Containerization has been taking the app development world by storm. In today’s technological landscape, it’s common to hear Docker associated with containers, but there are other options.
Today we’ll explore Podman, a prominent challenger to Docker in the containerization space. So what is Podman, and how does it differ from Docker? Let’s compare Podman vs Docker and find out.
What is Containerization?
Containerization is a technology used to package and run isolated applications with an approach that uses far fewer resources than traditional virtual machines (VMs). Because containers consume fewer resources from the host than VMs, you can run more containers on the same host hardware.
Containers resemble VMs in that they isolate applications from each other, and in both cases that isolation lets you pack multiple workloads onto a single piece of physical hardware. The isolation is not equivalent, though: a VM has its own kernel behind a hypervisor, while containers share the host kernel, so a kernel bug reachable from inside a container is a potential escape to the host.
How do containers differ from virtual machines? Traditional VMs work by emulating computer hardware and rely on a hypervisor to run the VMs on the host system. Hypervisors are software capable of running, creating, and modifying virtual machines. VMs themselves contain entire virtualized operating systems. It’s somewhat like having an entire computer contained in a single file.
Conversely, containers do not emulate hardware at all. An OCI runtime such as runc starts an ordinary process on the host and confines it with kernel features (namespaces, cgroups, capabilities, seccomp); the container shares the host machine's kernel. Relying on the host's kernel ultimately means that containers can be much smaller than their VM counterparts.
Containers are bundled with only the libraries and binaries they need to run your application instead of entire operating systems. They rely on the host kernel for everything else. Sharing the host’s kernel has several advantages. It allows them to boot faster and also consume fewer resources from the host machine compared to VMs. After all, containers aren’t an entire operating system.
Another key difference is that containers are intended to run a single service, whereas VMs most often run several. As a rule of thumb, if your containerized application needs two services (commonly a web server and a database server), you run them as two containers networked together. This stands in stark contrast to VMs, where a single VM often runs many services, or even a complete LAMP stack.
What is Docker?
Docker is an open platform for developing, shipping, and running applications. Let's unpack that statement. By open, Docker means that the software is open source: Docker Engine is developed in the open as the Moby project under the Apache 2.0 license, so anybody can check out the source code and review it (Docker Desktop is a separate, commercially licensed product). Docker allows users to build container images, push those images to Docker Hub, and pull images from Docker Hub. Docker Hub acts as a container image registry that hosts images users build; since any account can publish there, an image's publisher and contents deserve the same scrutiny as any other third-party dependency.
What is Podman?
Podman is a daemonless container engine for developing, managing, and running OCI containers on your Linux system. Like Docker, Podman is an open source project (Apache 2.0), and anybody can check out its source code. Unlike Docker, Podman does not require a daemon process to launch and manage containers: each podman command starts the container as a child process under a small supervisor (conmon), so there is no long-lived privileged service. This is an important difference between the two projects.
Podman seeks to improve on some of Docker's drawbacks. For one, Podman does not need a daemon running as root. By default, Podman containers run with the permissions of the user who launched them: a user namespace maps uid 0 inside the container to your own uid on the host, and the remaining container uids to a subordinate range allocated to you in /etc/subuid and /etc/subgid. A process that escapes such a container lands on the host as an unprivileged user, not as root. That addresses a significant security concern, although you can still run containers as root (sudo podman ...) if you really need to.
Podman seeks to be a drop-in replacement for Docker as far as the CLI is concerned. The developers boast that most users can simply set alias docker=podman and continue running the same familiar commands. The image format is compatible as well: both tools consume OCI and Docker-format images, so existing images built from Dockerfiles will run under Podman.
Another difference is how image building is handled. Podman does not carry its own image builder: podman build delegates to Buildah's code as a library, and the standalone Buildah tool exposes finer-grained control (for example building an image step by step from a shell script, without a Dockerfile). Image transport and inspection are likewise shared with Skopeo through the common containers/image library. This shows that Podman is not built to be monolithic.
It handles running containers (among other things) but leaves the build and transport machinery to reusable components. The goal is a set of container standards (the OCI image and runtime specifications) that any tool can implement, rather than relying on a single monolithic application such as Docker to perform all duties.
Podman vs Docker: Summary
Here is a brief comparison of the points we discussed above.
| | Docker | Podman |
|---|---|---|
| Runs on a daemon | ✅ | 🚫 |
| Can run containers as root | ✅ | ✅ |
| Runs containers as the invoking (non-root) user by default | 🚫 (opt-in rootless mode since Docker 20.10) | ✅ |
| Can build container images | ✅ | ✅ (podman build, delegating to Buildah) |
Podman
- Containers run as the user who started them (rootless by default).
- Command line interface is a drop-in replacement for the Docker CLI.
- Considered more secure by many because containers run without root permissions, although you can still run containers as root if you want.
- Builds images with podman build, which delegates to Buildah; the separate Buildah and Skopeo tools handle advanced build and image-transport tasks.
- Does not support Docker Swarm. docker-compose is supported since Podman 3.0, through Podman's Docker-compatible API socket.
Docker
- Users interact with the CLI, which talks to the Docker daemon over its API socket.
- The daemon runs as root.
- Containers are children of the root daemon; the container's main process is root on the host unless the image sets USER or user-namespace remapping is configured.
- Non-root users must be added to the docker group to use Docker, which makes them root-equivalent on the host.
- The daemon is a single point of failure.
- Monolithic application. It handles the entire container life cycle with no additional tools required.
- It supports Docker Swarm, docker-compose, and other tools.
- Enterprise paid support subscriptions available directly from Docker.
Pros and Cons of Podman vs Docker
Podman's primary benefit is that it runs both root and rootless containers, with rootless as the default, and it has no daemon to act as a single point of failure or as a root-owned attack surface. Many consider rootless containers a benefit to system security over their root counterparts, because a container escape yields only the invoking user's privileges.
Podman does not bundle its own image builder: podman build delegates to Buildah, and advanced build workflows use the standalone Buildah tool. This was an intentional design choice by the Podman team, who did not design Podman as a monolithic application. Podman also does not support Docker Swarm.
Docker popularized containers and rapidly became the industry standard. Docker offers optional paid support subscriptions, in case you require premium support for your application, and it supports Docker Swarm.
Docker certainly popularized containers, but it has some drawbacks. For one, it is a monolithic system. It was designed to be the only application you needed to build and run containers from start to finish. That made it powerful but hard for other tools to interoperate with; the later extraction of containerd and runc from Docker, and the OCI specifications built around them, were a direct response to this.
Secondly, much of Docker's functionality lives in the Docker daemon. The daemon runs as root and launches containers whose processes are root on the host by default. Users who want to drive Docker must be added to the docker group so they can write to the daemon's socket (/var/run/docker.sock), and anyone who can do that can ask the daemon to start a privileged container or bind-mount the host filesystem into one. docker group membership is therefore effectively root access on the host, as Docker's own documentation warns, and the same applies to any process handed the socket (a CI runner, for instance).
Relying on the Docker daemon also creates a single point of failure: if the daemon is unavailable, you cannot start, stop, or inspect containers until it returns. Podman was created to address all of these issues.
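Both of the points above, that rootless Podman maps container root to your own uid and that docker group membership is root-equivalent, can be checked on a host. The script below is an added example for this article, not code from the original page or from either project. classify_uid_map reads text in the format of /proc/self/uid_map (container uid, host uid, count per line) and reports whether uid 0 inside the namespace is mapped to host root or to an unprivileged user, which is exactly what separates a rootless Podman container from a root one; groups_include_docker scans a group list for the docker group. The sample maps in the comments are constructed; the only live commands are podman unshare and id, and podman is invoked only if it is installed.

```shell
#!/bin/sh
# Added example: inspect who a container's root really is, and whether the
# current account is in the docker group (i.e. root-equivalent) on a Docker host.

# classify_uid_map MAP
#   MAP is text in /proc/self/uid_map format: "<uid-inside> <uid-outside> <count>".
#   Prints "root-mapped"  when container uid 0 is host uid 0 (root container, or
#                         no user namespace at all: "0 0 4294967295"),
#          "rootless"     when container uid 0 is some unprivileged host uid,
#          "unknown"      when no entry for uid 0 is present.
classify_uid_map() {
    printf '%s\n' "$1" | awk '
        NF >= 3 && $1 == 0 { host_root = $2; found = 1 }
        END {
            if (!found)              { print "unknown" }
            else if (host_root == 0) { print "root-mapped" }
            else                     { print "rootless" }
        }'
}

# groups_include_docker "GROUP1 GROUP2 ..."
#   Succeeds when the docker group is in the list. Membership lets a user talk
#   to /var/run/docker.sock and therefore start a privileged container or mount
#   the host filesystem: treat it exactly like passwordless sudo.
groups_include_docker() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx docker
}

# Constructed sample maps, as they would appear inside a container:
#   rootless Podman started by uid 1000 with 65536 subuids from 100000:
#       0       1000          1
#       1     100000      65536
#   root container (or a plain host process):
#       0          0 4294967295

# Live checks, run only where the tools exist.
if command -v podman >/dev/null 2>&1; then
    # `podman unshare` enters the same user namespace rootless containers get.
    echo "podman containers for $(id -un): $(classify_uid_map "$(podman unshare cat /proc/self/uid_map 2>/dev/null)")"
fi
if groups_include_docker "$(id -nG 2>/dev/null)"; then
    echo "$(id -un) is in the docker group: root-equivalent on this host"
fi
```

If the podman line reports root-mapped for an unprivileged account, /etc/subuid and /etc/subgid have no range for that user and Podman is not actually running rootless containers for it.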
Which to Choose: Podman vs Docker
So how does one decide which container technology to use? There is no simple answer. Docker used to have an edge when interacting with additional tools such as docker-compose and Docker Swarm.
Initially, neither of these tools supported Podman, but the landscape is changing rapidly. As of Podman 3.0, Podman exposes a Docker-compatible REST API on a socket (the podman.socket systemd unit), so docker-compose works once DOCKER_HOST points at it. The Podman documentation states that Docker Swarm is out of scope for the project, so if Swarm is essential to your workflow, you may want to stick with Docker.
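As an added example (not from the page or the Podman project), here is how the docker-compose setup just described looks in practice. The socket paths are the ones Podman's systemd units create: $XDG_RUNTIME_DIR/podman/podman.sock for a rootless user and /run/podman/podman.sock for root. podman_socket_path computes the one that applies, socket_ready confirms the unit is actually listening, and compose_env prints the DOCKER_HOST assignment for your shell to eval.

```shell
#!/bin/sh
# Added example: point docker-compose (or the docker CLI) at Podman's
# Docker-compatible API socket, available since Podman 3.0.
#
# Once per account (rootless):  systemctl --user enable --now podman.socket
# Once per host (root):         systemctl enable --now podman.socket
# Then:                         eval "$(compose_env)" && docker-compose up -d

# podman_socket_path UID RUNTIME_DIR
#   The API socket Podman's systemd unit creates: a system unit listens under
#   /run/podman, a user unit under that user's runtime directory.
podman_socket_path() {
    if [ "$1" -eq 0 ]; then
        printf '%s\n' /run/podman/podman.sock
    else
        printf '%s\n' "${2:-/run/user/$1}/podman/podman.sock"
    fi
}

# socket_ready PATH
#   Succeeds only when PATH exists, is a socket, and is writable by us;
#   anything else means the unit is not enabled or belongs to another user.
socket_ready() {
    [ -S "$1" ] && [ -w "$1" ]
}

# compose_env
#   Prints the DOCKER_HOST assignment for the current user so that docker-compose,
#   which speaks the Docker Engine API, talks to Podman instead of a Docker daemon.
#   Prints nothing and fails when the socket is missing, so eval of its output is safe.
compose_env() {
    sock=$(podman_socket_path "$(id -u)" "${XDG_RUNTIME_DIR:-}")
    if socket_ready "$sock"; then
        printf 'export DOCKER_HOST=unix://%s\n' "$sock"
    else
        echo "# podman API socket not found at $sock; enable podman.socket first" >&2
        return 1
    fi
}
```

Because DOCKER_HOST is honoured by the docker CLI as well, the same assignment lets a stock docker binary drive a rootless Podman instance.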
Finally, it is possible to purchase official paid support subscriptions from Docker. Commercial support for Podman comes instead from Red Hat, which ships and supports it as part of Red Hat Enterprise Linux, so if you require premium support for your application, weigh which vendor relationship you need.
Which platform will you be using for your next containerized application? Will you replace Docker with Podman?
Whether you choose Docker or Podman, Liquid Web offers powerful dedicated infrastructure to host it on. In addition, our fully managed support services take the headache out of system administration. So, if you are not already a customer, give our Sales team at Liquid Web a call and see what we can do for you!
Our Sales and Support teams are available 24 hours by phone or e-mail to assist.