So Podman is an open source container engine like Dockerāwith "full"1 Docker compatibility. IMO Podmanās main benefit over Docker is security. But how is it more secure? Keep readingā¦
Docker traditionally runs a daemon as the root user, and you need to mount that daemonās socket into various containers for them to work as intended (See: Traefik, Portainer, etc.) But if someone compromises such a container and therefore gains access to the Docker socket, itās game over for your host. That Docker socket is the keys to the root kingdom, so to speak.
Podman doesnāt have a daemon by default, although you can run a very minimal one for Docker compatibility. And perhaps more importantly, Podman can run entirely as a non-root user.2 Non-root means if someone compromises a container and somehow manages to break out of it, they donāt get the keys to the kingdom. They only get access to your non-privileged Unix user. So like the keys to a little room that only contains the thing they already compromised.2.5 Pretty neat.
Okay, now for the annoying parts of Podman. In order to achieve this rootless, daemonless nirvana, you have to give up the convenience of Unix users in your containers being the same as the users on the host. (Or at least the same UIDs.) Thatās because Podman typically3 runs as a non-root user, and most containers expect to either run as root or some other specific user.
The "solution"4 is user re-mapping. Meaning that you can configure your non-root user that Podman is running as to map into the container as the root user! Or as UID 1234. Or really any mapping you can imagine. If that makes your head spin, wait until you actually try to configure it. Itās actually not so bad on containers that expect to run as root. You just map your non-root user to the container UID 0 (root)ā¦ and Bobās your uncle. But it can get more complicated and annoying when you have to do more involved UID and GID mappingsāand then play the resultant permissions whack-a-mole on the host because your volumes are no longer accessed from a container running as host-rootā¦
Still, itās a pretty cool feeling the first time you run a ārootā container in your completely unprivileged Unix user and everything just works. (After spending hours of swearing and Duck-Ducking to get it to that point.) At least, it was pretty cool for me. If itās not when you do it, then Podman may not be for you.
The other big annoying thing about Podman is that because thereās no Big Bad Daemon managing everything, there are certain things you give up. Like containers actually starting on boot. Youād think thatād be a fundamental feature of a container engine in 2023, but youād be wrong. Podman doesnāt do that. Podman adheres to the āUnix philosophy.ā Meaning, briefly, if Podman doesnāt feel like doing something, then it doesnāt. And therefore expects you to use systemd for starting your containers on boot. Which is all good and well in theory, until you realize that means Podman wants you to manage your containers entirely with systemd. Soā¦ running each container with a systemd service, using those services to stop/start/manage your containers, etc.
Which, if you ask me, is totally bananasland. I donāt know about you, but I donāt want to individually manage my containers with systemd. I want to use my good old trusty Docker Compose. The good news is you can use good old trusty Docker Compose with Podman! Just run a compatibility daemon (tiny and minimal and rootlessā¦ donāt you worry) to present a Docker-like socket to Compose and boom everything works. Except your containers still donāt actually start on boot. You still need systemd for that. But if you make systemd run Docker Compose, problem solved!
This isnāt the āPodman Wayā though, and any real Podman user will be happy to tell you that. The Podman Way is either the aforementioned systemd-running-the-show approach or something called Quadlet or even a Kubernetes compatibility feature. Briefly, about those: Quadlet is ājustā a tighter integration between systemd and Podman so that you can declaratively define Podman containers and volumes directly in a sort of systemd service file. (Well, multiple.) Itās like Podman and Docker Compose and systemd and Windows 3.1 INI files all had a bastard love childāand itās about as pretty as it sounds. IMO, youād do well to stick with Docker Compose.
The Kubernetes compatibility feature lets you write Kubernetes-style configuration files and run them with Podman to start/manage your containers. It doesnāt actually use a Kubernetes cluster; it lets you pretend youāre running a big boy cluster because your command has the word ākubeā in it, but in actuality youāre just running your lowly Podman containers instead. It also has the feel of being a dev toy intended for local development rather than actual production use.5 For instance, thereās no way to apply a change in-place without totally stopping and starting a container with two separate commands. What is this, 2003?
Lastly, thereās Podman Compose. Itās a third-party project (not produced by the Podman devs) thatās intended to support Docker Compose configuration files while working more ānativelyā with Podman. My brief experience using it (with all due respect to the devs) is that itās total amateur hour and/or just not ready for prime time. Again, stick with Docker Compose, which works great with Podman.
Anyway, thatās all Iāve got! Use Podman if you want. Donāt use it if you donāt want. Iām not the boss of you. But you said you wanted content on Lemmy, and now youāve got content on Lemmy. This is all your fault!
1 Where āfullā is defined as: Not actually full.
2 Newer versions of Docker also have some rootless capabilities. But theyāve still got that stinky olā daemon.
2.5 Itās maybe not quite this simple in practice, because youāll probably want to run multiple containers under the same Unix account unless youāre really OCD about security and/or have a hatred of the convenience of container networking.
3 You can run Podman as root and have many of the same properties as root Docker, but then whatās the point? One less daemon, I guess?
4 Where āsolutionā is defined as: Something that solves the problem while creating five new ones.
5 Spoiler: Red Hatās whole positioning with Podman is like they see it is as a way for buttoned-up corporate devs to run containers locally for development while their āproductionā is running K8s or whatever. Personally, I donāt care how they position it as long as Podman works well to run my self-hosting shitā¦
had a knowledge sharing meeting at work recently on container security. the guy was using podman like a docker cli, but it said āthis is only an emulation of dockerā - is there any downsides to running podman like this? im very familiar with docker on the command line
I think calling it an emulation downplays podman. Docker and podman are both container runtimes. Docker came first and is known synonymously with containers, whereas podman is newer and attempts to fix dockerās problems.
One outcome of this is podman chose to match dockerās cli very closely so nobody needs to learn a new cli. You can even put podman on the docker socket so ādocker [command]ā runs with podman.
So as far as Iām understanding your description, heās actually using Podman under the hood, just via its Docker compatibility CLI. The main downside of that IMO is you lose out on Podman-specific flags and features. Which, honestly are probably not a huge deal to you if you just want a thing that walks and talks like Docker while hopefully being more secure.
The big caveat though is root vs. non-root. If heās running his commands as root/sudo, itāll work a whole lot like Docker just without a daemon (and without containers starting on boot). But if heās running as a non-root user, wellā¦ See my original post for some downsides.