# Container Runtimes in 2026: Podman, Lima, containerd, and the End of Docker's Monopoly

Docker is no longer the only option. Podman has matured, Lima makes containers usable on macOS, and containerd has become the production standard. In 2026, choosing a container runtime means understanding what you are actually choosing. This is a frank breakdown.

## Docker's monopoly is over

Docker's dominance was always about convenience, not technical superiority. Its Docker daemon (dockerd) running with root privileges, its proprietary CLI, and its closed ecosystem were all trade-offs. By 2026 the alternatives are production-ready and fit most use cases.

## Podman: the daemonless, Docker-compatible option

Podman has become the choice of the security-conscious. With no daemon there is no root-privileged process to abuse, no single daemon whose crash takes every container with it, and integration with systemd is cleaner.

### Installation and setup

```bash
# macOS
brew install podman
podman machine init
podman machine start

# Linux (Fedora/RHEL already ship it)
sudo dnf install podman

# Verify
podman run --rm docker.io/library/alpine echo "Podman works!"
```
### Architecture without the magic

```bash
# Docker: daemon-based (root privilege required)
# dockerd runs as root; every container is a child of that root process
# (and anyone who can write to /var/run/docker.sock is effectively root)

# Podman: daemon-free (user privilege)
# Each container runs as a child of your own user process
# No root daemon = no root daemon to compromise

# Podman 5.x (2026) features:
# - Rootless containers by default
# - Pods (like Kubernetes pods)
# - cgroups v2 fully supported
# - Kubernetes YAML support (podman generate kube)
# - Docker-compatible CLI (alias docker=podman works)
```
### Pods, like Kubernetes

```bash
# Create a pod; published ports belong to the pod's shared network namespace
podman pod create --name myapp-pod \
  -p 8080:80 \
  -p 5432:5432

# Add containers to the pod
podman run -d --pod myapp-pod --name nginx docker.io/library/nginx:alpine
# postgres refuses to start without a superuser password; pass one via env or a secret
podman run -d --pod myapp-pod --name postgres \
  -e POSTGRES_PASSWORD=change-me \
  docker.io/library/postgres:16

# All containers in the pod share one network namespace:
#   inside the pod:  localhost:80   → nginx
#   inside the pod:  localhost:5432 → postgres
#   from the host:   localhost:8080 → nginx, localhost:5432 → postgres

# Generate Kubernetes YAML from the running pod
podman generate kube myapp-pod > myapp.yaml
# Now deploy to Kubernetes with zero changes
```
### Rootless containers

```bash
# Podman runs as your user, not root
$ podman run --rm alpine id
uid=0(root) gid=0(root)

# Wait, root? This is actually correct inside the container.
# The container's root is mapped to an unprivileged user on the host.

# Check the mapping from the host side
podman unshare cat /proc/self/uid_map
# Shows: 0 1000 1  (container uid 0 = host uid 1000; uids 1.. come from /etc/subuid)
# So even if a process escapes the container, it only holds your user's host privileges.
```
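To turn the `uid_map` check above into something you can script, here is an added example; it is not from the original post or from the Podman project. It assumes only POSIX `sh` and `awk`. The two sample maps are constructed: one mirrors the `0 1000 1` rootless line shown above plus a typical `/etc/subuid` allocation, the other is the identity mapping a rootful runtime shows. The `expected_uid_map` helper goes a step beyond the text and predicts the map from an `/etc/subuid` entry so the two can be compared.

```sh
#!/bin/sh
# Added example: interpret user-namespace uid maps the way the kernel does.
# Each uid_map line is "inside outside count": container uids
# inside..inside+count-1 map to host uids outside..outside+count-1.

# Constructed sample: what `podman unshare cat /proc/self/uid_map` typically
# shows for a rootless user with host uid 1000 and subuid range 100000-165535.
ROOTLESS_MAP='         0       1000          1
         1     100000      65536'

# Constructed sample: a rootful runtime (identity mapping of the whole uid space).
ROOTFUL_MAP='         0          0 4294967295'

# host_uid_for MAP_TEXT CONTAINER_UID
# Prints the host uid that CONTAINER_UID lands on, or "unmapped" if no range covers it.
host_uid_for() {
  printf '%s\n' "$1" | awk -v want="$2" '
    NF == 3 && want >= $1 && want < $1 + $3 { print $2 + (want - $1); found = 1; exit }
    END { if (!found) print "unmapped" }'
}

# expected_uid_map HOST_UID SUBUID_LINE
# Builds the uid_map rootless Podman will create from an /etc/subuid entry
# ("user:start:count"): container root -> HOST_UID, container uids 1.. -> the subuid range.
expected_uid_map() {
  start=$(printf '%s' "$2" | cut -d: -f2)
  count=$(printf '%s' "$2" | cut -d: -f3)
  printf '0 %s 1\n1 %s %s\n' "$1" "$start" "$count"
}

# rootless_ok MAP_TEXT
# Succeeds only if container root maps to a non-zero host uid, i.e. a process
# that escapes the container still does not hold host root.
rootless_ok() {
  case "$(host_uid_for "$1" 0)" in
    unmapped|0) return 1 ;;
    *)          return 0 ;;
  esac
}

# Demo on the constructed samples
echo "rootless: container uid 0     -> host uid $(host_uid_for "$ROOTLESS_MAP" 0)"
echo "rootless: container uid 65536 -> host uid $(host_uid_for "$ROOTLESS_MAP" 65536)"
echo "rootless: container uid 70000 -> host uid $(host_uid_for "$ROOTLESS_MAP" 70000)"
rootless_ok "$ROOTLESS_MAP" && echo "rootless map: OK"
rootless_ok "$ROOTFUL_MAP"  || echo "rootful map: container root IS host root"
```

On a real host, feed it the live map with `host_uid_for "$(podman unshare cat /proc/self/uid_map)" 0` and compare against `expected_uid_map "$(id -u)" "$(grep "^$(id -un):" /etc/subuid)"`; a mismatch usually means the subuid range was never allocated and Podman fell back to a single-uid map, which breaks images that switch users.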
### Dockerfile compatibility

```bash
# Podman builds Dockerfiles directly; just point it at your existing ones
podman build -t myapp:latest .

# Push to a registry. The docker:// transport speaks the Docker Registry v2 /
# OCI Distribution API, so one transport covers Docker Hub, GHCR, Harbor, etc.
podman push myapp:latest docker://registry.example.com/myapp:latest
# or write an OCI image layout to a local directory (no registry involved)
podman push myapp:latest oci:./myapp-oci:latest
```
## Lima: macOS containers that actually work

Docker Desktop on macOS was always a compromise: a full Linux VM running Docker. Lima gives you the same result with less overhead.

### The problems with Docker Desktop on macOS

```bash
# Docker Desktop:
# - Runs a full Alpine Linux VM (2-4GB RAM)
# - Shares your file system via osxfs (slow)
# - Virtual USB/network stack
# - $0-$21/month depending on company size

# Lima:
# - Uses macOS native virtualization (Hypervisor.framework)
# - Better performance
# - Native file sharing (virtiofs)
# - Free and open source
```
### Setting up Lima

```bash
# Install
brew install lima

# Create and start an instance from the default template
limactl start

# The default template gives you an Ubuntu LTS VM with:
# - containerd + nerdctl (rootless by default)
# - BuildKit
# - Rootful + rootless containerd support

# Use nerdctl in the guest the way you would use docker
limactl shell default nerdctl build -t myapp .
limactl shell default nerdctl run -p 8080:80 myapp
# If you want the docker CLI itself, start from the docker template instead:
#   limactl start template://docker
```
### Custom Lima configuration

```yaml
# ~/.lima/myapp/lima.yaml (or any file passed to: limactl start ./lima.yaml)
# NOTE: the image locations below are placeholders; point them at a real
# cloud image file (.qcow2/.img) for each architecture, not at a YAML file.
images:
  - location: "<ALPINE_IMAGE_URL_x86_64>"
    arch: "x86_64"
  - location: "<ALPINE_IMAGE_URL_aarch64>"
    arch: "aarch64"

# Provisioning scripts run once, in order, when the instance is created
provision:
  - mode: system   # runs as root inside the VM
    script: |
      #!/bin/sh
      set -eu
      # Install containerd, Docker, the compose plugin and BuildKit (Alpine packages)
      apk add --no-cache \
        containerd \
        docker \
        docker-cli-compose \
        buildkit
      mkdir -p /etc/docker
      cat > /etc/docker/daemon.json <<'EOF'
      {
        "registry-mirrors": ["https://mirror.gcr.io"],
        "storage-driver": "overlay2"
      }
      EOF
      # Alpine uses OpenRC, not systemd, so there is no systemctl here
      rc-update add docker default
      rc-service docker start
  - mode: user     # runs as the unprivileged Lima user
    script: |
      #!/bin/sh
      # Let the user reach the daemon socket without sudo
      sudo addgroup "$(id -un)" docker

mounts:
  - location: "~"
    writable: true
  - location: "/tmp/lima"
    writable: true

networks:
  - lima: bridged   # needs socket_vmnet; use "shared" if you have not set it up

cpus: 4
memory: "8GiB"
disk: "100GiB"
```
## containerd: the production standard

containerd is what runs inside Docker and Kubernetes. You can use it directly for simpler, more secure deployments.

### Why use containerd directly

```bash
# Docker stack (Docker Inc.'s product):
# docker CLI → dockerd (daemon) → containerd → runc → containers

# containerd directly:
# ctr CLI (or nerdctl) → containerd → runc → containers

# Benefits:
# - Smaller attack surface (no dockerd, no world-reachable Docker API socket)
# - Direct access to OCI images
# - Better integration with Kubernetes
# - Simpler debugging
```
### Using ctr (the containerd CLI)

```bash
# Install
apt install containerd

# Pull images
ctr images pull docker.io/library/nginx:alpine

# List images
ctr images ls

# Run a container (interactive shell, removed on exit)
ctr run -t --rm docker.io/library/alpine:latest test-container ash

# Manage namespaces; containerd namespaces are separate views, so
# `ctr containers ls` only shows the "default" namespace (Kubernetes uses "k8s.io")
ctr ns ls
ctr -n k8s.io containers ls
```

Note that `ctr` is shipped as a debugging tool and its interface is not considered stable; for day-to-day work use nerdctl.
### nerdctl: a Docker-compatible CLI for containerd

```bash
# Install (on macOS nerdctl runs inside a Lima VM, e.g. `lima nerdctl`)
brew install nerdctl

# nerdctl works like docker but talks to containerd
nerdctl build -t myapp:latest .
nerdctl run -p 8080:80 myapp:latest
nerdctl compose up

# Extra features nerdctl adds:
# - Image encryption (nerdctl image encrypt, OCIcrypt)
# - BuildKit with the containerd snapshotter
# - Gzip compression for images
# - Lazy pulling (stargz)
```
## BuildKit: faster builds with cache mounts

BuildKit is the modern build engine for Docker, Podman and containerd. It handles parallel builds, caches well, and manages layers more efficiently.

### buildkitd.toml

```toml
# /etc/buildkit/buildkitd.toml
[registry."docker.io"]
  # Pull-through mirror for Docker Hub
  mirrors = ["mirror.gcr.io"]

# Only for a private registry that genuinely has no valid TLS certificate
# (placeholder host). Never mark a public registry insecure: skipping TLS
# verification lets anyone on the path substitute image content.
[registry."registry.internal.example:5000"]
  insecure = true

[worker.oci]
  max-parallelism = 4          # limit concurrent builds
  snapshotter = "overlayfs"    # faster than the native snapshotter
```
### Build commands with caching

```bash
# Build with inline cache (embed cache metadata in the image so a later
# build, even on another machine, can reuse the layers)
docker build --build-arg BUILDKIT_INLINE_CACHE=1 -t myapp:latest .

# Build with a cache mount. The Dockerfile is read from stdin (-f -);
# the build context is still the current directory.
docker build -t myapp:latest -f - . <<'EOF'
# syntax=docker/dockerfile:1.7
FROM node:20-alpine
WORKDIR /app
COPY package*.json ./
# /root/.npm is npm's download cache; the mount keeps it between builds
# without it ever landing in an image layer
RUN --mount=type=cache,target=/root/.npm \
    npm ci --omit=dev
COPY . .
EOF
# The npm download cache persists across builds, so `npm ci` skips re-downloading
# tarballs; node_modules itself is still installed fresh each build.
```
### Multi-platform builds

```bash
# Build for multiple architectures at once
docker buildx create --use
docker buildx inspect --bootstrap

docker buildx build \
  --platform linux/amd64,linux/arm64 \
  --tag myapp:latest \
  --push \
  .

# This builds simultaneously for:
# - amd64 (Intel/AMD)
# - arm64 (Apple Silicon, ARM servers)
# and pushes a manifest list to the registry
```
### Kubernetes with containerd

```toml
# Kubernetes node configuration for containerd
# /etc/containerd/config.toml
version = 2

[plugins."io.containerd.grpc.v1.cri"]
  sandbox_image = "registry.k8s.io/pause:3.9"

  [plugins."io.containerd.grpc.v1.cri".containerd]
    default_runtime_name = "runc"
    snapshotter = "overlayfs"

    [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
      runtime_type = "io.containerd.runc.v2"
      privileged_without_host_devices = false

      [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
        BinaryName = "/usr/bin/runc"
        SystemdCgroup = true   # must match the kubelet's cgroup driver on systemd hosts

  [plugins."io.containerd.grpc.v1.cri".registry]
    config_path = "/etc/containerd/certs.d"   # per-registry hosts.toml (mirrors, TLS)
```
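Config files like the one above tend to drift on long-lived nodes, so here is an added example of a small review script; it is not from the original post or from the containerd project. It greps a CRI `config.toml` for three settings worth flagging in review: `SystemdCgroup` not set to `true`, `disable_apparmor = true`, and `insecure_skip_verify = true` on a registry TLS block. It does not parse TOML (a key inside a comment block or a differently named table would fool it). The two sample configs are constructed inline: one hardened like the snippet above, one deliberately weakened; the registry hostname in the weak sample is a placeholder.

```sh
#!/bin/sh
# Added example: grep-level review of containerd CRI settings.

# Constructed sample: a hardened config, written to a temp file
HARDENED_CFG=$(mktemp)
cat > "$HARDENED_CFG" <<'EOF'
version = 2
[plugins."io.containerd.grpc.v1.cri"]
  sandbox_image = "registry.k8s.io/pause:3.9"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
  SystemdCgroup = true
[plugins."io.containerd.grpc.v1.cri".registry]
  config_path = "/etc/containerd/certs.d"
EOF

# Constructed sample: a weakened config with three settings a reviewer should flag
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
version = 2
[plugins."io.containerd.grpc.v1.cri"]
  disable_apparmor = true
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
  SystemdCgroup = false
[plugins."io.containerd.grpc.v1.cri".registry.configs."registry.internal.example".tls]
  insecure_skip_verify = true
EOF
trap 'rm -f "$HARDENED_CFG" "$WEAK_CFG"' EXIT

# key_is FILE KEY VALUE: true if FILE has an uncommented line "KEY = VALUE"
key_is() {
  grep -Eq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*$3[[:space:]]*(#.*)?$" "$1"
}

# audit_containerd_config FILE: print one finding per line (nothing if clean)
audit_containerd_config() {
  f="$1"
  key_is "$f" SystemdCgroup true || \
    echo "WARN SystemdCgroup is not true: cgroup driver will not match a systemd-based kubelet"
  key_is "$f" disable_apparmor true && \
    echo "WARN disable_apparmor = true: CRI pods lose their AppArmor confinement"
  key_is "$f" insecure_skip_verify true && \
    echo "WARN insecure_skip_verify = true: registry TLS is not verified (image substitution risk)"
  return 0
}

# count_findings FILE: number of findings, printed on stdout
count_findings() {
  audit_containerd_config "$1" | grep -c . || true
}

# Demo on the constructed samples
echo "hardened config: $(count_findings "$HARDENED_CFG") finding(s)"
echo "weak config:     $(count_findings "$WEAK_CFG") finding(s)"
audit_containerd_config "$WEAK_CFG"
```

On a node, run `audit_containerd_config /etc/containerd/config.toml`; a non-zero count is a prompt to look at the file, not a verdict, since the script only matches literal `key = value` lines.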
## Decision framework

| Tool | Best for | Install | Complexity |
|---|---|---|---|
| Docker | Beginners, cross-platform development | Easy | Low |
| Podman | Security-focused teams, Linux developers | Easy | Medium |
| Lima | macOS users who want performance | Easy | Medium |
| containerd | Production Kubernetes nodes | Manual | High |
### The cost of Docker Desktop

```bash
# Docker Desktop pricing (2026):
# - Individuals: Free
# - Small business (<250 employees, <$10M): Free
# - Medium business: $21/month/user
# - Large business: Commercial license required

# Alternatives:
# - Podman: Free
# - Lima: Free
# - Rancher Desktop: Free (macOS/Windows)
# - OrbStack: Free (macOS, faster than Lima)
```
## Takeaways

Docker isn't going away; it is still the most compatible choice. But in 2026 you genuinely have options:

- macOS users: try OrbStack or Lima first, then Docker Desktop
- Security-conscious teams: Podman is ready for production now
- Running Kubernetes: you are already on containerd; use it directly
- Everyone else: Docker still works fine

The era of "Docker is containers" is over. Containers are infrastructure, and infrastructure deserves a deliberate choice.

Will you pick a Docker alternative in 2026? What does your setup look like?