Exploring Podman: A More Secure Docker Alternative

383 points, by sacrosanct, over 1 year ago

23 comments

tekeous, over 1 year ago
Podman was good when it supported systemd unit files, so I could auto-start and auto-update containers, even entire pods, with systemd.

Then they removed that in favor of Quadlet. Now, in order to do a single container I can do a unit file, but for a pod I need to use a Kubernetes cluster definition.

Plus, unlike Docker, their containers bow to SELinux definitions, so I have repeatedly struggled with containers unable to access mapped directories.

So what is it, Podman? Should I just use Kubernetes? Should I just make dedicated directories for everything instead of mapping logical places for things?
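For the single-container case described above, here is an added example (not from the thread or the Podman project) of the Quadlet unit it takes: a shell function writes a `.container` file that systemd auto-starts, that `podman auto-update` refreshes, and whose bind mount carries the `:Z` SELinux label so the mapped directory is actually readable from inside the container. The unit name, image, port and directory are placeholders chosen here.

```shell
#!/bin/sh
# Added example: generate a rootless Quadlet unit under
# ~/.config/containers/systemd (override with QUADLET_DIR for testing).

quadlet_dir() {
    printf '%s\n' "${QUADLET_DIR:-${XDG_CONFIG_HOME:-$HOME/.config}/containers/systemd}"
}

# write_container_unit NAME IMAGE HOSTPORT:CTPORT HOSTDIR:CTDIR
# Prints the path of the unit file it wrote.
write_container_unit() {
    name=$1; image=$2; ports=$3; vol=$4
    dir=$(quadlet_dir)
    mkdir -p "$dir"
    cat > "$dir/$name.container" <<EOF
[Unit]
Description=$name (rootless, auto-updated via Quadlet)

[Container]
Image=$image
# Lets "podman auto-update" pull a newer image and restart this unit.
AutoUpdate=registry
PublishPort=$ports
# :Z relabels the host directory for this container only (SELinux MCS);
# without a label SELinux denies the container access to the mapped path.
Volume=$vol:Z
# The container cannot gain privileges via setuid binaries.
NoNewPrivileges=true

[Service]
Restart=always

[Install]
WantedBy=default.target
EOF
    printf '%s\n' "$dir/$name.container"
}

# On a real host (placeholder image/paths):
#   write_container_unit web docker.io/library/nginx:latest 8080:80 "$HOME/site:/usr/share/nginx/html"
#   systemctl --user daemon-reload && systemctl --user start web
#   systemctl --user enable --now podman-auto-update.timer
```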
freedomben, over 1 year ago
I almost never see what is IMHO the killer feature of Podman touted as a reason to prefer it over Docker: Docker mangles your network config. It is a *nightmare* trying to run Docker and KVM virtual machines with bridges at the same time. Podman, on the other hand, plays very nice OOTB.

I've also had a lot of VPNs break and/or be broken by Docker. I don't know much about the way podman does networking, but whatever it is, they did a good job thinking it through and it has yet to interfere with anything else I do. I definitely can't say the same for Docker.
bootsmann, over 1 year ago
Glad that podman is getting more traction tbh; too many tools are built with the assumption that people add the sudo docker group, which breaks if you have any kind of security-conscious docker setup (such as not blindly giving it root access).
INTPenis, over 1 year ago
As a certified RHEL engineer I have been using Podman for years already.

To be perfectly honest, I do enjoy it for all my personal container use. But at work I still use docker for our developers. There is so far nothing I can offer our developers that can match docker compose in simplicity.

We even use buildah in CI pipelines when we make container images, but specifically for developer end users docker compose is still dominant.
coldblues, over 1 year ago
https://www.techrepublic.com/article/how-to-fix-the-docker-and-ufw-security-flaw/

I almost got burned by this.
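The Docker/ufw problem linked above comes from Docker's own DNAT rules being evaluated before ufw's chains, so a published port is reachable no matter what `ufw deny` says. As an added example (not from the thread), this shell function audits `iptables-save` output and lists every Docker-published port that is bound to a non-loopback address, which is exactly the set ufw will not protect; the sample rules it runs on are constructed here.

```shell
#!/bin/sh
# Added example: list container ports Docker has exposed to the outside
# regardless of ufw. Docker's DNAT rules live in the nat table's DOCKER
# chain; only bindings with "-d 127.0.0.1/32" stay local. Reads
# iptables-save output on stdin and prints one "proto/port" per line.

exposed_docker_ports() {
    awk '
        /^\*/ { table = substr($0, 2) }     # track the current table (nat/filter)
        table == "nat" && $2 == "DOCKER" && /-j DNAT/ {
            lo = 0; port = ""; proto = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-d" && $(i+1) ~ /^127\./) lo = 1   # loopback-only bind
                if ($i == "--dport") port = $(i+1)
                if ($i == "-p") proto = $(i+1)
            }
            if (!lo && port != "") print proto "/" port
        }
    ' | sort -u
}

# Constructed sample: two world-reachable publishes, one loopback-only bind,
# and a ufw DROP rule for 5432 that Docker's DNAT bypasses anyway.
SAMPLE_RULES='*nat
:DOCKER - [0:0]
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.17.0.2:5432
-A DOCKER ! -i docker0 -d 127.0.0.1/32 -p tcp -m tcp --dport 9000 -j DNAT --to-destination 172.17.0.3:9000
-A DOCKER ! -i docker0 -p udp -m udp --dport 53 -j DNAT --to-destination 172.17.0.4:53
COMMIT
*filter
:ufw-user-input - [0:0]
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 5432 -j DROP
COMMIT'

# On a real host: iptables-save | exposed_docker_ports
printf '%s\n' "$SAMPLE_RULES" | exposed_docker_ports
```

Anything the function prints should either be bound to 127.0.0.1 instead or be filtered explicitly in the DOCKER-USER chain, since ufw rules alone will not stop it.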
BossingAround, over 1 year ago
I still don't really understand why Red Hat invests in creating a Docker alternative, but I really like it. Podman does pretty much everything Docker does, but it has more features (e.g. pods), or the way Podman does it tends to be better (e.g. the daemonless container spawning process).

The main issue for a common developer would be Docker compose, I suppose; if you use simple compose files, there's actually a podman-compose script that attempts to be compatible with the Docker compose spec.

There's also using Podman as a backend for docker-compose [1]. Overall, in 2024, I see no reason to use Docker, at least on Linux boxes. Not sure how Podman fares on macOS or Windows.

[1] https://www.redhat.com/sysadmin/podman-docker-compose
politelemon, over 1 year ago
Sounds good, I like their security-first approach and some of the decisions they've made, going for secure defaults out of the box, and that it works with docker compose. I wonder if, should podman gain enough traction, at some point they decide to go their own way with regard to the commands and the yml, because right now it seems to be a tool that 'hangs on to' docker and docker's compose file format.

It would be good to have a swarm alternative in podman; it seems like k8s is a crutch for lack of orchestration. With their good security hat on they could probably come up with a sane, simple way of running containers at small scales without having to dive into a PhD in k8s, which doesn't have secure defaults out of the box, while maintaining compatibility with the docker compose format.

Anyway, that's a good intro, thanks for sharing, I'll be trying it later.
Helmut10001, over 1 year ago
I agree that rootless containers and isolated namespaces are critical security features. But with docker rootless, this is also possible and not complicated. You just have to do it. I have written a blog post on setting up Mastodon in docker rootless with all the best practices currently available [1].

The benefit of sticking with docker is that accessibility is better: more communities, more blogs, broad availability of docker compose configs, more peers knowing how to use it, etc. In the end, both podman and docker run processes in isolated namespaces on the host.

[1]: https://du.nkel.dev/blog/2023-12-12_mastodon-docker-rootless/
irusensei, over 1 year ago
Don't take me wrong. Podman is great and I use it instead of docker nowadays, but when I started using it thinking it was just a docker replacement I got burned by UID and GID mappings, SELinux policies, missing DNS configuration and more.

More than once I wrecked my whole setup running system migrate as a way to fix problems. It has a whole thing about security ACLs, ID mapping and labels. A chmod -R under your home folder will probably kill all your containers.

While I'm happy with the results, it was far from an "it just works" solution like Docker. I imagine things have probably been improved since I started using it.
jrm4, over 1 year ago
Big picture, it feels like Podman is essential the same way Linux used to be.* It doesn't matter if very few people use it; its presence *prevents* its much bigger privately-owned brother(s) from doing terrible things.

*(I say "used to be" because Linux is now even more essential and central, not less.)
tdiff, over 1 year ago
One other thing podman (unlike Docker) is missing is the ability to run x86 images on Apple silicon under Rosetta. QEMU turns out to be too slow for real use.
Plasmoid, over 1 year ago
One of the nice things about podman is that it's super easy to configure image caches. So instead of rewriting all my image references to use my local cache tool, I can just set a cache directive in podman and everything works transparently.
xyst, over 1 year ago
I had some issues with podman working on my M1 Mac about 1-2 yrs ago.

I'll give it a shot again. Looks like it has matured very fast.
qwertox, over 1 year ago
I have such a huge arsenal of custom tools to manage Docker that I envy Podman users, because I can't move to it because of this technical debt.

I just keep hoping that Docker isn't that bad and is a good alternative to Podman, because I've read mostly good things about it, while Docker usually gets dragged through the dirt.
coppsilgold, over 1 year ago
I tend to just make and run shell scripts that configure and run bubblewrap [1].

Everything is nicely explicit and allows for a good mental model of what's going to happen when you run it.

```bash
#!/bin/bash
# Helper defining the FLAGS_* arrays (not shown in the comment).
source "/path/bwrap_helper.sh"
FLAGS=(
    "${FLAGS_ROOTFS_DISTROX_MIN[@]}"   # minimal distro rootfs mounts
    "${FLAGS_ENV_XDG_GUI[@]}"          # environment for a GUI session
    "${FLAGS_PULSE[@]}"                # PulseAudio socket
    "${FLAGS_GPU_ACCEL[@]}"            # GPU device nodes
    --new-session                      # detach from the controlling terminal
    --bind /path/jail123 /home/user    # the jail directory becomes the home
)
# fd 10 carries the seccomp BPF filter; bwrap reads it via --seccomp 10
exec bwrap "${FLAGS[@]}" --seccomp 10 10< /path/a_filter.bpf -- /usr/bin/gui_app "$@"
```

[1] <https://github.com/containers/bubblewrap>
AkihiroSuda, over 1 year ago
> Podman is designed to help with this by providing stronger default security settings compared to Docker. Features like rootless containers, user namespaces, and seccomp profiles, while available in Docker, aren't enabled by default and often require extra setup.

Seccomp has been enabled by default since 2015: https://github.com/moby/moby/pull/18780

It is true that Rootless isn't enabled by default, but its "extra setup" can be done with a single command (`dockerd-rootless-setuptool.sh install`).
oasisaimlessly, over 1 year ago
Can anyone tell me why neither Docker nor Podman allows you to dynamically modify forwarded ports? It would allow zero-downtime updates of containers (start the new container, wait for it to be healthy, update the port forwards, stop the old container).

And no, reverse proxies do not solve this problem; lots of protocols (e.g. SSH) have no equivalent to X-Forwarded-For for identifying the remote host.
tdiff, over 1 year ago
Could anyone please recommend a paper on Docker architecture, discussing its design choices (e.g. the client-server model) in detail?
hirako2000, over 1 year ago
Also worth mentioning that while docker has been catching up by offering a rootless mode for years now, it insists on running a daemon process.

That daemon is a subtle but incommensurate burden when adopting the least-privilege principle.

In environments running multiple hosts which themselves run multiple containers (typically k8s), it forces your hand into either giving in and granting docker (the daemon) root privilege if any one of your containers needs root, or excluding that container from running in that environment altogether (since it would fail to execute if the docker daemon is in rootless mode). Of course the most secure and wise option would be to refactor that container and whatever it's doing to run rootlessly, but sometimes this is simply not a reasonable or even possible option in order to migrate a massive, complex platform of hundreds of microservices with its own history and justified security exceptions.

K8s (and OpenShift, which adopts a stronger security-by-default configuration set) provides control over which service accounts are granted such an exception.

tl;dr: use podman/buildah rather than docker, use OpenShift rather than vanilla k8s.
snapplebobapple, over 1 year ago
Can't do NFS mounts rootless, so I don't really see the point, since my whole infrastructure is using NFS mounts and docker already.
WhyNotHugo, over 1 year ago
The comparison is unfair in that it compares docker-as-root vs rootless podman.

A more sensible comparison would be between docker rootless and podman rootless.
CodeCompost, over 1 year ago
deleted
throwawaaarrgh, over 1 year ago
Somebody should tell them Docker can run in rootless mode.