Introduction to Podman: An alternative to Docker?


In this article we will have a look at a containerization and management tool called Podman. We will compare it with Docker, which is the most popular tool for containerization.

Table of contents:

  1. What is containerization?

  2. What is Docker?

  3. What is Podman?

  4. Comparison of Podman and Docker

  5. Can it be a replacement for Docker?

  6. Working together

What is containerization?

Containerization is the process of packaging everything the application needs, including its code and dependencies, into a container. A container separates the software from the operating system, so we don’t have to install all the dependencies on our operating system. It has its own virtual environment which provides an insulated space compatible with any environment.

This helped developers deploy their applications faster because there were no dependency issues or bugs. Containers worked uniformly across development and deployment phases.

What is Docker?

Docker is the standard and the oldest container management technology. It has so much impact on the industry that whenever we think of containers, we think of Docker. That is why whenever a new containerization tool pops up, it is compared with Docker. For more details on Docker refer to this article.

When Docker first started out, there were no alternatives for specific tasks related to containers, like load balancing, networking, etc. So it had to grow as a self-sufficient tool capable of managing all of those tasks itself.

But this self-sufficiency had its shortcomings. When other tools for specific tasks started to pop up, they had difficulty interacting with Docker. Podman was developed to solve this issue.

What is Podman?

Podman is an open-source, Linux-native tool for container management. It is designed to make it easy to find, run, build, share and deploy applications according to Open Containers Initiative (OCI) standards.

Podman provides a command line interface (CLI) familiar to anyone who has used the Docker Container Engine. It is a set of command line tools which are designed to handle different tasks for containerization:

Podman — pods and container image manager

Buildah — a container builder

Skopeo — a container image inspection manager

runc — container runner and feature builder for Podman and Buildah

crun — optional runtime that allows greater flexibility, control, and security for rootless containers

The name “Podman” means that it can create container “Pods” which work together. Pods can group separate containers together so we can manage them as a single unit. How is that useful? We can share resources, using different containers for the same application inside a pod: a container for the frontend, another for the backend, and a database.

This concept of “pods” is similar to Kubernetes pods. Therefore Kubernetes can use Podman. Pod definitions can be exported to a Kubernetes-compatible YAML file and be applied to a Kubernetes cluster. This allows containers to advance faster into production.

Why should someone use Podman? Podman is a unique tool which can work independently or side by side with Docker. It uses a Docker-compatible command line interface and can work with OCI-compatible container engines, which makes it easier to switch to Podman when Docker is already installed.

Comparison of Podman and Docker:

Although both Podman and Docker are great tools for container management, they have some differences which make either one preferable in certain situations.

i) Self-sustaining vs modular:

Docker was built to be self-sustaining, with everything the user needs in a single place (monolithic architecture), whereas Podman is modular, as it uses different specialized tools for specific tasks.

ii) Architectural differences:

Another major difference between Docker and Podman is that Docker uses a daemon to create images and run containers. A daemon is a program that runs in the background and handles processes and services. Podman has a daemon-less architecture. It launches pods and containers as child processes. Without a daemon, Podman needs another tool to manage services and containers running in the background. For this purpose, Podman can be integrated with systemd for creating control units for containers.

iii) Root Privileges:

Docker requires root privileges to communicate with the daemon because the daemon runs as the root user. Since Podman doesn’t require a daemon, it doesn’t need root privileges. Docker recently added support for rootless mode, but it requires users to install additional packages and storage drivers.

iv) Security:

Since Podman doesn’t require root privileges for containers, it is safer to use. Rootless containers are considered safer than containers with root privileges. Containers with root privileges, as in Docker, are a preferred gateway for attackers. Furthermore, Podman’s fork-exec architecture makes it even more secure: it lets the system record which user modified system files, while the client-server approach used by Docker does not. That is why Podman has much stricter audit logging.
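The audit-logging difference can be checked in Linux audit records: the `auid` (login UID) field is inherited across fork/exec from the user's login session, while a process started by a boot-time daemon carries the unset value 4294967295. The following is an added example, not code from the original article or from the Podman project; the log lines are constructed and the audit rule key `shadow-watch` is hypothetical.

```python
import re

# Values meaning "no login UID": raw logs use (uint32)-1, `ausearch -i` prints "unset".
UNSET_AUID = ("4294967295", "unset")

# Constructed auditd SYSCALL records (not captured from a real host); the
# audit keys "shadow-watch" and "other-rule" are hypothetical.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000001.101:501): arch=c000003e syscall=257 success=yes exit=3 ppid=2201 pid=2244 auid=1000 uid=0 gid=0 comm="touch" exe="/usr/bin/touch" key="shadow-watch"
type=SYSCALL msg=audit(1700000002.202:502): arch=c000003e syscall=257 success=yes exit=3 ppid=911 pid=2310 auid=4294967295 uid=0 gid=0 comm="touch" exe="/usr/bin/touch" key="shadow-watch"
type=SYSCALL msg=audit(1700000003.303:503): arch=c000003e syscall=257 success=yes exit=3 ppid=2201 pid=2399 auid=1001 uid=1001 gid=1001 comm="vi" exe="/usr/bin/vi" key="other-rule"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def parse_record(line):
    """Return a SYSCALL audit record as a dict, or None for any other line."""
    event = EVENT_RE.search(line)
    if not line.startswith("type=SYSCALL") or event is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["event_id"] = int(event.group(2))
    return fields


def attribute_events(log_text, key):
    """Return ({event_id: login_uid}, [event_ids with no login UID]) for one audit key."""
    attributed, unattributed = {}, []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec.get("key") != key or "auid" not in rec:
            continue
        if rec["auid"] in UNSET_AUID:
            unattributed.append(rec["event_id"])  # no user to hold accountable
        else:
            attributed[rec["event_id"]] = int(rec["auid"])
    return attributed, unattributed


if __name__ == "__main__":
    print(attribute_events(SAMPLE_LOG, "shadow-watch"))
```

Event 501 models a container process forked from a user's shell and stays tied to UID 1000 even though it runs as root; event 502 models a process whose parent is a daemon and cannot be attributed to anyone.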

v) Building images:

Docker has support for building images because of its all-in-one architecture. It uses the docker build command to build container images from a Dockerfile. Podman has a similar command, podman build, for building images. Under the hood, Podman uses Buildah, an open-source tool, to build images.

vi) Docker Swarm:

A Docker Swarm is a group of containers that have been configured to join together in a cluster. Initially Podman didn’t support Docker Swarm, but users can use tools such as Nomad to simulate this. This is another advantage of Podman’s modular architecture.

vii) Docker Compose:

Docker uses Docker Compose to automate the startup and management of multiple containers. Podman has added support for Docker Compose as well. However, previous versions of Podman didn’t have support for Docker Compose. They used something called Podman Compose, which was a less user-friendly alternative. The latest version of Podman now uses podman.socket to simulate Docker’s daemon.

viii) Command line similarities:

All of Docker’s commands are simple and intuitive. Commands like docker pull and docker run do exactly what we expect. Podman was built to easily replace Docker, so most of its commands are the same, just with ‘docker’ replaced by ‘podman’, like podman pull and podman run.

Can it be a replacement for Docker?

Well, that depends on the specific requirements or preferences of the developers. Both are powerful tools and have unique features.

Generally, developers prefer Docker when they need a well-documented tool. Since Docker is a very popular tool, its documentation is easily available and solutions to any problems can easily be found on the internet. Docker also has built-in support for container orchestration, while Podman relies on other tools which are not as simple and feature-rich as Docker’s.

Podman could be preferable if an organization places more emphasis on security, because its architecture is naturally more secure than Docker’s. Also, since Podman uses the pod concept, it makes it easier to transition to Kubernetes in the future.

Working together:

A lot of developers have been using both these technologies together because they are both OCI-compliant. By combining the added robustness from Docker and the additional security provided by Podman, developers can benefit across every stage of the software development lifecycle.

If you want to get started with Podman, here is the link for Linux machines.

Learning Resources:

community.cncf.io/events/details/cncf-islam..

slideshare.net/SaimSafder/podman-overview-a..

youtu.be/kJnxeinEWyA

devopscube.com/podman-tutorial-beginners

baeldung.com/ops/podman-intro

podman.io/getting-started