Transitioning from Docker to Podman

It&#x27;s compatible with cgroups v2 unlike the standard Docker. If you&#x27;re using Fedora, you have to add a kernel parameter to Grub to use cgroups v1 instead.<p>RedHat seems to be pushing a standard ecosystem for Linux: systemd, Wayland, SELinux, GNOME, and now maybe podman. I&#x27;ve been on Linux for a while; it&#x27;s a welcome change from all the fragmentation I&#x27;m used to. Whereas others try to work around the kernel and implement their own things in parallel (see: Canonical&#x27;s AppArmor, LXC, OpenZFS), RedHat just goes with what Linux already has like SELinux&#x2F;cgroups v2&#x2F;btrfs, which I think is more likely to last and just feels better. If RedHat goes away, I&#x27;m fine since I&#x27;m ultimately only relying on Linux features. If Canonical goes away, then I&#x27;d have to switch to a different stack. That&#x27;s probably why government, enterprises, Amazon, etc. still prefer RedHat.

At my company, we run our CI&#x2F;CD (Jenkins) using the Docker-in-Docker paradigm to facilitate easy maintainability of the CI itself and allow us to run containerized builds.<p>When we shifted to RHEL 8, we attempted to move this over to Podman and it went miserably (this was back in November 2019). The main reason being is that podman-in-podman doesn&#x27;t work and had bugs (at least back in Nov 2019). Maybe it fixed now but this was our experience. We ended up doing quite a bit of analysis on podman only to conclude it&#x27;s simply <i>not there yet</i> relative to docker (ecosystem and ergonomics).<p>There are quite a few corner cases that docker quite simply supports out of the box beautifully that podman doesn&#x27;t support or just has bugs.<p>I like the what the project is trying to solve by being daemonless, but this is not as simple as a drop in replacement for docker that RedHat markets it as (<i>alias docker=podman</i>).<p>We ended up sticking to docker professionally and personally, I am still using docker over podman. The ecosystem and ergonomics are just far too nice to give up over podman.

I love the idea of Podman being daemonless and (potentially) rootless. Regardless of the presence of security flaws in dockerd, the Podman architecture just feels cleaner.<p>And the CLI compatibility is great. Until it isn&#x27;t. At work we switched to Podman for a small deployment because Docker didn&#x27;t yet work with cgroupsv2 and many hours were spent debugging Podman-specific issues. In the end switching to cgroupsv1 would have been significantly less work.<p>Therefore claiming you can `alias docker=podman` is a bit disingenuous. You can, but only if you don&#x27;t do anything Podman can&#x27;t handle and what it can and cannot handle isn&#x27;t immediately obvious.<p>All that said, I wish the project the best and hope it reaches the maturity where this alias actually does work.

I was just about to complain about another thing to learn. Then I saw you can do &quot;$ alias docker=podman&quot;. Just want to acknowledge the importance of that work. Making things compatible is both boring and a pain, but it&#x27;s a door opener for people like me who refuse to learn your new API because I know a decent one already.

We&#x27;ve tried this (podman 2.0.5) and have hit some really really annoying bugs:<p>- Build layer cache doesn&#x27;t seem to work. If I rebuild locally with podman, it correctly detects cache hits and the build is fast. On our Jenkins server (RHEL 8) with podman 2.0.5 it doesn&#x27;t. It randomly doesn&#x27;t cache hit, causing builds to take 20x longer than with docker CE.<p>- Podman is insanely slow at building images in general. COPY emptyfolder&#x2F; &#x2F;emptyfolder&#x2F; takes 2 seconds. We have dozens of things to COPY and it&#x27;s stupid slow compared to docker CE. Buildah doesn&#x27;t seem any better.<p>- Systemd integration has bugs. If you use the default generated systemd unit file, it does not kill processes when exiting and leaves them dangling. Even after removing the strange KillMode=none it says to put in there, it still leaves processes dangling. Podman sometimes loses track of the container. It will list nothing in &quot;podman ps&quot; but the processes will still be running.

I find the podman integrates with systemd well claims a bit dubious.<p>Last time I checked both podman and CRI-O double fork and have reimplemented process supervision from scratch (through conmon) whilst they could get all those features for free if they didn&#x27;t daemonize themselves and let systemd handle running things in the background.<p>I found this very surprising. I still don&#x27;t understand why they made that choice.<p>At least they do play nice with the whole &quot;systemd owns the Cgroups tree&quot; story. A thing that was always a bit painful with docker.<p>Fun note. Systemd-nspawn actually can run OCI containers directly as well these days. However I&#x27;m not sure if it&#x27;s feature-complete

If you are running podman rootless it will use the fuse-overlayfs driver which comes with various limitations and is much slower than Docker:<p>* you are limited to 1024 FDs for your entire container. So running make -j40 usually ends up with various errors due to running out of file descriptors. You can of course raise the limit for your own user, but this may not be trivial on a shared system.<p>* getting podman to obey a raised user FD limit is non-trivial on CentOS 8. podman is not well supported on CentOS, you need latest Fedora if you want the various bugs&#x2F;limitations fixed.<p>* fuse-overlayfs is a single process for the entire container and quickly becomes the bottleneck for any IO intensive operation (e.g. don&#x27;t try running AFL inside podman, it&#x27;ll be way too slow and peg the CPU at 99% running fuse-overlayfs).<p>Fuse shouldn&#x27;t be necessary though if I could just give it access to the files that my user has access to (of course you&#x27;d loose the snapshotting&#x2F;committing ability), perhaps using -v would improve performance?<p>Using docker on CentOS 7 was a lot easier (and faster) than using podman on CentOS 8.

Hopefully most of you who have had issues with Podman have opened bug reports or issues. We are working to fix incompatibility bugs and getting out new releases all the time.<p>As far as docker-compose support, in Podman 2.0 we have added APIV2. This is a socket activation REST API. This API has a compatibility mode that implements the &quot;Docker API&quot; meaning podman can be setup to listen on the docker.sock and launch containers. We also have the more advanced Podman API for support of concepts like Pods. The API should be able to work with docker-py based scripts and Compose. We are getting lots of community support in fixing up our inconsistencies.<p>This is a fully open source project and we love to get contributions.

I always like to chime in and recommend people check out Singularity[0] containers if they haven&#x27;t before. It&#x27;s more common in academia because you can run containers without privileges which is nice in HPC environments. The containers themselves are simple immutable flat files that can be easily copied around, backed up, etc. There&#x27;s also no system daemon. It&#x27;s nice knowing everything you need for your container system exists in the containers themselves and a single singularity executable. No volumes, remembering to append --rm to avoid dangling containers, wondering where the actual images are stored, etc. Of course there are tradeoffs but I like them for certain use cases.<p>[0]: <a href="https:&#x2F;&#x2F;sylabs.io&#x2F;" rel="nofollow">https:&#x2F;&#x2F;sylabs.io&#x2F;</a>

Podman is amazing for CI and dev environments:<p>* It doesn&#x27;t require special privileges to run<p>* It runs containers as the same UID as the calling user, so directories mounted into the container can&#x27;t be polluted with files belonging to other UIDs, as Docker tends to do<p>* It&#x27;s easy to get it to only pull images from custom registries. With docker, this requires some fiddling (at least last I tried).<p>The only thing missing is Debian packages in Debian Stable (currently available in Bullseye aka testing).

I find the podman integrates with systemd well claims a bit dubious.<p>Last time I checked both podman and CRI-O double fork and have reimplemented process supervision from scratch (through conmon) whilst they could get all those features for free if they didn&#x27;t daemonize themselves and let systemd handle running things in the background and do the process supervision.<p>I found this very surprising. I still don&#x27;t understand why they made that choice.

For anyone not using Podman just because lack of docker compose like functionality, there are multiple alternatives.<p>* Podman&#x27;s official stance is to use Kubernetes YAML. The provide tools to generate this as well as convert docker-compose to kubeyaml<p>* podman-compose is not official, but it works well. you have to note that its not 100% compatible with dc but a lot of dc files run out of the box without modifications<p>* ansible with podman<p>* i personally use the podman cli with makefiles to get docker-compose like functionality<p>* also, podman v2 supports a docker comptaible rest api so its possible that docker-compose can be modified to support podman in the future

&gt; One of Podman’s greatest advantages is its complete CLI compatibility with Docker. In fact, when building Podman, Docker users can adapt without any significant changes. For example, you can use the alias command to create a docker alias for Podman: `alias docker=podman`<p>Wow that&#x27;s a great adoption hack; just alias another program as another

I like the daemonless architecture a lot, but until there&#x27;s a quick and painless way to install it on OSX and Windows developer machines, you&#x27;re going to see very limited uptake.

Last time I tried podman it looked very cool being rootless and daemonless, except that since it&#x27;s rootless I couldn&#x27;t create the necessary network interfaces... making it pretty much worthless.

After reading this thread, I realize that the 4 GB (average) of my vagrant box images wasn&#x27;t <i>that</i> bad in retrospect, and that loaded a fully baked OS with packages from apt and just required VirtualBox and its extension pack. (this was not an optimized setup, I was such a noob at the time, just trying to wrangle our developer tools)<p>The only reason I moved to docker years ago was I wanted a tighter reproducible workflow (ie docker-compose up) for all other developers, turns out vagrant has (at some point in the last 5 years) solved this problem too, with packer (I didn&#x27;t know about this 5 years ago for whatever reason)<p>Makes me long for going back to that. At least once you built your base image, it was <i>done</i> and you could just make fast linked images from there. I bet with Alpine you could get a vagrant up in a few minutes tops, then it boots in seconds.<p>Never liked Ruby as a config language, but doing complex things like setting up shared networks and folders was a breeze comparatively I felt.<p>Never used vagrant in a production capacity though. Everywhere I ever worked always deployed to bare metal or essentially we bought our services (cloud functions, semi-managed containers etc)

Daemonless and rootless are killer features.<p>The lack of filesystem isolation and volume support are the last things keeping me from jumping ship.

Meta: there seems to be two kind of comments here...<p>1) why the hell would you want Docker-in-Docker<p>2) I can’t live without Docker-in-Docker

Sometimes I feel grateful having let all these ephemeral things things pass by without having needed to learn something that was going to stop being &quot;in&quot; so soon.

Podman, buildah, and skopeo are insanely awesome tools that let you transition an image from a public registry to your own private deployment in a jiffy. The article doesn&#x27;t mention it but podman can also dump a pod configuration you can use in kubernetes and open shift&#x2F;okd so if you&#x27;re not a yaml wizard you can still get stuff running containerized.

I&#x27;ve used Podman, SystemD and Buildah.<p>It&#x27;s great to hack around with. SystemD is particular is very polarizing and I don&#x27;t want to start a flamewar, but it helped me &quot;get&quot; init systems.<p>Podman seems to have a better security model than Docker, so we were trying it out at work too.<p>Redhat is clearly very invested in this.<p>There was excellent documentation and good tooling around all this.

Nope, it&#x27;s still not there, simplest things work but as soon as you diverge to something more complex it fails.<p>I tried using it as Docker replacement, but various tools that use docker (using dockerized pip in serverless framework) and complex docker-compose files (dockerized Magento) were broken.

I really struggled with podman, a bunch of containers (I cant remember which ones) didn&#x27;t work, and build tools choked as well.<p>At work we dont get root access so I thought it would be perfect but sysadmins couldn&#x27;t figure out how to configure either so was bust there too.

Any docker Podman corner cases that people have run into? I like the idea of rootless containers but I can do that ether easily by adding one line to my dockerfile or adding a user flag when I run a docker container. What other advantages am I getting?

Does Podman let you get the real SHA-256 digest of the image, pull it to a machine, and then launch the image only if it matches the specified SHA-256 digest?<p>The podman &#x27;create&#x27; command docs [1] do not list a &#x27;--digest&#x27; argument. I found no example of specifying the digest as part of the image name.<p>Docker does not support this. You can get an image file and calculate the SHA-256 digest of it. But Docker does not let you say &quot;start a container using this particular SHA-256&quot;. That&#x27;s because the SHA-256 that docker uses internally is just a hash of dockerd&#x27;s internal metadata about the image. That metadata is different on every machine. I felt extremely disappointed when I discovered this. And I lost a lot of respect for the Docker developers.<p>If you want to deploy based on image hash with Docker, you must add your own verification step before creating each container instance. Terraform&#x27;s docker plugin does not perform this step. And the local dockerd will not check the SHA-256 on reboot. If you just follow Docker&#x27;s &quot;best practices&quot; and use the provided tools, all of these sources will needlessly have root on everything you deploy:<p>- Your docker image repository<p>- Any machines with credentials to push to your docker image repository (CI system, engineer machines, anyone with access to engineer machine backups)<p>- Anyone with permission to push any public image that you use. The way most CI systems are configured, all jobs get the same credentials. So this includes your build and test jobs. That fancy linter Docker image you&#x27;re using? Anyone who can push to its Dockerhub account can replace the image version you selected with one that roots all of your systems.<p>- Dockerhub itself<p>Why would RedHat switch to a Docker replacement without this crucial security feature?<p>Am I missing some important point that makes all of this ok?<p>[1] <a href="http:&#x2F;&#x2F;docs.podman.io&#x2F;en&#x2F;latest&#x2F;markdown&#x2F;podman-create.1.html" rel="nofollow">http:&#x2F;&#x2F;docs.podman.io&#x2F;en&#x2F;latest&#x2F;markdown&#x2F;podman-create.1.htm...</a>

Assuming that it&#x27;s Red Hat&#x27;s fault that there is no el8 package for Docker, I think Red Hat is really shooting themselves in the foot by not supporting Docker in RHEL8. (You can still install the el7 version of Docker on el8 by performing an enable&#x2F;disable&#x2F;enable&#x2F;disable&#x2F;... module dance, but... why isn&#x27;t there just an el8 version?)

And so it starts, the journey to something else. Thanks Docker.

I am still thinking whether to include Docker or Podman in my book[0]? Since I am leaning towards RH tech (like SELinux), I think I will go with Podman. I think it&#x27;s the future on Fedora-based systems.<p>[0] <a href="https:&#x2F;&#x2F;deploymentfromscratch.com&#x2F;" rel="nofollow">https:&#x2F;&#x2F;deploymentfromscratch.com&#x2F;</a>

Podman is really a nice piece of software, we are using it successfully on debinan 10.

I&#x27;m finding podman great for my (not actually that complicated) docker use-cases

Where can I find documentation about the security benefits claimed for podman?

I&#x27;m not familiar with Podman but I welcome any alternative to Docker.

Lack of a drop-in docker-compose replacement is what stopped me last time I tried podman. podman-compose looked decent but it lacked a bunch of basic features and didn&#x27;t work smoothly last time I tried it.

Is the Docker daemon actually a huge security hole?<p>I see people championing Podman because it&#x27;s daemonless but is it actually beneficial or is it championed because it&#x27;s Red Hat and a case of security check boxing?

Does it support GPU when installed on Windows 10 WSL1?

Is it feasible to use podman to deploy to AWS?

He literally says Ah pah shae, no its Apache, its been around forever. (x) Doubt

I&#x27;m an enduser and I expect things to &quot;just work&quot;. That seems to match a lot with Red Hat&#x27;s Linux distros (i.e. RHEL): &quot;Just use it, it&#x27;s a defacto standard so most third party software is tested on it, don&#x27;t worry about underlying components as Red Hat has made sane choices for you.&quot;<p>That&#x27;s the theory (and Red Hat&#x27;s marketing). I wish I could just be using CentOS&#x2F;RHEL and not worry about the choices Red Hat makes. But the shit is piling up (sorry for my harsh words, no offence intended).<p>So, let&#x27;s containerise something simple on top of the &quot;centos&quot; container image, let&#x27;s say postfix. Oh, postfix on centos needs systemd for logging. But systemd in a container is a nightmare. You <i>can</i> get systemd to work in a container <i>if</i> the host system is using containerd <i>and</i> you pass certain special files from the host to the container. So just use Podman instead of Docker, right? Podman has functionality to make systemd in a container work. OK, I can run my container on my fat workstation (a Centos system with Podman). But is it still portable? Can I just run it in Github Actions, AWS ECS, a Windows machine with Docker Desktop? Nope. It&#x27;s not portable.<p>Let&#x27;s put the systemd rant aside (I really like the systemd CLI UX, but the architecture (dbus, etc) seems to only serve one usecase properly (Desktop systems) and seems to be heavily wrong for the container usecase).<p>Let&#x27;s rant about the architectural choices Red Hat is making for containers. Before Red Hat started to get involved there was the open source, (now) cross-platform containerd that a lot of tools are building on top. It consumes the low level runtime runc and both provides an API for Kubernetes (CRI) and additional things. It is highly pluggable and therefore the &quot;only container runtime you&#x27;ll ever need&quot;. And it&#x27;s purely community governed (CNCF).<p>What is Red Hat doing? Are they building their container tools on top of containerd? Nope. They create their own low level container runtime (crun), their own mid level container runtime (cri-o). But cri-o only covers what&#x27;s needed for Kubernetes. So to be able to build container images, etc (the &quot;working with containers on a single machine&quot; usecase) additional tools are needed (podman, buildah, skopeo) and they have to implement the missing functionality themselves. So Red Hat&#x27;s Open Shift (Kubernetes distribution) builds on an entirely different stack than Podman.<p>Fragmentation everywhere. Was that really necessary?<p>Why should I care as an enduser? Well, I can inspect and debug all tools that use containerd the same way (i.e. using the &quot;ctr&quot; tool). I can relatively easily even write my own tools that use containerd (via it&#x27;s grpc api) and can access the resources (containers, images, etc) that these tools are managing to solve my special custom needs.<p>For the Red Hat stuff everything is different. I could work with cri-o using crictl and write custom tools using cri interface. For Podman I would need to use Podman&#x27;s API. (Which has annoyingly entirely changed between v1 and v2).<p>ok, enough rant (I could go on with how hard it is to get an up to date version of podman on a supported RHEL system even with app streams, that UBI images don&#x27;t provide podman&#x2F;buildah&#x2F;skopeo, etc etc etc).<p>Please don&#x27;t mistake me: Podman, cri-o, crun, open shift are all amazing technologies. And it&#x27;s great that they are mostly open source via upstream projects. But I wish this whole fragmentation hadn&#x27;t happened. For me as an enduser it&#x27;s nightmare.