
OK, what I actually want to talk about is podman :)

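podman (Pod Manager) is a container management tool released by Red Hat. It is positioned as a replacement for docker, and using it feels much like using docker. podman grew out of the CRI-O project and can call an OCI implementation (such as runC) directly, so its call path is shorter than docker's.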

Compared with Docker, podman does not need a daemon started as root, so it has the edge on security.

Image from 曉川, published on InfoQ

Enough talk, let's try it out:

First install it, using CentOS as the example:

[root@test-vm001 ~]# yum -y install podman

Check the version:

[root@test-vm001 ~]# podman -v
podman version 2.0.5

Look at the supported commands, which are essentially the same as docker's:

[root@test-vm001 ~]# podman --help
Manage pods, containers and images
Usage:
  podman [flags]
  podman [command]
Available Commands:
  attach      Attach to a running container
  auto-update Auto update containers according to their auto-update policy
  build       Build an image using instructions from Containerfiles
  commit      Create new image based on the changed container
  container   Manage containers
  cp          Copy files/folders between a container and the local filesystem
  create      Create but do not start a container
  diff        Display the changes to the object's file system
  events      Show podman events
  exec        Run a process in a running container
  export      Export container's filesystem contents as a tar archive
  generate    Generate structured data based on containers and pods.
  healthcheck Manage health checks on containers
  help        Help about any command
  history     Show history of a specified image
  image       Manage images
  images      List images in local storage
  import      Import a tarball to create a filesystem image
  info        Display podman system information
  init        Initialize one or more containers
  inspect     Display the configuration of object denoted by ID
  kill        Kill one or more running containers with a specific signal
  load        Load an image from container archive
  login       Login to a container registry
  logout      Logout of a container registry
  logs        Fetch the logs of one or more containers
  manifest    Manipulate manifest lists and image indexes
  mount       Mount a working container's root filesystem
  network     Manage networks
  pause       Pause all the processes in one or more containers
  play        Play a pod and its containers from a structured file.
  pod         Manage pods
  port        List port mappings or a specific mapping for the container
  ps          List containers
  pull        Pull an image from a registry
  push        Push an image to a specified destination
  restart     Restart one or more containers
  rm          Remove one or more containers
  rmi         Removes one or more images from local storage
  run         Run a command in a new container
  save        Save image to an archive
  search      Search registry for image
  start       Start one or more containers
  stats       Display a live stream of container resource usage statistics
  stop        Stop one or more containers
  system      Manage podman
  tag         Add an additional name to a local image
  top         Display the running processes of a container
  unmount     Unmounts working container's root filesystem
  unpause     Unpause the processes in one or more containers
  unshare     Run a command in a modified user namespace
  untag       Remove a name from a local image
  version     Display the Podman Version Information
  volume      Manage volumes
  wait        Block on one or more containers
Flags:
      --cgroup-manager string     Cgroup manager to use ("cgroupfs"|"systemd") (default "systemd")
      --cni-config-dir string     Path of the configuration directory for CNI networks (default "/usr/libexec/cni")
      --conmon string             Path of the conmon binary
  -c, --connection string         Connection to use for remote Podman service
      --events-backend string     Events backend to use ("file"|"journald"|"none") (default "file")
      --help                      Help for podman
      --hooks-dir strings         Set the OCI hooks directory path (may be set multiple times) (default [/usr/share/containers/oci/hooks.d])
      --identity string           path to SSH identity file, (CONTAINER_SSHKEY)
      --log-level string          Log messages above specified level (debug, info, warn, error, fatal, panic) (default "error")
      --namespace string          Set the libpod namespace, used to create separate views of the containers and pods on the system
      --network-cmd-path string   Path to the command for configuring the network
  -r, --remote                    Access remote Podman service (default false)
      --root string               Path to the root directory in which data, including images, is stored
      --runroot string            Path to the 'run directory' where all state information is stored
      --runtime string            Path to the OCI-compatible binary used to run containers, default is /usr/bin/runc
      --storage-driver string     Select which storage driver is used to manage storage of images and containers (default is overlay)
      --storage-opt stringArray   Used to pass an option to the storage driver
      --syslog                    Output logging information to syslog as well as the console (default false)
      --tmpdir string             Path to the tmp directory for libpod state content.
                                  Note: use the environment variable 'TMPDIR' to change the temporary storage location for container images, '/var/tmp'.
      --url string                URL to access Podman service (CONTAINER_HOST) (default "unix:/run/podman/podman.sock")
  -v, --version                   Version of Podman
Use "podman [command] --help" for more information about a command.

Search for an image; podman searches the Red Hat registries and Docker Hub (the vast majority of the output is omitted):

[root@test-vm001 ~]# podman search httpd
redhat.com   registry.access.redhat.com/rhscl/httpd-24-rhel7                               Apache HTTP 2.4 Server                            0
redhat.com   registry.access.redhat.com/cloudforms46-beta/cfme-openshift-httpd             CloudForms is a management and automation pl...   0
redhat.io    registry.redhat.io/rhscl/httpd-24-rhel7                                       Apache HTTP 2.4 Server                            0
docker.io    docker.io/library/httpd                                                       The Apache HTTP Server Project                    3318    [OK]

Start a container:

[root@test-vm001 ~]# podman run -dt -p 8080:8080/tcp registry.fedoraproject.org/f29/httpd
Trying to pull registry.fedoraproject.org/f29/httpd...
Getting image source signatures
Copying blob d77ff9f653ce done
Copying blob aaf5ad2e1aa3 done
Copying blob 7692efc5f81c done
Copying config 25c76f9dcd done
Writing manifest to image destination
Storing signatures
efe658b567ec3758524abe65248a7045374e4a15b9493d8885889cfffce8d407

List the running containers:

[root@test-vm001 ~]# podman ps
CONTAINER ID  IMAGE                                        COMMAND               CREATED         STATUS             PORTS                   NAMES
efe658b567ec  registry.fedoraproject.org/f29/httpd:latest  /usr/bin/run-http...  24 seconds ago  Up 23 seconds ago  0.0.0.0:8080->8080/tcp  reverent_austin

Try accessing the service the container provides:

[root@test-vm001 ~]# curl http://localhost:8080

The output shows that the container is up and running.

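Look at the processes: the httpd container turns out to be a child process of podman (its parent, PID 8919, is podman's conmon process):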

[root@test-vm001 ~]# ps -ef | grep 8919
root        8919       1  0 07:34 ?        00:00:00 /usr/bin/conmon --api-vers...
1001        8930    8919  0 07:34 pts/0    00:00:00 httpd -D FOREGROUND
root        9290    5136  0 07:46 pts/0    00:00:00 grep --color=auto 8919
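An added example, not part of the original article: a check that reads `ps -ef` text like the listing above and reports the container's direct parent, whether that parent is owned by root, and whether the workload itself runs as root. The PID 1 row, the second sample, the user alice and the function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the article): classify a container workload from `ps -ef` text.
# SAMPLE_PS reuses the two process rows shown in the article; the PID 1 row is constructed.
SAMPLE_PS='root           1       0  0 07:00 ?        00:00:02 /usr/lib/systemd/systemd
root        8919       1  0 07:34 ?        00:00:00 /usr/bin/conmon --api-vers...
1001        8930    8919  0 07:34 pts/0    00:00:00 httpd -D FOREGROUND'

# Constructed counter-example: the same workload started by an unprivileged user (alice).
SAMPLE_ROOTLESS='alice       4100       1  0 09:00 ?        00:00:00 /usr/bin/conmon --api-vers...
101000      4111    4100  0 09:00 pts/0    00:00:00 httpd -D FOREGROUND'

# ancestry PID: read `ps -ef` rows on stdin, print "pid uid cmd" from PID upwards.
ancestry() {
  awk -v start="$1" '
    $2 ~ /^[0-9]+$/ { uid[$2] = $1; ppid[$2] = $3; cmd[$2] = $8 }   # skips the header row
    END {
      # Follow PPID links; the hop limit guards against a malformed, cyclic listing.
      for (p = start ""; (p in ppid) && hops < 64; p = ppid[p]) {
        hops++
        print p, uid[p], cmd[p]
      }
    }'
}

# classify PID: print "<monitor> <rootful|rootless> <workload-root|workload-nonroot>".
# The monitor is the workload's direct parent (conmon under podman).
classify() {
  ancestry "$1" | awk '
    NR == 1 { wuid = $2 }             # the workload process itself
    NR == 2 { muid = $2; mon = $3 }   # its direct parent
    END {
      if (mon == "") { print "unknown"; exit }
      mode  = (muid == "root" || muid == "0") ? "rootful" : "rootless"
      wroot = (wuid == "root" || wuid == "0") ? "workload-root" : "workload-nonroot"
      n = split(mon, parts, "/")      # keep only the binary name
      print parts[n], mode, wroot
    }'
}

# Stand-alone run on the article's rows:
printf '%s\n' "$SAMPLE_PS" | classify 8930
```

On a live host, feed it the real listing instead: `ps -ef | classify <pid>`.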

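podman is used to manage containers and pods; to build images you need buildah. There is also skopeo, a tool for working with remote registries and image signing, which we will cover next time.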
