最後更新: 2022-10-19


  • Podman is using Open Container Initiative (OCI) containers
  • Podman is a daemon-less tool (a single binary command-line)

OCI Runtime


The Open Container Initiative develops specifications for standards on Operating System process and application containers.





dnf install podman

podman -v

podman version 4.1.1

podman version

Client:       Podman Engine
Version:      4.1.1
API Version:  4.1.1
Go Version:   go1.17.12
Built:        Tue Aug  2 15:53:14 2022
OS/Arch:      linux/amd64

systemctl start podman

systemctl enable podman

systemctl status podman

● podman.service - Podman API Service
   Loaded: loaded (/usr/lib/systemd/system/podman.service; enabled; vendor preset: disabled)
   Active: inactive (dead) since Wed 2022-10-19 20:58:58 HKT; 6s ago
     Docs: man:podman-system-service(1)
  Process: 6365 ExecStart=/usr/bin/podman $LOGGING system service (code=exited, status=0/SUCCESS)
 Main PID: 6365 (code=exited, status=0/SUCCESS)

Oct 19 20:58:53 VM systemd[1]: Starting Podman API Service...
Oct 19 20:58:53 VM systemd[1]: Started Podman API Service.
Oct 19 20:58:53 VM podman[6365]: time="DATE" level=info msg="/usr/bin/podman filtering at log level info"
Oct 19 20:58:53 VM podman[6365]: time="DATE" level=info msg="Not using native diff for overlay, this may >
Oct 19 20:58:53 VM podman[6365]: time="DATE" level=info msg="Setting parallel job count to 4"
Oct 19 20:58:53 VM podman[6365]: time="DATE" level=info msg="Using systemd socket activation to determine>
Oct 19 20:58:53 VM podman[6365]: time="DATE" level=info msg="API service listening on \"/run/podman/podma>
Oct 19 20:58:53 VM podman[6365]: time="DATE" level=info msg="API service listening on \"/run/podman/podma>
Oct 19 20:58:58 VM systemd[1]: podman.service: Succeeded.

# View Podman system information

podman info

  arch: amd64
  buildahVersion: 1.26.2
  - cpuset
  - cpu
  - cpuacct
  - blkio
  - memory
  - devices
  - freezer
  - net_cls
  - perf_event
  - net_prio
  - hugetlb
  - pids
  - rdma
  cgroupManager: systemd
  cgroupVersion: v1




'/etc/containers' directory


Policy configuration for image signing.


List of available container image registries such as Docker Registry, RHEL Container image registry, and Fedora Container images registry.


Configuration of default storage for Podman. Includes drivers, location, etc.


Additional registries configuration and image signing


Additional configuration for container images aliases.




Help: man 5 containers-storage.conf


# Default Storage Driver, Must be set for proper operation.
driver = "overlay"

# Primary Read/Write location of container storage
graphroot = "/var/lib/containers/storage"

tree /var/lib/containers/storage

├── libpod
│   └── bolt_state.db
├── mounts
├── overlay
│   ├── backingFsBlockDev
│   └── l
├── overlay-containers
│   └── containers.lock
├── overlay-images
│   └── images.lock
├── overlay-layers
│   └── layers.lock
├── storage.lock
├── tmp
└── userns.lock

將 /var/lib/containers/storage 改成 mount point

systemctl stop podman.socket

mv /var/lib/containers/storage/* /mnt/tmp

touch /var/lib/containers/storage/mountpoint.txt


# Data
UUID="????"     /var/lib/containers/storage xfs noatime 0

mount -a


建立 network



podman network create \
 --subnet \
 --ip-range \
 --gateway MyNet

podman network ls

8b5962b697d7  MyNet       bridge
2f259bab93aa  podman      bridge

podman network inspect MyNet


Other Opt


If not set, the host servers from /etc/resolv.conf is used.

Overwritten: "podman run/create --dns"


Disables the DNS plugin for this network which if enabled
(plugin can perform container to container name resolution)


Restrict external access of this network when using a bridge network.

Note when using the CNI backend DNS will be automatically disabled, see --disable-dns.

When using the macvlan or ipvlan driver with this option no default route will be added to the container.
(Because it bypasses the host network stack no additional restrictions can be set by podman)

After POD are created via the

# Add container to a network

# --ip ip

podman network connect [options] NETWORK CONTAINER

# Remove container from a network

# -f, --force   force removal of container from network

podman network disconnect [options] NETWORK CONTAINER

Network type: Macvlan

With macvlan, the container is given access to a physical network interface on the host.

This interface can configure multiple subinterfaces.

And each subinterface is capable of having its own MAC and IP address.

In the case of Podman containers, the container will present itself as if it is on the same network as the host.

podman network create -d macvlan -o parent=eth0 POD


Basic Usage


podman search rocky

podman pull rocky

Resolved "hello-world" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull quay.io/podman/hello:latest...

Search container image

podman images [options] [IMAGE]

podman images

REPOSITORY            TAG         IMAGE ID      CREATED      SIZE
quay.io/podman/hello  latest      45c8981b04d0  7 hours ago  82.1 kB

podman images db

localhost/db  v2          60e6b9a17ba7  5 days ago  801 MB
localhost/db  v3          9a646ec64180  7 days ago  774 MB


# --detach, -d           
# --interactive, -i      keep stdin open even if not attached.
# --tty, -t                 Allocate a pseudo-TTY

podman run -dit --name mytest hello-world

podman ps [-a]


podman inspect container-name

Useful info

podman inspect test | jq '.[] | keys'

podman inspect test | jq .[0].HostConfig | jq '.Memory, .MemorySwap'

podman inspect test | jq .[0].Mounts

podman inspect test | jq .[0].NetworkSettings.Networks

podman inspect test | jq .[0].Config.Labels

podman inspect test | jq .[0].Config.CreateCommand

podman inspect test | jq .[0].GraphDriver


# either view its ongoing output or to control it interactively

podman attach container-name

P.S. detach from the container

Default: ctrl-p,ctrl-q

Configure the keys sequence using the --detach-keys OPTION

specifying it in the containers.conf file


Execute a command in a running container


# -i, --interactive; -t, --tty

podman exec -it CT-NAME /bin/sh


podman stop container-name


podman rm container-name

Container status

podman stats [container]


  • ID
  • NAME
  • CPU %
  • MEM USAGE / LIMIT  MEM %      
  • NET IO
  • PIDS
  • AVG CPU %


mount & umount



podman mount [options] [container …]

# list all of the currently mounted containers

podman mount

# mount

podman mount containerID1

# 會看到 mount 了在那



podman umount containerID

podman umount --all


podman cp


除了用 mount 外, 可以用 cp 直接抄 data

podman cp [options] [container:]src_path [container:]dest_path



Allow directories to be overwritten with non-directories and vice versa.

By default, podman cp errors out when attempting to overwrite


# From host to a container

podman cp /myapp/app.conf containerID:/myapp/app.conf

# From a container to another container

podman cp containerID1:/myfile.txt containerID2:/tmp





# --filter

podman search --filter=is-official rocky

NAME                          DESCRIPTION
docker.io/library/rockylinux  The official build of Rocky Linux.

# --list-tags

podman search --list-tags docker.io/library/rockylinux

# --limit=limit

Limit the number of results (default 25).


# name[:tag]

podman pull docker.io/library/rockylinux:8

image list

list local image

image tree

podman image tree myrock8

Image ID: b97594aed070
Tags:     [localhost/myrock8:v1 localhost/myrock8:latest]
Size:     431.9MB
Image Layers
├── ID: 44e6e3eb06d8 Size: 201.9MB Top Layer of: [docker.io/rockylinux/rockylinux:8.6]
├── ID: c78d5d722c03 Size: 23.04kB
├── ID: 1220167252e8 Size: 136.2MB
└── ID: 479813204267 Size: 93.69MB Top Layer of: [localhost/myrock8:v1 localhost/myrock8:latest]


podman image inspect myrock8 | jq '.[].RepoTags, .[].RootFS'

  "Type": "layers",
  "Layers": [


Show history of a specified image


Removes one or more images from local storage

tag & untag

tag: Add an additional name to a local image

podman images

localhost/www-v3                 latest      9688b374182e  19 hours ago  602 MB

# If a specified name does not include a tag, :latest will be appended

podman tag 9688b374182e www:v3

localhost/www-v3                 latest      9688b374182e  19 hours ago  602 MB
localhost/www                    v3          9688b374182e  19 hours ago  602 MB

為 image 設定 latest tag

podman tag b97594aed070 myrock8:v1

podman tag myrock8:v1 myrock8

untag: Remove one or more names from an image in the local storage.

# If no name is specified, all names are removed from the image.

podman untag 9688b374182e

<none>                           <none>      9688b374182e  19 hours ago  602 MB

untag 一個名

podman untag b97594aed070 mypod-v2


[1] If a specified name is a short name and does not include a registry,
      localhost/ will be prefixed (e.g., fedora -> localhost/fedora).

[2] If a specified name does not include a tag,
     :latest will be appended (e.g., localhost/fedora -> localhost/fedora:latest).





* docker default 係用 overlay fs, 它是用 volatile mount 的 !!

# mount cgroup readonly (必須是 readonly !!)

--volume /sys/fs/cgroup:/sys/fs/cgroup:ro


# mount Folder to container


-v $volroot/data:/var/lib/mysql


# mount file to container

-v $ssh_key:/root/.ssh/authorized_keys:ro


Network & Firewall


rootful and rootless container networking

The default network mode is slirp4netns
(unprivileged users cannot create networking interfaces on the host)

unprivileged users must use ports 1024 through 65535 as lower ports require root privileges.
=> "-p 8080:80"

Slirp4netns creates a TAP device in the container’s network namespace and connects to the usermode TCP/IP stack.

podman exec t1 ip link

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: tap0: <BROADCAST,UP,LOWER_UP> mtu 65520 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether 76:c3:4b:47:74:90 brd ff:ff:ff:ff:ff:ff

One of the drawbacks of slirp4netns is that the containers are completely isolated from each other.

Network (RUN 時的 Settings)



Expose a port, or a range of ports (e.g. --expose=3300-3310) to set up port redirection on the host system.

to set up port redirection on the host system.


--publish, -p=[[ip:][hostPort]:]containerPort[/protocol]

Publish a container’s port, or range of ports, to the host.

If host IP is set to or not set at all, the port will be bound on all IPs on the host.

By default, Podman will publish TCP ports. To publish a UDP port instead, give udp as protocol.


netstat -ntlp

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0   *               LISTEN      17053/conmon
tcp        0      0    *               LISTEN      17053/conmon

conmon = /usr/bin/conmon

--expose vs --publish

1) If you specify neither EXPOSE nor -p, the service in the container will only be accessible from inside the container itself.

2) If you EXPOSE a port, the service in the container is not accessible from outside Docker,

    but from inside other Docker containers. So this is good for inter-container communication.

3) If you EXPOSE and -p a port, the service in the container is accessible from anywhere, even outside Docker. -p includes EXPOSE

--network=mode, --net=mode

mode: bridge[:OPTS,…]            # This is the default for rootful containers.

Create a network stack on the default bridge.

You can use the --network option multiple times to specify additional networks.


ip=IPv4                   # Specify a static ipv4 address for this container

interface_name    # Specify a name for the created network interface inside the container


--network bridge:ip=,mac=44:33:22:11:00:99

mode: <network name or ID>[:OPTIONS,…]

Connect to a user-defined network;

This is the network name or ID from a network created by "podman network create".

它與 "mode: bridge" 有同樣的 OPTS

mode: private

Create a new namespace for the container.

This will use the bridge mode for rootful containers and slirp4netns for rootless ones.


List port expose

# port [container|-a]              List port mappings for a container

podman port nginx

80/tcp ->
443/tcp ->


每當 "firewall-cmd --reload" 後. 必須行以下其中一句 CLI !!

podman network reload container-ID

podman network reload --all





Docker has a default entrypoint which is /bin/sh -c but does not have a default command.

The command is run via the entrypoint

the actual thing that gets executed is "/bin/sh -c bash"


Add a line to /etc/hosts. The format is


The --add-host option can be set multiple times.

 * 主機 hosts 的內容本身會加到 container, 不用 "--add-host="


Set custom DNS servers.


Specify a static IPv4 address for the container
This option can only be used if the container is joined to only a single network
指定的 IP 要在 --ip-range 內


Set timezone in container.



--env, -e=env

Set environment variables.


--hostuser=name, -h=name

Add a user account to /etc/passwd from the host to the container. The Username or UID must exist on the host system.


Allow Podman to add entries to /etc/passwd and /etc/group when used in conjunction with the --user option.


Customize the entry that is written to the /etc/passwd file within the container when --passwd is used.

--user, -u=user[:group]

Sets the username or UID used and, optionally, the groupname or GID for the specified command.

Both user and group may be symbolic or numeric.

--label, -l=key=value

Add metadata to a container.


Attach a filesystem mount to the container

Current supported mount TYPEs are bind, volume, image, tmpfs and devpts.

--secret=secret[,opt=opt …]

A secret is a blob of sensitive data which a container needs at runtime but should not be stored in the image or in source control,

such as usernames and passwords, TLS certificates and keys, SSH keys or other important generic strings or binary content (up to 500 kb in size).

When secrets are specified as type mount, the secrets are copied and mounted into the container when a container is created.


Export & Import



Export container’s filesystem contents as a tar archive

 * writes to STDOUT by default
 * The image of the container exported by podman export can be imported by podman import.


Import a tarball to create a filesystem image

Notes: export vs save


It contains the same files as the image that started the container but without history and metadata.


preserves the "image" layer information, including all history and metadata


Save & Load



Save image to an archive

podman save [options] name[:tag]

* podman save writes to STDOUT by default

* 如果有 tag, 就必須落 tag


  • docker-archive    # default
  • oci-archive
  • oci-dir
  • docker-dir


Compress tarball image layers when pushing to a directory using the 'dir' transport.


podman images                                        # list images

podman save alpine > alpine-all.tar

podman save -o alpine.tar alpine:2.6


Load an image from container archive

podman load loads an image from either an oci-archive or

    a docker-archive stored on the local machine into container storage.


docker load -i  db.tar

44e6e3eb06d8: Loading layer  201.9MB/201.9MB
ce22a1c72a32: Loading layer  23.04kB/23.04kB
db2bf7c96010: Loading layer  136.2MB/136.2MB
08d4b0b64555: Loading layer  435.8MB/435.8MB
a35fb4407103: Loading layer  23.64MB/23.64MB
937cb9e03c7c: Loading layer   3.67MB/3.67MB
Loaded image: localhost/db:v1

zcat www-v3.tar.gz | podman load


commit 與 build



Build an image using instructions from "Dockerfile" / "Containerfiles"

# 指定 file 名

podman build -f Dockerfile.v3

 * 當沒有加 -t 時 podman images 顯示的 REPOSITORY 及 TAG 都會是 "<none>"
    (--tag, -t imageName)


Create new image based on the changed container



Include in the committed image any volumes added to the container by

    the --volume or --mount OPTIONS to the podman create and podman run commands.

--format, -f=                        # oci | docker

--change, -c=instruction

Apply the following possible instructions to the created image:

  • CMD
  • ENV
  • USER

--author, -a=author

--message, -m=message

Set commit message for committed image.

IMPORTANT: The message field is not supported in oci format.

--pause, -p              # The default is false.

Pause the container when creating an image.

--squash, -s             # The default is false.

Squash newly built layers into a single new layer.


podman commit \
  --change CMD=/bin/bash \
  --author tim \
  mypod-v1 mypod-v2




Checkpointing a container stops the container while writing the state of all processes in the container to disk.

This capability requires CRIU 3.11 or later installed on the system.(https://criu.org/Main_Page)

Checkpoints currently work with root containers only.

podman container checkpoint <container_id>

podman container restore <container_id>




podman run -it --rm -d -p 8080:80 --name web nginx:alpine

podman logs web

podman logs -f web                    # Follow log output. Default is false.

podman logs --tail 10 web




podman healthcheck run CONTAINER

Runs the healthcheck command defined in a running container manually.

    0 = healthcheck command succeeded
    1 = healthcheck command failed
    125 = an error has occurred

--health-cmd="command" | "["command", "arg1", …]"

The command is a command to be executed inside your container that determines your container health.


  • none: Take no action (default)
  • kill: Kill the container
  • restart: Restart the container.
    Do not combine the restart action with the --restart flag.
    When running inside of a systemd unit, consider using the kill or stop action
    instead to make use of systemd’s restart policy.
  • stop: Stop the container





Restart policy to follow when containers exit.

Restart policy will not take effect if a container is stopped via the podman kill or podman stop commands.

Please note that restart will not restart containers after a system reboot.

Valid policy values are:

  • no : Do not restart containers on exit
  • on-failure[:max_retries]
  • always: Restart containers when they exit, regardless of status
  • unless-stopped: Identical to always


Volatile mount


Volatile mounts are not guaranteed to survive a crash.
It is strongly recommended that volatile mounts are only used if data written to the overlay can be recreated without significant effort.

The advantage of mounting with the “volatile” option is that all forms of sync calls to the upper filesystem are omitted.

When overlay is mounted with “volatile” option, the directory “$workdir/work/incompat/volatile” is created.
During next mount, overlay checks for this directory and refuses to mount if present.
This is a strong indicator that user should throw away upper and work directories and create fresh one.


conmon program


When Podman starts a container it actually executes the conmon program, which then executes the OCI Runtime. Conmon is the container monitor. It is a small program whose job is to watch the primary process of the container, and if the container dies, save the exit code. It also holds open the tty of the container, so that it can be attached to later. This is what allows Podman to run in detached mode (backgrounded), so Podman can exit but conmon continues to run. Each container has their own instance of conmon. Conmon waits for the container to exit, gathers and saves the exit code, and then launches a Podman process to complete the container cleanup, by shutting down the network and storage.


man 8 conmon

conmon --version

conmon version 2.1.2
commit: 98e028a5804809ccb49bc099c0d53adc43ef8cc4




It is based on the network stack of gVisor.

Compared to libslirp, gvisor-tap-vsock
brings a configurable DNS server and dynamic port forwarding.

written in pure Go

It running on the host runs a virtual gateway that can be used by the VM


Rocky 8 App



  • /etc/my.cnf.d/
  • /var/lib/mysql/
  • /var/log/mysql/                                # log


  • /etc/nginx
  • /var/log/nginx                                  # log
  • /usr/share/nginx/html

apache & php

  • /etc/httpd
  • /etc/opt/remi/php80/
  • /home/vhosts
  • /var/log/httpd                                   # log
  • /var/opt/remi/php80/log/php-fpm      # log
  • /var/opt/remi/php80/lib/php/session


Cleanup contrainer script




rm -f /etc/*-
dnf clean all
logrotate -f /etc/logrotate.conf
rm /var/log/*-* -f
> /var/log/lastlog
> /var/log/dnf.log
> /var/log/dnf.librepo.log
> /var/log/dnf.rpm.log
> /var/log/lastlog
rm -f /var/log/anaconda/*
history -c




runc is a CLI tool for spawning and running containers on Linux according to the OCI specification.

  • Linux namespaces full support
  • Native support of Linux security features such as Selinux, Apparmor
  • Specifications governed by Open Container Initiative

low-level: runc

high-level: CRI-O, podman, containerd

它與 runC 的關係

Podman 直接調用 OCI runtime(runC), 通過 common 作為容器處理程序的管理工具


更改 Image 的 Startup 的 ENTRYPOINT


查看當前的 CMD

# --format=

podman inspect -f '{{.Config.Cmd}}' <image:tag>


# Override the default ENTRYPOINT from the image.

podman run -it --entrypoint=/bin/bash IMAGE


ENTRYPOINT is used to specify the main command that should be executed when the container starts.
More options can be passed in via the COMMAND.

CMD is used to provide default arguments for the ENTRYPOINT or
to specify the command to be executed if no ENTRYPOINT is specified.


ENTRYPOINT ["/usr/sbin/apache2ctl"]


Login & Logout Registry


  • login
  • Authentication file
  • Logout


If the registry is not specified, the first registry under [registries.search] from registries.conf will be used.


podman login --get-login AC_ID.dkr.ecr.ap-east-1.amazonaws.com


Authentication file

# XDG_RUNTIME_DIR = /run/user/0


        "auths": {
                "AC_ID.dkr.ecr.ap-east-1.amazonaws.com": {
                        "auth": "..."


Remove the cached credentials for registries in the auth file

podman logout [options] registry


--all, -a