The story of docker and podman: one still on the rise, the other a new force emerging

Abstract: Although podman can serve as a replacement for docker, podman was not the protagonist of the "docker deprecation" episode. The protagonists of the "docker deprecation" carried out by Kubernetes are the other implementations of CRI, while podman, released by RedHat, is more cutting-edge. In real-world use, docker is still on the rise, yet podman has already emerged as a new force.

## 1 What is podman?

podman (Pod Manager) is a container management tool released by RedHat. It is positioned as a replacement for docker, and the experience of using it is similar to docker. podman grew out of the CRI-O project and can directly access an OCI implementation (such as runC), so its call path is shorter than docker's.

![](https://static001.geekbang.org/infoq/64/64f707e3d1c0d144c0ae977f07ebadcc.jpeg)

The main difference between the two is that podman is an open-source product, whereas docker has already become a commercial product.

podman's open-source code is maintained by RedHat's OpenShift project. The documentation on podman.io is not yet very complete, but for an ordinary developer, using podman as if it were docker is not very difficult.

https://podman.io/

https://github.com/containers/podman

Although the way RedHat promotes podman is still somewhat "ivory tower" and "academic", docker's own problems, together with considerations of standing in the open-source community, mean that podman is trending towards taking over docker's former position. One could even call it the general trend.

## 2 What are the main differences between podman and Docker?

When docker implements CRI, it needs a daemon, and it also needs to run as root, which brings security risks.

podman needs neither a daemon nor the root user to run, so in terms of logical architecture it is more reasonable than docker.

In docker's runtime stack, several daemons are needed before the OCI implementation runC can be invoked.

![](https://static001.geekbang.org/infoq/83/8300cada52f4544c65f42585b4c0edd7.png)

In the container management chain, the implementation of Docker Engine is the dockerd daemon, which on linux needs to run as root. dockerd calls containerd, containerd calls containerd-shim, and only then is runC called. As the name suggests, the shim acts as a "shim": it keeps the exit of the parent process from affecting the running container.

podman calls the OCI runtime (runC) directly and uses conmon as the management tool for container processes, but it does not need a daemon such as dockerd that runs as root.

In the podman stack there is a daemon process called conmon, whose path is usually /usr/libexec/podman/conmon. It is the parent process of each container process, one per container, and the parent of conmon is usually process 1. conmon in podman is effectively the counterpart of containerd-shim in the docker stack.

The figure below is often used to describe the difference between podman and docker.

![](https://static001.geekbang.org/infoq/5b/5b97c31180f77cc14e69af64c9885a61.png)

What the figure shows is that podman does not need a daemon, while docker does. In this diagram, docker's containerd-shim and podman's conmon are both placed in the Container layer.

## 3 How does using podman differ from using docker?

podman is also positioned to be compatible with docker, so its usage stays as close to docker as possible. Usage can be looked at from two angles: that of the system builder and that of the user.

For the system builder, podman's default software differs little from docker's; the differences lie in the process model and the process relationships. If you are used to debugging docker's several related processes, you will need to adapt under podman. The pstree command shows the process tree. Overall, podman is simpler than docker. Because podman has one daemon layer fewer than docker, its restart mechanism is also different.

For the user, podman's commands are largely compatible with docker's, covering the container runtime (run/start/kill/ps/inspect), local images (images/rmi/build) and image registries (login/pull/push). podman's command-line tool is therefore similar to docker's, for example when building images or starting and stopping containers. It can even be substituted with alias docker=podman. Consequently, even with podman you can still use docker.io as the image registry, which is the most crucial part of compatibility.

The figure below shows the second-level commands of docker and podman; they are very close.

![](https://static001.geekbang.org/infoq/86/861abb89a05426729f044fd12798e2a4.png)

Compared with docker, podman also lacks some features: for example, it does not support windows and does not support the docker-compose orchestration tool. Clearly, in a Kubernetes or OpenShift environment, these do not matter.

## 4 What else is related to podman?

podman is part of the Containers project on github, which also includes several related projects, all written in Go.

![](https://static001.geekbang.org/infoq/d9/d9ac5a0df820837b9e9b19aea1782291.png)

Below are the icons of the three programs podman, buildah and skopeo.

![](https://static001.geekbang.org/infoq/93/93743cf9bea2aabf0ba909182c01f6f7.jpeg)

podman, buildah and skopeo make up a complete container tooling system:

- The podman project is the replacement for the docker command; its official description is *A tool for managing OCI containers and pods*
- The buildah project implements scripted execution of dockerfiles; its official description is *A tool that facilitates building OCI images*
- The skopeo project handles image-related work such as inspecting, copying and signing; its official description is *Work with remote images registries - retrieving information, images, signing content*

buildah handles operations on images, similar to docker build, and can also perform operations such as push; skopeo handles operations on image registries, including cp, inspect and delete. Each has a fairly focused function, and both supplement the functionality of podman.

CentOS 8 no longer uses docker as its default containerization tool; the replacements are podman, buildah and skopeo.
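The process relationships described in section 2 (one conmon per container with process 1 as its parent, versus containerd-shim alongside root-owned dockerd and containerd daemons) can be read off a process listing. The following is an added example, not part of the original article; the `ps` sample is constructed, and the user `alice` and the workload names are assumptions.

```python
from collections import namedtuple

# Constructed sample of `ps -eo pid,ppid,user,comm`, not captured from a real host.
# comm is truncated to 15 characters, so containerd-shim-runc-v2 appears as below.
SAMPLE_PS = """\
  PID  PPID USER     COMMAND
    1     0 root     systemd
  640     1 root     sshd
  812     1 root     containerd
  845     1 root     dockerd
 2101     1 root     containerd-shim
 2123  2101 root     nginx
 3300     1 alice    conmon
 3312  3300 alice    python3
"""

Proc = namedtuple("Proc", "pid ppid user comm")
SUPERVISORS = {"conmon": "podman", "containerd-shim": "docker"}  # per-container parent -> engine
ENGINE_DAEMONS = {"dockerd", "containerd"}

def parse_ps(text):
    """Return {pid: Proc} from ps output, skipping the header line."""
    procs = {}
    for line in text.splitlines()[1:]:
        fields = line.split(None, 3)
        if len(fields) == 4:
            procs[int(fields[0])] = Proc(int(fields[0]), int(fields[1]), fields[2], fields[3])
    return procs

def root_engine_daemons(procs):
    """Long-running engine daemons that are owned by root."""
    return sorted(p.comm for p in procs.values()
                  if p.comm in ENGINE_DAEMONS and p.user == "root")

def container_workloads(procs):
    """Processes whose direct parent is a per-container supervisor."""
    found = []
    for p in procs.values():
        parent = procs.get(p.ppid)
        if parent is not None and parent.comm in SUPERVISORS:
            found.append({
                "pid": p.pid, "comm": p.comm, "user": p.user,
                "engine": SUPERVISORS[parent.comm],
                "supervisor_reparented_to_init": parent.ppid == 1,
                "root_on_host": p.user == "root",
            })
    return sorted(found, key=lambda c: c["pid"])

if __name__ == "__main__":
    procs = parse_ps(SAMPLE_PS)
    print("root engine daemons:", root_engine_daemons(procs))
    for c in container_workloads(procs):
        print(c)
```

On a real host, pass the output of `ps -eo pid,ppid,user,comm` to `parse_ps` instead of the sample.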