Podman vs Docker in 2024: What's Really Different?

Better Stack
Docker isn't the only way to run containers anymore. Podman offers a secure, daemonless alternative ...
Video Transcript:
Most developers choose Docker by default. It's synonymous with containers now, but there's a secret that you should know about: it's not the only way you can run containers. Podman can do it too. So the question is, what's the difference, and which one do you want to use?

Well, let me introduce Podman first. It was developed by Red Hat, and it's a set of container tools with support for the Open Container Initiative, which is actually something that Docker started in 2015. This just means that it's a near drop-in experience for Docker, and it works on pretty much any system as well. When you get it set up, you'll see all of the things that you're used to. It has a CLI where most commands are one-to-one with Docker in terms of syntax and functionality, and you can get a desktop app if you prefer, called Podman Desktop. As expected, you get the familiar containers, images, volumes, and even Compose support as well.

So what's the difference then? Well, let's talk about the name first: Podman, or more specifically the "pod" part of it. Most developers associate pods with Kubernetes and wouldn't even think about using them for local development. For a quick summary of what pods are: they're a way of grouping containers together inside their own name, network and security context. So imagine you have a WordPress site, for example. You're going to need a web server, so something like nginx, PHP to run that WordPress, and then MySQL for the database. Instead of managing these as separate containers, you group them in a pod, and this just ensures that they share the same network, they start and stop together, and they can be managed as one single unit.

In Podman they are native, and you don't need a full Kubernetes setup, but this pod support also makes it awesome for working with Kubernetes. Unlike Docker, which requires a separate Kubernetes runtime, Podman can interact directly with Kubernetes clusters. This just makes deployment and management super easy. For example, you can actually go ahead and export your pod definitions to a Kubernetes-compatible YAML file.

The next key, and arguably most fundamental, difference is in the architecture. Docker uses what we would call a client-server model, so it utilizes a daemon to manage all container-related operations. It then communicates through a socket for things like building, running and managing networks. It's the central point of control for all containers. This daemon runs with root privileges, which poses a potential security risk. Now, this can be changed and hardened, but the default is often used, and it's a bit complex to change it. The worst-case scenario for this, then, is that if it's compromised, the attacker has instant access to your entire system, as a malicious container could control the host.

In comparison, Podman is daemonless and rootless. It uses a fork-exec model, and that means that when you start a container with Podman, the Podman process forks itself and the child process becomes the container. This means there is no persistent background process managing the containers. Podman also interacts directly with container runtimes to go ahead and execute those containers. This eliminates the need for a daemon for things like lifecycle management. So for starting up your containers on a server, Podman integrates with things like systemd, which just offers a nice and familiar way to control them.

One great benefit of all of this, then, is that Podman emphasizes security, and it runs its containers in rootless mode by default. This limits their access to the host system and reduces the potential impact of security vulnerabilities. This also enables better auditing as well, as malicious activities can be traced back to a specific user using the Podman tools. For Podman, even if a user inside the container is the root user, once they get outside of that container they have as much access as a non-root user, limiting your potential security impact.

The last difference I want to discuss, then, is an important one, and it's something that's not really Podman's fault: it's the fact that Docker has a thriving ecosystem. It has things like third-party tools and a wealth of resources online. Docker is just a more mature product, but Podman is constantly growing. For example, the number of pre-built images readily available for Podman is currently less compared to something like Docker Hub, so you might find that you have to build your own images a bit more frequently. But, similar to Docker, official repositories do exist for specific distributions that offer up Podman-compatible images. You can see this tooling difference in Podman Desktop versus Docker Desktop. However, Podman does allow developers to actually add their own extensions, and supposedly some of the extensions that work with Docker can also be added to Podman Desktop and they'll work there too.

So let's summarize, then, what you may want to pick, but I do recommend you go out there and try them both; they're super easy to set up. As discussed, the choice between Docker and Podman hinges on your priorities for security, Kubernetes integration, performance and ecosystem support. Here's a rough guide, though.

Choose Podman when security is paramount: the daemonless and rootless architecture makes it inherently more secure than Docker out of the box. Choose Podman when you work extensively with Kubernetes: the pod implementation can streamline that transition from local development to Kubernetes deployment. Choose Podman when you need a lightweight container engine: that daemonless design can result in a smaller footprint and faster container startup times compared to Docker. And lastly, choose Podman if you prefer that tighter integration with systemd, so you can go ahead and use familiar systemd commands for starting, stopping and monitoring.

On the other side, then, choose Docker when you value a mature ecosystem. Docker has a lot of third-party tools, a broader range of features, and integration for various development and deployment workflows. There's also tons of documentation and content out there on using it, so it may be more beginner-friendly, but you may also find more blogs and examples of advanced use cases as well. Choose Docker when you need Docker Swarm for orchestration. Podman does not natively support Docker Swarm, so you need to use something like Compose, pods or Kubernetes to try to get something similar. So if Swarm matters to you, you won't be able to switch over to Podman. Lastly, it can't be understated that if your development team is well versed in Docker already and has established workflows based on Docker tools, switching to Podman might require additional training and time, especially if you bring in someone new, as the chances are they know Docker but not Podman. So you really need to weigh the costs and benefits.

But why not consider both of them? You can actually use both Docker and Podman on the same system. Podman Desktop can even manage containers running in Docker Desktop. This hybrid approach allows you to experiment with Podman while you retain that familiarity and ecosystem benefit of Docker. The ideal tool is ultimately going to depend on your priorities and the specific context of your project.

Hey, if you do pick Docker and you use a Mac, go ahead and check out this video we did on OrbStack. It's an awesome tool for managing your Docker containers. While you're there, go ahead and subscribe, leave any comments if you have any questions, and I'll see you in the next one.
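The pod, Kubernetes export, systemd and rootless points made in the transcript, as one added example that is not from the Better Stack video or from the Podman project: a POSIX shell script that builds the WordPress-style stack as a single pod, exports it to Kubernetes YAML, generates systemd units for it, and shows what "root inside a rootless container" actually maps to on the host. Everything specific is an assumption for this example and not from the transcript: the pod name wp, the container names, the image references, the placeholder database password, the file name wp.yaml, and the sample uid_map lines, which are constructed to look like a typical rootless setup (host user 1000 with a 65536-entry subordinate range from /etc/subuid). The podman commands run only when podman is installed and the script is invoked with the argument run; the uid mapping part runs anywhere.

```shell
#!/bin/sh
# Added example, not code from the video or from the Podman project.
# Part 1: map_uid shows why root in a rootless container is just the
# invoking user on the host. Part 2: the Podman workflow from the
# transcript (pod, kube export, systemd units), guarded so the script
# can be run offline without podman.

# map_uid CONTAINER_UID UID_MAP
# Translate a UID seen inside a user namespace to the host UID, using the
# /proc/<pid>/uid_map format: "<inside-start> <outside-start> <count>" per
# line. Prints the host UID, or "unmapped" when no range covers it (such
# an id cannot be used inside the namespace; it shows as the overflow id
# 65534, "nobody").
map_uid() {
    _inside=$1
    while read -r _first _outside _count; do
        [ -z "$_first" ] && continue
        if [ "$_inside" -ge "$_first" ] && [ "$_inside" -lt $((_first + _count)) ]; then
            echo $((_outside + _inside - _first))
            return 0
        fi
    done <<EOF
$2
EOF
    echo unmapped
}

# Constructed sample (not captured from a real machine): what
# `podman unshare cat /proc/self/uid_map` typically prints for host user
# 1000 whose /etc/subuid entry grants the range 100000-165535.
SAMPLE_UID_MAP='         0       1000          1
         1     100000      65536'

# root (0) in the container is the unprivileged invoking user on the host;
# www-data (33) lands in the subordinate range; 65537 is outside every range.
for _uid in 0 33 1000 65537; do
    printf 'container uid %-6s -> host uid %s\n' "$_uid" "$(map_uid "$_uid" "$SAMPLE_UID_MAP")"
done

# Build the stack from the transcript as one pod. Containers in a pod share
# the pod's network namespace, so WordPress reaches MySQL on 127.0.0.1 and
# only the pod publishes a port. The official wordpress image bundles the
# web server and PHP. Names, images and the password are placeholders.
create_wp_pod() {
    podman pod create --name wp -p 8080:80
    podman run -d --pod wp --name wp-db \
        -e MYSQL_ROOT_PASSWORD=change-me \
        -e MYSQL_DATABASE=wordpress \
        docker.io/library/mysql:8
    podman run -d --pod wp --name wp-app \
        -e WORDPRESS_DB_HOST=127.0.0.1 \
        -e WORDPRESS_DB_USER=root \
        -e WORDPRESS_DB_PASSWORD=change-me \
        -e WORDPRESS_DB_NAME=wordpress \
        docker.io/library/wordpress:latest
}

# Export the running pod to Kubernetes YAML (the export the video mentions).
# The same file recreates the pod locally with `podman kube play wp.yaml`
# or on a cluster with `kubectl apply -f wp.yaml`.
export_wp_pod() {
    podman kube generate wp > wp.yaml
}

# Generate user-level systemd units (pod-wp.service plus one
# container-*.service per container), so systemd, not a daemon, supervises
# the pod. Newer Podman releases prefer Quadlet files, but this command
# still works. Install with the commented commands afterwards.
systemd_units() {
    podman generate systemd --new --files --name wp
    # mkdir -p ~/.config/systemd/user
    # mv pod-wp.service container-wp-*.service ~/.config/systemd/user/
    # systemctl --user daemon-reload && systemctl --user enable --now pod-wp.service
}

if [ "${1:-}" = run ] && command -v podman >/dev/null 2>&1; then
    podman unshare cat /proc/self/uid_map   # the real mapping on this host
    create_wp_pod
    export_wp_pod
    systemd_units
fi
```

Run it with no arguments to see the mapping table only; run it as `sh script.sh run` on a host with Podman to build the pod, write wp.yaml and generate the units. The mapping is the whole security argument in one place: a process that is uid 0 inside the container and escapes it is, to the kernel, host uid 1000, with no more rights than the user who typed `podman run`.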
Copyright © 2024. Made with ♥ in London by YTScribe.com