Podman: The Rootless Docker Alternative
For many developers, Docker was their first exposure to the wonderful world of containers. Containers have changed the way we develop and ship software, and the pace of change isn’t slowing down. As containerization technology matures and becomes more widely adopted, there is a growing desire to bring open standards to the field, and this is where Podman comes in. Podman is a rootless Docker alternative that implements Open Container Initiative (OCI) standards to give developers and companies the benefits of Docker, delivering some promising new features without some of the limitations, like requiring root access.
Why Should You Care about Podman?
If you are familiar with using Docker on the command line, you’re already most of the way to using Podman. Like Docker, Podman is OCI-compliant. The OCI is a self-described “open governance structure for the express purpose of creating open industry standards around container formats and runtimes.” To be compliant means that the two tools are both able to build and run OCI-compliant images, so an image built with one can be pulled and run by the other. Furthermore, because Podman’s CLI mirrors Docker’s for nearly every everyday command (run, build, pull, push, ps, exec, and so on), it can be treated as a drop-in replacement for most workflows. The Podman project itself even suggests just creating an alias to point calls to docker straight at podman.
It’s clear that the two have a lot in common, but where do the differences lie? The greatest and most often touted difference is, as the title suggests, that Podman is daemonless and can run rootless. These are two separate properties. Docker works by having a long-lived daemon (dockerd, which runs as root by default) that the CLI tool talks to over a socket to perform operations on your containers and images. Podman has no daemon: each podman command does the equivalent work directly in a short-lived process, like any other command-line tool. Because there is no privileged daemon in the middle, an ordinary user can run Podman entirely within their own account, with the container’s root user mapped onto that user’s subordinate UID range through a user namespace. Docker has since gained an optional rootless mode, but it is not the default installation.
The second big difference is that, unlike Docker, Podman allows you to create and manage organizational groups of containers known as “pods”. You are likely to be familiar with pods if you’ve spent much time working with Kubernetes: the containers in a pod share a network namespace (the same localhost) and can be started and stopped as a unit. This is a feature that Docker doesn’t currently have at all.
So even if Podman is a drop-in replacement, why would you want to use it over Docker? Aside from the presence of pods, which will be explored more below, Podman has some compelling benefits. Chief among these are the security improvements. Podman is more secure than Docker in a few ways, but the most obvious one is that users do not need root privileges to run containers with Podman. Although best practices mitigate the risks, it is still possible for malicious software to break out of its container and cause havoc on the host. If this happens, you do not want to be flaunting root privileges where they are not strictly needed, as is often the case with a poorly configured Docker host: because the Docker CLI talks to a daemon running as root, anyone who can reach that daemon’s socket (for example, any member of the docker group) can effectively become root. With rootless Podman there is no root daemon and no root-owned socket, and a process that escapes the container lands in the context of the unprivileged user who started it, with only that user’s permissions. The escape is still a serious incident, but its blast radius is a single user account rather than the whole host.
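A practical way to confirm that a container really is rootless is to look at its user-ID mapping: inside any container, /proc/self/uid_map lists how container UIDs map to host UIDs. The script below is an added example (not part of the original article or of the Podman project); it parses that file's format and reports whether container root is backed by an unprivileged host user. The uid_map contents it checks are constructed samples; on a real system you would run the command given in the comment.

```sh
#!/bin/sh
# Added example: decide from a container's /proc/self/uid_map whether its root
# user is really mapped to an unprivileged host uid.
#
# On a real host, capture the mapping with (rootless podman assumed):
#   podman run --rm alpine cat /proc/self/uid_map
# The sample mappings at the bottom are constructed, not captured output.

# host_uid_of_container_root: reads uid_map lines from stdin and prints the
# host uid that container uid 0 maps to. Each line has the form:
#   <first uid inside container> <first uid on host> <number of uids>
host_uid_of_container_root() {
    while read -r inner outer count; do
        [ -z "$inner" ] && continue
        # container uid 0 is covered by this range if inner <= 0 < inner+count
        if [ "$inner" -le 0 ] && [ 0 -lt $((inner + count)) ]; then
            echo $((outer - inner))
            return 0
        fi
    done
    echo "unmapped"
    return 1
}

# rootless_check: prints "rootless" when container root is an ordinary host
# user (exit 0), "privileged" when it is host uid 0 (exit 1), or "unmapped"
# when uid 0 has no mapping at all (exit 2).
rootless_check() {
    uid=$(host_uid_of_container_root) || { echo "unmapped"; return 2; }
    if [ "$uid" -eq 0 ]; then
        echo "privileged"
        return 1
    fi
    echo "rootless"
    return 0
}

# Constructed sample: typical rootless podman output when the invoking user is
# uid 1000 and /etc/subuid gives that user the range starting at 100000.
ROOTLESS_MAP='         0       1000          1
         1     100000      65536'

# Constructed sample: a container started by a root daemon with no user
# namespace shows an identity mapping covering every uid.
ROOT_MAP='         0          0 4294967295'

# Demonstration: print a verdict for each sample (ignore the exit code here).
for sample in "$ROOTLESS_MAP" "$ROOT_MAP"; do
    printf '%s\n' "$sample" | rootless_check || :
done
```

The first sample shows the important property: container uid 0 is host uid 1000, and uids 1 and above are taken from the subordinate range, so nothing the container does as "root" carries host-root authority. An identity mapping like the second sample is exactly what you see inside a container run by a root daemon, and it is the case the rest of this section is warning about.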