Whenever you hear the term container in technology, Docker is always the first thing that comes to mind. However, after a decade of reign, new alternatives are emerging. One of those is Podman.
I know you’re all excited to hear about Podman, but to understand why such an alternative exists, we first need to know what Docker is and what it does.
Docker is a pioneer in Linux container technology. It was first released in 2013, and its containerised application model has changed the landscape of software development and delivery ever since.
Why was Docker created?
Docker, an open-source containerisation technology, lets developers package an application together with its dependencies into a standardised, lightweight container image, which solves the “works on my machine” dependency problem and streamlines application development. A container built from that image runs the same way on any host with a Docker engine. The caveat is that Linux containers share the host’s Linux kernel, so on macOS and Windows Docker runs them inside a lightweight Linux virtual machine rather than directly on the host. Docker also provides isolation (kernel namespaces, cgroups, seccomp and capability restrictions) and scaling features that simplify the management of distributed applications.
What is Docker?
Docker is both the name of a technology and the name of the company behind it, which was founded in 2010. As a technology, it is composed of these core components:
- Docker Engine, or the dockerd daemon: a background process that runs on the host machine (as root, by default) and manages the lifecycle of Docker containers. Besides exposing the API and the command-line interface (CLI) that talks to it, it sets up container networking, manages image and volume storage on the host, and configures the isolation that separates containers from each other and from the host system.
- Docker container runtime: the software that actually creates and runs the containers. In current Docker Engine this is containerd, which in turn drives the OCI runtime runc.
- Docker Desktop: an application that bundles the two components above with the Docker CLI and other tools, and provides a user-friendly GUI for building, testing and deploying containerised applications on a local machine.
Is Docker the only tooling in this containerisation field?
Docker is still the leading player in containerisation land, but the competition is slowly catching up. For some people, containers and images are synonymous with Docker, but these technologies are not exclusive to Docker. Projects that implement the Open Container Initiative (OCI) image and runtime specifications produce alternative tools that challenge Docker as the de facto standard in the application containerisation space.
In this blog I am going to focus on Podman as an alternative to Docker and Docker Desktop, and discuss their differences and similarities.
Podman (the pod manager) is an open-source, OCI-compatible containerisation tool that claims to be more secure, more flexible and lighter. RedHat released Podman in 2018 as a Docker alternative, and it quickly gained popularity among developers and DevOps engineers for its lightweight nature and its security model. It comes with the Podman CLI and Podman Desktop, which together have everything you need to develop and run containers on any platform.
Running a container
Running a container from the image localhost/my-node-app looks the same with both tools: the Podman CLI accepts the same `run` syntax and flags as Docker’s, so `docker run` becomes `podman run` and the rest of the command line is unchanged.
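As an added example (not code from the original post or from the Docker/Podman projects), the script below builds one hardened `run` invocation and uses it with whichever CLI is installed. The image name localhost/my-node-app is from the post; the container name, the published port (3000) and the in-container UID 1000 are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post or the Docker/Podman projects.
# The same least-privilege `run` flags work for docker and podman because
# Podman's CLI is argument-compatible with Docker's.

# Prefer podman (rootless, daemonless) when both CLIs are present.
detect_cli() {
    if command -v podman >/dev/null 2>&1; then
        echo podman
    elif command -v docker >/dev/null 2>&1; then
        echo docker
    else
        return 1
    fi
}

# run_cmd CLI IMAGE [PORT] -> prints the full command line on one line.
# Least-privilege flags, identical for both CLIs:
#   --read-only                       immutable root filesystem
#   --tmpfs /tmp                      the only writable scratch space
#   --cap-drop=ALL                    no capabilities, even inside a user namespace
#   --security-opt no-new-privileges  setuid/setcap binaries cannot gain privileges
#   --user 1000:1000                  the app does not run as root inside the container
run_cmd() {
    cli=$1
    image=$2
    port=${3:-3000}
    printf '%s run -d --name my-node-app -p %s:%s --read-only --tmpfs /tmp --cap-drop=ALL --security-opt no-new-privileges --user 1000:1000 %s\n' \
        "$cli" "$port" "$port" "$image"
}

# Only launch the container when asked to, so the file is safe to source.
if [ "${1:-}" = "--run" ]; then
    cli=$(detect_cli) || { echo "neither podman nor docker found" >&2; exit 1; }
    cmd=$(run_cmd "$cli" localhost/my-node-app)
    echo "+ $cmd"
    # deliberate word splitting: none of the generated arguments contain spaces
    exec $cmd
fi
```

Run it as `sh run.sh --run`. Port 3000 is above 1024, which matters for rootless Podman: an unprivileged user cannot publish ports below `net.ipv4.ip_unprivileged_port_start` (1024 by default) without a sysctl change.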
Podman has a daemonless architecture: it is designed to run without a central daemon process. This is unlike Docker, where the CLI talks to the long-running dockerd daemon (root by default), and every container is started by, and tracked under, that daemon and its containerd child.
Under the hood, Podman uses a fork/exec model: the podman command itself spawns a small per-container monitor, conmon, which invokes an OCI runtime (runc or crun) to create the container and then stays behind to hold the container’s terminal, capture its logs and report its exit status. The container’s isolation still comes from the same kernel mechanisms Docker relies on (namespaces, cgroups, seccomp and capabilities), so a compromised container is not automatically harmless. What the design removes is the single root-owned daemon and its API socket, which in Docker is a root-equivalent attack surface for anything that can reach it.
Because the Podman client drives the runtime directly through conmon rather than through a client-server daemon, nothing has to run continuously in the background between commands or consume system resources while idle. Each running container keeps only its own conmon process alive, and containers can be started and stopped whenever necessary. (Podman can optionally serve a REST API with `podman system service`, but that is opt-in, not a prerequisite for running containers.)
Rootless. Podman was one of the first container tools to adopt a rootless mode, and it became a fundamental feature: a non-root user can build and run containers without any elevated privilege. When an ordinary user invokes podman, the container runs inside a user namespace in which container UID 0 maps to the invoking user and the remaining container UIDs map to that user’s subordinate range from /etc/subuid and /etc/subgid. In terms of security, this follows the least privilege principle: the container is granted specific permissions rather than full access.
If a rootful Docker container is escaped (and no user namespace remapping has been configured), the attacker is root on the host, because root inside the container is the host’s UID 0. If a rootless Podman container is escaped, the attacker can still do damage, but it is limited to what the invoking non-root user can do; capabilities held inside the container’s user namespace do not translate into privileges on the host.
Earlier versions of Docker could only run the daemon and its containers with root privileges, which creates security risks and operational issues. Docker began experimenting with a rootless mode in Docker Engine 19.03; it was declared stable in December 2020 and has been a standard part of the Docker toolset since version 20.10.
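To make the rootful/rootless difference concrete, here is an added shell example (not code from the post or from the Podman project) that reproduces the UID arithmetic rootless Podman performs. It uses a constructed /etc/subuid and assumes a user alice with host UID 1000; on a real host, `podman unshare cat /proc/self/uid_map` prints the same table that `uid_map_lines` produces here.

```shell
#!/bin/sh
# Added example, not from the original post or the Podman project.
# Rootful Docker without userns-remap uses an identity map: container UID 0
# is host UID 0. Rootless Podman maps container UID 0 to the invoking user
# and container UIDs 1..N onto that user's subordinate range from /etc/subuid.
# The subuid content and the user alice (host UID 1000) are constructed.

SAMPLE_SUBUID='alice:100000:65536
bob:165536:65536'

# subuid_range USER -> "START COUNT" from the sample /etc/subuid, or nothing.
subuid_range() {
    printf '%s\n' "$SAMPLE_SUBUID" | awk -F: -v u="$1" '$1 == u { print $2, $3; exit }'
}

# host_uid MODE USER_UID CONTAINER_UID [USER]
#   MODE is rootful or rootless; USER_UID is the host UID of the user running
#   docker/podman. Prints the host UID a container process really has.
host_uid() {
    mode=$1; user_uid=$2; cuid=$3; user=${4:-}
    case "$mode" in
    rootful)
        echo "$cuid" ;;                       # identity map: root is root
    rootless)
        if [ "$cuid" -eq 0 ]; then
            echo "$user_uid"                  # container root == the plain user
            return
        fi
        set -- $(subuid_range "$user")
        start=${1:-}; count=${2:-0}
        if [ -n "$start" ] && [ "$cuid" -ge 1 ] && [ "$cuid" -le "$count" ]; then
            echo $((start + cuid - 1))        # N-th subordinate UID
        else
            echo unmapped                     # outside the map: kernel shows the overflow uid
        fi ;;
    *)
        echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

# uid_map_lines USER USER_UID -> the namespace map in /proc/<pid>/uid_map
# format (container-uid-start host-uid-start length), as rootless Podman sets it.
uid_map_lines() {
    printf '0 %s 1\n' "$2"
    set -- $(subuid_range "$1")
    if [ -n "${1:-}" ]; then
        printf '1 %s %s\n' "$1" "$2"
    fi
}

# Demo: what "root" inside the container means on the host, per UID.
for cuid in 0 1 65536 65537; do
    printf 'container uid %-6s rootful -> host uid %-6s rootless(alice) -> host uid %s\n' \
        "$cuid" "$(host_uid rootful 1000 "$cuid")" "$(host_uid rootless 1000 "$cuid" alice)"
done
```

The practical consequence: a file created as root inside a rootless container shows up on the host owned by alice (UID 1000), and a container process running as UID 1 is host UID 100000, which owns nothing outside the container’s own storage. A user with no /etc/subuid entry gets only the single `0 <uid> 1` mapping, so images that need additional UIDs will fail to run for them until the range is added.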
Podman is specialised in running containers, but image building is provided by the code of another open-source tool, Buildah, which Podman embeds as a library, so `podman build` works from the Podman CLI without installing Buildah separately. Buildah is also OCI-compatible and understands Dockerfile syntax, so an existing Dockerfile can usually be built into a container image right away without changing any code.
The Docker ecosystem already comes with the ability to build container images in Docker CLI and you don’t have to worry about installing another dependency for this purpose.
Within the Docker ecosystem, Docker Compose defines and runs multi-container applications on a single host, and Docker Swarm orchestrates them across a cluster. Docker’s tooling is obviously more mature and has been the go-to solution for a lot of people. On the Podman side, the community developed Podman Compose, a lightweight tool that translates a Compose file into Podman commands and offers the essential Compose capabilities. Furthermore, Podman can generate Kubernetes YAML from a running pod or container (`podman generate kube`) and run Kubernetes YAML locally (`podman play kube`), if Kubernetes is your orchestration tool of choice.
The podman-compose team provides an example of a simple two-tier application defined in a docker-compose.yaml. It creates two containers (services): a Redis database and a web application with a Python back end. It’s a simple application that counts every page visit, recording and retrieving the count in Redis.
Docker developed Docker Desktop, a user-friendly GUI (Graphical User Interface) that helps developers manage containers, applications and images directly on their local machines; it can be used side by side with the Docker CLI. In August 2021, Docker introduced a paid licensing model for it. In a nutshell, personal use, education, non-commercial open-source projects and small businesses (fewer than 250 employees and less than US$10 million in annual revenue) can keep using Docker Desktop without a subscription, whereas larger companies need a paid subscription, which also brings added features and support. You can learn more about the pricing model on their FAQ page.
In October 2022, at KubeCon North America 2022, the Podman community announced Podman Desktop, an open-source graphical tool for working with containers and Kubernetes from your local environment. It is available on Windows, macOS and Linux. This tool directly competes with Docker Desktop and even has documentation for migrating from Docker.
Podman Desktop also has a Docker compatibility mode that allows Podman to be used as a drop-in replacement for Docker. Podman can expose a Docker-compatible REST API on a Unix socket, and the Docker socket helper shipped with Podman configures the local Docker socket path to point at it, so the docker CLI and Docker SDKs keep working unchanged while Podman does the work.
Monolithic vs Modular
Docker offers an all-in-one OCI-compatible ecosystem that includes everything you need for software development and delivery. This saves you a lot of time trying and deciding between different tools in the container development workflow.
In contrast, Podman is just one small unit in the open-source container ecosystem; it relies on third-party specialised tools to form a complete ecosystem. As we have learned so far, the community has built its own Compose tool and desktop application, you can switch orchestration to Kubernetes or Nomad, and you can use Buildah directly to build images. Modular tooling gives you the freedom to explore different technologies and choose the best fit for you.
Podman in the Cloud
Podman runs on the major operating systems, and you can certainly run it on Amazon Linux on EC2, Ubuntu, RedHat and more. This AWS blog explains how to configure and mount an Amazon EFS file system into a Podman container so the container can access shared file storage, with step-by-step instructions and examples.
For anyone who’s using containers and RedHat in AWS, Podman is well integrated with the RedHat ecosystem. As a matter of fact they have a dedicated documentation on how to build, run and manage containers using the Podman toolset.
If your workload is small and simple enough, running containers directly with Podman on an EC2 instance can be the right solution. However, you cannot use Podman as the runtime for Amazon ECS, the managed AWS container service: at the time of writing, the ECS agent on EC2 still relies on Docker Engine to manage containers. Podman is not a kubelet runtime either, so it does not run on Amazon EKS nodes; where it fits in an EKS workflow is on the developer side, building and pushing OCI images (for example to Amazon ECR) and generating Kubernetes YAML with `podman generate kube` that you then apply to the cluster, which works but is not a one-step task.
RedHat OpenShift Service on AWS
Podman also works well with RedHat OpenShift, which can be run self-managed on premises or as a managed service in AWS. RedHat OpenShift Service on AWS (ROSA) is a managed OpenShift service that runs natively on Amazon Web Services (AWS), enabling businesses to build, deploy and scale applications more quickly while refocusing on innovation.
As the name suggests, Podman might remind you of Kubernetes pods, and indeed Podman runs and manages pods of containers much as Kubernetes does. A Podman pod is a group of one or more containers deployed together on the same host that share the same network namespace (and, by default, the same IPC and UTS namespaces), held together by a small infra container that owns those namespaces.
If you have Kubernetes workloads in the cloud, note that Kubernetes removed the Docker-specific dockershim in v1.24 in favour of runtimes that implement the Container Runtime Interface, such as containerd and CRI-O. Images built with Docker or Podman are OCI-compliant and keep running unchanged, and Podman is compliant with the OCI specifications. According to the Kubernetes press release:
Other notable players in the OCI space
Minikube – a local Kubernetes solution, focused on making it easy to learn and develop for Kubernetes. It runs on Windows, macOS and Linux.
LXD – a next-generation system container and virtual machine manager for Linux distributions. It offers a unified user experience around full Linux systems running inside containers or virtual machines.
Rancher Desktop – an open-source desktop application for macOS, Windows and Linux. Rancher Desktop runs Kubernetes and container management on your desktop.
For individuals who are keen to explore, teams that are starting out on a new project, or businesses that are required to leave the Docker ecosystem, Podman can be a good fit and a great alternative to operate OCI-compatible containers and images. However, moving away from Docker can be a complex and challenging process.
Migrating to a new solution is not all bells and whistles. Whether it offers better security or is more cost effective, it is still best to take a step back, talk to the stakeholders, technical and business people alike, and discuss some of the following considerations:
Learning curve – A new tool brings new unknowns with it. You must understand your team’s skills and how quickly they can comfortably adjust to the new tool, as well as the risks and the impact on your team’s development and delivery.
Compatibility – Some alternative tools are drop-in replacements for Docker, while others need configuration to work properly. You must extensively verify that the Docker alternative fits your present development workflow and production workloads. During the changeover, a hybrid configuration is also a possibility.
Support – When you use free and open-source software (FOSS), you enjoy it for free, but you must ensure that the tool’s community is mature and that you are receiving adequate assistance.
Security – Although Podman claims to be the more secure container technology, Docker may not be far behind now that it also has a rootless mode. If a compliance requirement demands a security property that Docker cannot give you, an alternative may be appropriate.
Integration – You have probably built your development and CI/CD pipelines around Docker; if you switch to another solution, you will need to spend a significant amount of time adapting them to the new tool, as well as additional time testing the new solution from development through delivery.
Cost savings – Large businesses can use Podman to save licensing fees instead of purchasing a Docker subscription. It goes without saying that there are more considerations when switching tooling, so the decision to move away from Docker must be thoroughly weighed.