My thoughts on Podman
Podman is one of the newest kids on the block when it comes to container runtimes. Developed by RedHat, it aims to provide a container runtime that does not need a “big fat daemon” in order to run, thus improving the security and performance of the system. I have turned Podman into my daily driver for development and I have some thoughts to share about it.
Podman vs Docker
There are many contributing factors to Podman’s creation and one can say that there was certainly a need for such a runtime. This section will examine some of them so that you can get an idea of what all the fuss is about.
Finances
One day, the big brains in RedHat (presumably) thought “Hey, Docker Inc. is not doing so well right now. We should not leave one of our biggest products (OpenShift) relying on their products”.
This was not far from the truth, as Docker Inc. is really bad with finances. This was one of the reasons why Podman was born.
Security and design
Docker is cool and all but it has a terrible security model: one giant service (the server) is needed to run all containers (the clients). Some of those containers are potentially full of security holes, others run as root, and all of them go through the same socket, which practically amounts to root rights on the system underneath (Docker became rootless some time ago, but that mode is still experimental). This makes the attack surface of the system incredibly large.
Podman, on the other hand, is designed to run in the fork/exec model: each container is a child process of the Podman process. This makes all operations auditable and generally more secure. When run as a normal user, Podman creates a user namespace unique to that user, so that there are no shared resources between different containers unless otherwise specified. Podman is also designed to manage pods, which makes the move to Kubernetes easier.
The two pictures below show the differences between the architecture of both runtimes:
Podman clearly is the winner of this section.
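To make the user-namespace point above concrete, here is an added example (not from the post or from the Podman project): a POSIX shell check that reads a `/proc/<pid>/uid_map`-style mapping and tells you whether "root" inside the container is real root on the host. The two sample maps are constructed; the subordinate range 100000-165535 is an assumed `/etc/subuid` allocation and will differ on your machine.

```shell
#!/bin/sh
# Constructed sample uid_map contents (format: inside_uid outside_uid count).
# What a process sees inside a rootless Podman container: uid 0 inside maps to
# the invoking user (here 1000) and 1..65536 map to an assumed subuid range.
ROOTLESS_MAP='0 1000 1
1 100000 65536'
# What a process sees as root in the initial (host) namespace, which is also
# what a container started by the root-owned Docker daemon gets by default.
HOST_ROOT_MAP='0 0 4294967295'

# outside_uid_of MAP INSIDE_UID
# Resolve which host uid an in-container uid maps to by walking the
# "inside outside count" ranges. Prints the host uid, or "unmapped".
outside_uid_of() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NF == 3 && want >= $1 && want < $1 + $3 {
            print $2 + (want - $1); found = 1; exit
        }
        END { if (!found) print "unmapped" }'
}

# root_is_unprivileged MAP
# Succeeds (exit 0) when in-container root maps to a non-zero host uid,
# i.e. the rootless user-namespace situation described in the post.
root_is_unprivileged() {
    outside=$(outside_uid_of "$1" 0)
    [ "$outside" != "unmapped" ] && [ "$outside" -ne 0 ]
}

# Run the check on the current process when /proc is available (Linux only);
# inside a rootless Podman container this reports an unprivileged mapping.
if [ -r /proc/self/uid_map ]; then
    current_map=$(cat /proc/self/uid_map)
    if root_is_unprivileged "$current_map"; then
        echo "uid 0 here maps to host uid $(outside_uid_of "$current_map" 0): unprivileged"
    else
        echo "uid 0 here is real host root"
    fi
fi
```

Running it with `podman run --rm -v "$PWD:/x:ro" alpine sh /x/check.sh` from a normal user account shows the unprivileged mapping; the same line under a root-owned daemon reports real host root.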
Ease of use
Both runtimes are equally easy to use in my opinion. Podman accepts the exact same arguments and parameters as Docker. So much so that I have created an alias for the docker command that points to Podman, in case I copy and paste some command from an online source.
Normally I only use Linux as a development machine, but I also have a Surface Pro which I carry around, and it would be amazing to use containers on it. There are two problems though:
- Docker Desktop requires a VM to run and my Surface Pro runs Windows Home, so no Hyper-V
- because of said VM, Docker Desktop requires a lot of resources, which my Intel Core M, 4GB RAM Surface Pro cannot provide
These problems can be fixed with WSL2. For those in the dark, Microsoft will add a fully functional Linux kernel to Windows with the 2004 update. This will make it possible to run Podman on Windows (Podman is currently Linux only) and, because of its architecture, no additional application like Docker Desktop and no VM will be needed. RedHat have already tried this and it sort of works, but I am really excited to try it myself.
If you are a developer and use Docker, there is a high probability that you also use Docker Compose. While there is an alternative tool for Podman, Docker Compose is much more stable.
In my opinion, both tools are equally user-friendly, so this one is a tie.
Community and Kubernetes support
This is where the big difference lies. Because it is relatively new, Podman still has a small community behind it. Well, not so small, but it is small in comparison with Docker’s.
Kubernetes and Docker go hand in hand; there is no doubt about it. Podman is CRI-O-compatible, so it should technically be supported not only by RedHat’s OpenShift platform but also by vanilla k8s. A major player that supports only Docker and containerd is Rancher.
Docker wins both points in this section.
Which one do I use?
I wrote a long article about both runtimes and you may be wondering which one I use. The answer is: both.
I use Podman on my developer machines. It is easier for me that way, even though I sometimes encounter some problems (I don’t mind that, though; in my opinion it is the best way to learn something). I have so far enjoyed the ride and have not once considered turning back to Docker.
I use Docker for my Kubernetes cluster because it is k3s, which is containerd-only.
Conclusion
I really like Podman because of the security, segregation and performance improvements it brings. It still has to grow, though, and I will gladly use it on all my systems when that becomes possible.
All images are courtesy of RedHat.