Skip Docker, Use Podman

Podman is a tool for building and running containers much like Docker — but the two systems were built with different view on how containers should work. Docker wasn’t the first container engine but these days it pretty much defines how container-based development and containers work. While Docker is a widely-used and well-known container engine, Podman has been gaining traction due to its lightweight architecture, ease of use, and enhanced security features.

So why consider Podman??? Overhead, simplicity and security

Overhead… Podman is similar to Docker, but architecturally simpler and much easier to use. Where Docker was designed to use continuously running background daemon to create and manage images and run containers, Podman uses separate parent processes for every container — each starts, runs and ends independently — meaning that when there are no containers running there are no wasted resources. Podman offers less overhead, minimalist networking and a much smaller attack surface than Docker. Podman launches and manages containers for you and saves time and hassle by not having to set up the a more complicated Docker environment.

Simplicity… Podman has a Docker compatible CLI Its command line interface allows you to build and manage Docker compatible containers. The goal is to make containerization as easy as possible with much less overhead and complexity. If you are planning to run a manage many various containers fairly constantly then Docker may be for you, but if you only want to run a single or couple containers or you only want to quickly start and run a single container you really should really be using Podman. With Docker you need to install and run a number of system daemons (system servers) that will run and manage the Docker images. These daemons run and use system resources even if no containers are running. With Podman there are no long running daemons, Podman only runs while the container is running. This makes it really simple to start a new process from a container/image… they can be easily started with very little overhead using systemd, shell script, a cronjob or from the shell. And they are just as easily stopped.

The Podman CLI is completely compatible with the Docker CLI. In most all cases, just replace the name “docker” with “podman” — for example if you wanted to list all of the available images using the Docker CLI you would type: docker images… to do the same with Podman you would type podman images. If you wanted to see all of the running containers using docker you might type: docker ps -a and with Podman you would type: podman ps -a

Security… Docker, as mentioned above uses a daemon and that daemon runs as ROOT! This is a potential attack point. Docker can be run securely, but it requires some extra effort. With Podman you can root containers as ROOT, if you need to, but you can also run what is known as Rootless containers, so the container only has the privileges of the user that is running it.

For simple containerization you will likely find that podman provides less overhead, meaning you can run more processes on your system and that the containers might run a bit faster. If you want even more of an improvement consider using ArchLinux.

How to install Podman

Only some linux distribution there is a podman package available. However you install a package, whether with atp, yay, yum, … try to install “podman”. If that doesn’t work here are the steps necessary for a Debian system:

  1. source /etc/os-release
  2. sudo sh -c “echo ‘deb${VERSION_ID}/ /’ > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list”
  3. wget -nv${VERSION_ID}/Release.key -O- | sudo apt-key add –
  4. sudo apt-get update -qq
  5. sudo apt-get -qq — yes install podman

Once the installation completes try the following commands:
podman –version

podman info

If there are no errors from these commands, then you are all set to go.

Working with Podman

Let’s see how we use Podman… If you are familiar with Docker, you can probably skip this section…

To search for a image you use the “search” command. For example to find images for “hello-world” you would use the command:
podman search hello-world

From this you should get a fairly lengthy list of images.

To pull [ie. get] an image of hello-world and to show that Podman is compatible with Docker try the command:
podman pull

and then
podman run hello-world

Just like with Docker to list containers use the command:
podman container ls -a

To list “pulled” images use the command:
podman image ls or podman images

To remove a container:
podman container rm <the container name>

To remove an image:
podman image rm <image name>

Why use Podman

I have found that using Podman for simple containerization (for security or ease of deployment) is straight forward, easy to understand and very easy to get started. If you are doing complex process and container orchestration (especially with Kubernetes) then you probably should consider installing and use Docker.

As mentioned above, for shorter lived container execution or for running a single or couple longer lived containers, I think that you will be very pleased with Podman (your mileage may vary).