podman on Astroicers Bloghttps://astroicers.link/tags/podman.htmlRecent content in podman on Astroicers BlogHugo -- gohugo.ioenTue, 28 Apr 2026 00:00:00 +0000Podman 無守護程序容器引擎https://astroicers.link/p/podman-%E7%84%A1%E5%AE%88%E8%AD%B7%E7%A8%8B%E5%BA%8F%E5%AE%B9%E5%99%A8%E5%BC%95%E6%93%8E.htmlTue, 28 Apr 2026 00:00:00 +0000https://astroicers.link/p/podman-%E7%84%A1%E5%AE%88%E8%AD%B7%E7%A8%8B%E5%BA%8F%E5%AE%B9%E5%99%A8%E5%BC%95%E6%93%8E.html<h2 id="專案簡介">專案簡介</h2> <p><a class="link" href="https://github.com/containers/podman" target="_blank" rel="noopener" >Podman</a> 是一個無守護程序(daemonless)的容器引擎,可以作為 Docker 的替代品。支援 rootless 容器、Pod 管理,與 Docker CLI 完全相容。</p> <p><strong>GitHub Stars</strong>: 30K+</p> <h2 id="主要功能">主要功能</h2> <ul> <li><strong>無守護程序</strong> - 直接執行,無需 daemon</li> <li><strong>Rootless</strong> - 無需 root 權限</li> <li><strong>OCI 相容</strong> - 標準容器格式</li> <li><strong>Pod 支援</strong> - 原生 Pod 管理</li> <li><strong>Docker 相容</strong> - 相同的 CLI 指令</li> </ul> <h2 id="安裝">安裝</h2> <h3 id="ubuntudebian">Ubuntu/Debian</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo apt update </span></span><span class="line"><span class="cl">sudo apt install podman </span></span></code></pre></td></tr></table> </div> </div><h3 id="fedorarhel">Fedora/RHEL</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo dnf install podman </span></span></code></pre></td></tr></table> </div> </div><h3 id="macos">macOS</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">brew install podman </span></span><span class="line"><span class="cl">podman machine init </span></span><span class="line"><span class="cl">podman machine start </span></span></code></pre></td></tr></table> </div> </div><h2 id="基本使用">基本使用</h2> <h3 id="docker-相容指令">Docker 相容指令</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 執行容器</span> </span></span><span class="line"><span class="cl">podman run -d -p 8080:80 nginx </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 列出容器</span> </span></span><span class="line"><span class="cl">podman ps </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 停止容器</span> </span></span><span class="line"><span class="cl">podman stop &lt;container-id&gt; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 刪除容器</span> </span></span><span class="line"><span class="cl">podman rm &lt;container-id&gt; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 查看日誌</span> </span></span><span class="line"><span class="cl">podman logs &lt;container-id&gt; </span></span></code></pre></td></tr></table> </div> </div><h3 id="別名設定">別名設定</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 可以設定 alias</span> </span></span><span class="line"><span class="cl"><span class="nb">alias</span> <span class="nv">docker</span><span class="o">=</span>podman </span></span></code></pre></td></tr></table> </div> </div><h2 id="映像管理">映像管理</h2> <h3 id="拉取和推送">拉取和推送</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 從 Docker Hub 拉取</span> </span></span><span class="line"><span class="cl">podman pull docker.io/nginx </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 從其他 Registry</span> </span></span><span class="line"><span class="cl">podman pull quay.io/podman/hello </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 推送映像</span> </span></span><span class="line"><span class="cl">podman push myimage:tag registry.example.com/myimage:tag </span></span></code></pre></td></tr></table> </div> </div><h3 id="建立映像">建立映像</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 使用 Dockerfile</span> </span></span><span class="line"><span class="cl">podman build -t myapp:latest . </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 使用 Containerfile(推薦)</span> </span></span><span class="line"><span class="cl">podman build -f Containerfile -t myapp:latest . </span></span></code></pre></td></tr></table> </div> </div><h3 id="映像管理-1">映像管理</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 列出映像</span> </span></span><span class="line"><span class="cl">podman images </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 刪除映像</span> </span></span><span class="line"><span class="cl">podman rmi &lt;image-id&gt; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 清理未使用</span> </span></span><span class="line"><span class="cl">podman image prune -a </span></span></code></pre></td></tr></table> </div> </div><h2 id="rootless-容器">Rootless 容器</h2> <h3 id="設定">設定</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 檢查 subuid/subgid</span> </span></span><span class="line"><span class="cl">cat /etc/subuid </span></span><span class="line"><span class="cl">cat /etc/subgid </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 如果沒有,新增</span> </span></span><span class="line"><span class="cl">sudo usermod --add-subuids 100000-165535 --add-subgids 100000-165535 <span class="nv">$USER</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="執行">執行</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 以普通使用者執行</span> </span></span><span class="line"><span class="cl">podman run -d nginx </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 使用者命名空間</span> </span></span><span class="line"><span class="cl">podman unshare cat /proc/self/uid_map </span></span></code></pre></td></tr></table> </div> </div><h3 id="端口限制">端口限制</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 非 root 無法綁定 &lt; 1024 端口</span> </span></span><span class="line"><span class="cl"><span class="c1"># 使用高端口</span> </span></span><span class="line"><span class="cl">podman run -d -p 8080:80 nginx </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 或設定權限</span> </span></span><span class="line"><span class="cl">sudo sysctl net.ipv4.ip_unprivileged_port_start<span class="o">=</span><span class="m">80</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="pod-管理">Pod 管理</h2> <h3 id="建立-pod">建立 Pod</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 建立 Pod</span> </span></span><span class="line"><span class="cl">podman pod create --name mypod -p 8080:80 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 在 Pod 中運行容器</span> </span></span><span class="line"><span class="cl">podman run -d --pod mypod nginx </span></span><span class="line"><span class="cl">podman run -d --pod mypod redis </span></span></code></pre></td></tr></table> </div> </div><h3 id="管理-pod">管理 Pod</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 列出 Pod</span> </span></span><span class="line"><span class="cl">podman pod ls </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Pod 狀態</span> </span></span><span class="line"><span class="cl">podman pod stats mypod </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 停止 Pod</span> </span></span><span class="line"><span class="cl">podman pod stop mypod </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 刪除 Pod</span> </span></span><span class="line"><span class="cl">podman pod rm mypod </span></span></code></pre></td></tr></table> </div> </div><h3 id="pod-yaml">Pod YAML</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 從 Pod 產生 YAML</span> </span></span><span class="line"><span class="cl">podman generate kube mypod &gt; mypod.yaml </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 從 YAML 建立 Pod</span> </span></span><span class="line"><span class="cl">podman play kube mypod.yaml </span></span></code></pre></td></tr></table> </div> </div><h2 id="podman-compose">Podman Compose</h2> <h3 id="安裝-1">安裝</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">pip install podman-compose </span></span></code></pre></td></tr></table> </div> </div><h3 id="使用">使用</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 啟動</span> </span></span><span class="line"><span class="cl">podman-compose up -d </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 停止</span> </span></span><span class="line"><span class="cl">podman-compose down </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 日誌</span> </span></span><span class="line"><span class="cl">podman-compose logs </span></span></code></pre></td></tr></table> </div> </div><h3 id="docker-composeyml">docker-compose.yml</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">version</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;3.8&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">services</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">web</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">nginx</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ports</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;8080:80&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./html:/usr/share/nginx/html</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">db</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">postgres</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">environment</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">POSTGRES_PASSWORD</span><span class="p">:</span><span class="w"> </span><span class="l">secret</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h2 id="quadletsystemd-整合">Quadlet(Systemd 整合)</h2> <h3 id="建立服務">建立服務</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-ini" data-lang="ini"><span class="line"><span class="cl"><span class="c1"># ~/.config/containers/systemd/webapp.container</span> </span></span><span class="line"><span class="cl"><span class="k">[Container]</span> </span></span><span class="line"><span class="cl"><span class="na">Image</span><span class="o">=</span><span class="s">docker.io/nginx</span> </span></span><span class="line"><span class="cl"><span class="na">PublishPort</span><span class="o">=</span><span class="s">8080:80</span> </span></span><span class="line"><span class="cl"><span class="na">Volume</span><span class="o">=</span><span class="s">./html:/usr/share/nginx/html</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">[Service]</span> </span></span><span class="line"><span class="cl"><span class="na">Restart</span><span class="o">=</span><span class="s">always</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">[Install]</span> </span></span><span class="line"><span class="cl"><span class="na">WantedBy</span><span class="o">=</span><span class="s">default.target</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="管理">管理</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 重新載入</span> </span></span><span class="line"><span class="cl">systemctl --user daemon-reload </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 啟動</span> </span></span><span class="line"><span class="cl">systemctl --user start webapp </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 開機啟動</span> </span></span><span class="line"><span class="cl">systemctl --user <span class="nb">enable</span> webapp </span></span></code></pre></td></tr></table> </div> </div><h2 id="網路">網路</h2> <h3 id="建立網路">建立網路</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 建立</span> </span></span><span class="line"><span class="cl">podman network create mynet </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 使用網路</span> </span></span><span class="line"><span class="cl">podman run -d --network mynet --name web nginx </span></span><span class="line"><span class="cl">podman run -d --network mynet --name db postgres </span></span></code></pre></td></tr></table> </div> </div><h3 id="網路類型">網路類型</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Bridge(預設)</span> </span></span><span class="line"><span class="cl">podman network create --driver bridge mynet </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 主機網路</span> </span></span><span class="line"><span class="cl">podman run --network host nginx </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 無網路</span> </span></span><span class="line"><span class="cl">podman run --network none nginx </span></span></code></pre></td></tr></table> </div> </div><h2 id="volume-管理">Volume 管理</h2> <h3 id="建立-volume">建立 Volume</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 建立</span> </span></span><span class="line"><span class="cl">podman volume create mydata </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 使用</span> </span></span><span class="line"><span class="cl">podman run -v mydata:/data nginx </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 列出</span> </span></span><span class="line"><span class="cl">podman volume ls </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 刪除</span> </span></span><span class="line"><span class="cl">podman volume rm mydata </span></span></code></pre></td></tr></table> </div> </div><h2 id="安全功能">安全功能</h2> <h3 id="無權限容器">無權限容器</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 移除所有 capabilities</span> </span></span><span class="line"><span class="cl">podman run --cap-drop<span class="o">=</span>all nginx </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 只保留必要的</span> </span></span><span class="line"><span class="cl">podman run --cap-drop<span class="o">=</span>all --cap-add<span class="o">=</span>net_bind_service nginx </span></span></code></pre></td></tr></table> </div> </div><h3 id="selinux">SELinux</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 啟用 SELinux 標籤</span> </span></span><span class="line"><span class="cl">podman run -v /data:/data:Z nginx </span></span></code></pre></td></tr></table> </div> </div><h3 id="唯讀根檔案系統">唯讀根檔案系統</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">podman run --read-only nginx </span></span></code></pre></td></tr></table> </div> </div><h2 id="與-docker-差異">與 Docker 差異</h2> <table> <thead> <tr> <th>功能</th> <th>Docker</th> <th>Podman</th> </tr> </thead> <tbody> <tr> <td>守護程序</td> <td>需要</td> <td>不需要</td> </tr> <tr> <td>Rootless</td> <td>選配</td> <td>預設</td> </tr> <tr> <td>Swarm</td> <td>支援</td> <td>不支援</td> </tr> <tr> <td>Compose</td> <td>原生</td> <td>podman-compose</td> </tr> <tr> <td>Pod</td> <td>不支援</td> <td>原生支援</td> </tr> </tbody> </table> <h2 id="相關連結">相關連結</h2> <ul> <li><a class="link" href="https://github.com/containers/podman" target="_blank" rel="noopener" >GitHub Repository</a></li> <li><a class="link" href="https://podman.io/docs" target="_blank" rel="noopener" >官方文件</a></li> </ul> <h2 id="延伸閱讀">延伸閱讀</h2> <ul> <li><a class="link" href="https://astroicers.link/p/docker-basic-concepts/" >Docker 基本概念</a></li> <li><a class="link" href="https://astroicers.link/p/docker-rootless/" >Docker Rootless 模式</a></li> <li><a class="link" href="https://astroicers.link/p/kubernetes-namespace/" >Kubernetes 入門</a></li> </ul>