Podman, a secure alternative for Docker.

  • Podman (POD MANager) is a container engine, developed by Red Hat which is designed to be a replacement for Docker. It is now the default container engine used by Red Hat Enterprise Linux (RHEL).
  • Podman was also in the news a lot as an alternative to Docker when Docker announced a change in its subscription plan. If your business has 250 or more employees or more than $10 million in revenue, you must use a paid subscription for Docker Desktop.
  • Podman complies with Open Container Initiative (OCI) specification and therefore it can be used as a drop-in replacement for the better-known Docker runtime.
  • Docker is currently the preferred container engine for many organizations, but apart from the subscription model change, the main reason you should consider Podman is that it claims to be more secure and reliable than Docker because of its design.
  • Docker has a client-server design and needs a daemon process, whereas Podman removes the daemon dependency: there is no need for a background job to be running all the time.
  • To understand this, let us see how Docker works.
  • Docker requires a daemon (background process) to run all the time to serve the commands issued by the user. The daemon fetches images from and stores images to the registry, adds layers to containers, manages the containers in the local host repository and interacts with the kernel to run a container with the right namespaces, cgroups etc.
  • Therefore the Docker daemon process is an essential piece of this design, and this is also what is of concern: termination of the daemon can lead to termination of its child processes, and it is the single point of failure in this design.
  • Secondly, all Docker operations have to be conducted by a user (or users) with root authority.
  • Podman, on the other hand, has a daemonless architecture and allows you to run containers under the user that starts the container (fork/exec); this user does not need any root privileges.
  • Podman directly interacts with the image registry, with the container and image storage, and with the Linux kernel through the runC container runtime process (not a daemon).
  • Because Podman has a daemonless architecture, each user running Podman can only see and modify their own containers. There is no common daemon that the CLI tool communicates with.
  • Since Podman does not have a daemon, it needs a way to support running containers in the background. It therefore provides an integration with systemd, which allows containers to be controlled via systemd units.
  • With Podman, containers are executed under the user's privileges and not under the daemon's.
  • Rootless containers have a huge advantage over rootful containers since they do not run under the root account. If an attacker is able to compromise a container and escape from it, the attacker is still a normal user on the host.
  • Containers that are started by a user cannot have more privileges or capabilities than the user itself. This adds a natural layer of protection.
  • In the initial releases of Podman there was no support for orchestrating multiple containers, similar to what Docker Compose does, and this was a deal breaker, but Podman 3.0 now supports Docker Compose to orchestrate containers.
  • Podman provides some extra features that help developers and operators in Kubernetes environments. These commands are not available in Docker.
  • Podman doesn't build images itself but instead delegates the process to another related OCI-compliant tool called Buildah. Buildah specializes in building OCI images, which Podman can then run.
  • Podman runs natively on Linux but not on macOS or Windows. Just like with Docker, you can still use Podman on those unsupported platforms, but it will depend on a Linux VM running in the background.
  • Podman and Docker commands are almost the same. You can simply replace docker with podman in most Docker commands. For example, the docker run command becomes podman run, docker build becomes podman build, and so on.
  • You can even create a docker alias for podman like below:
    • $ alias docker=podman
  • Therefore, transitioning from Docker to Podman is easy.
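The rootless claim above (root inside the container is only an unprivileged user on the host) can be checked from the container's user-namespace mapping in /proc/self/uid_map, whose lines read "id-inside id-outside count". The script below is an added example, not code from the original post: it classifies constructed sample maps as rootless or rootful, and when run as `sh check.sh --live` on a host where podman is installed (an assumption) it classifies a real throwaway container.

```shell
#!/bin/sh
# Added example: decide whether a container's root is real host root by
# reading its user-namespace UID mapping. In a rootful container the line
# "0 0 <count>" maps container UID 0 straight onto host UID 0; in a rootless
# Podman container UID 0 maps onto the unprivileged user's UID instead.

# Returns 0 (true) when no entry maps container UID 0 onto host UID 0.
# $1 is the text of a uid_map file.
uid_map_is_rootless() {
    while read -r inside outside _; do
        [ -z "$inside" ] && continue
        if [ "$inside" -eq 0 ] && [ "$outside" -eq 0 ]; then
            return 1    # container root is host root: rootful
        fi
    done <<EOF
$1
EOF
    return 0
}

# Prints "rootless" or "rootful" for a uid_map text.
classify_uid_map() {
    if uid_map_is_rootless "$1"; then echo rootless; else echo rootful; fi
}

# Live check (assumes podman and a pullable alpine image): read the map
# from inside a throwaway container and classify it.
check_podman_container() {
    command -v podman >/dev/null 2>&1 || { echo "podman not installed"; return 2; }
    map=$(podman run --rm docker.io/library/alpine cat /proc/self/uid_map)
    classify_uid_map "$map"
}

# Constructed sample maps (not captured from a real host). The rootless one is
# the typical Podman layout: UID 0 -> the user's UID 1000, then a subuid range.
ROOTLESS_MAP='         0       1000          1
         1     100000      65536'
ROOTFUL_MAP='         0          0 4294967295'

printf 'rootless sample: %s\n' "$(classify_uid_map "$ROOTLESS_MAP")"
printf 'rootful sample:  %s\n' "$(classify_uid_map "$ROOTFUL_MAP")"
if [ "${1:-}" = "--live" ]; then check_podman_container; fi
```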

Podman is a very promising technology in the containerization landscape. It is still new, but Kubernetes' deprecation of Docker and Red Hat taking its chances in the world of containers, by acquiring CoreOS for the OpenShift platform, developing Podman and making it the default container engine in Red Hat Enterprise Linux 8 and CentOS 8, will probably accelerate its adoption in the coming days.

Thank you, please do share your feedback and comments.
