the network and storage.


man 8 conmon

conmon --version

conmon version 2.1.2
commit: 98e028a5804809ccb49bc099c0d53adc43ef8cc4




It is based on the network stack of gVisor.

Compared to libslirp, gvisor-tap-vsock
brings a configurable DNS server and dynamic port forwarding.

written in pure Go

It running on the host runs a virtual gateway that can be used by the VM


Rocky 8 App



  • /etc/my.cnf.d/
  • /var/lib/mysql/
  • /var/log/mysql/                                # log


  • /etc/nginx
  • /var/log/nginx                                  # log
  • /usr/share/nginx/html

apache & php

  • /etc/httpd
  • /etc/opt/remi/php80/
  • /home/vhosts
  • /var/log/httpd                                   # log
  • /var/opt/remi/php80/log/php-fpm      # log
  • /var/opt/remi/php80/lib/php/session


Cleanup contrainer script




rm -f /etc/*-
dnf clean all
logrotate -f /etc/logrotate.conf
rm /var/log/*-* -f
> /var/log/lastlog
> /var/log/dnf.log
> /var/log/dnf.librepo.log
> /var/log/dnf.rpm.log
> /var/log/lastlog
rm -f /var/log/anaconda/*
history -c




runc is a CLI tool for spawning and running containers on Linux according to the OCI specification.

  • Linux namespaces full support
  • Native support of Linux security features such as Selinux, Apparmor
  • Specifications governed by Open Container Initiative

low-level: runc

high-level: CRI-O, podman, containerd

它與 runC 的關係

Podman 直接調用 OCI runtime(runC), 通過 common 作為容器處理程序的管理工具