Breder.org

Podman is Great

Podman is an alternative to Docker for building and running containers on Linux.

It has a CLI that will be familiar to anyone coming from Docker. I've been experimenting with it for a couple of days, and I think it is excellent in its own right.

For one, it completely displaces Docker for me for the use cases I care about.

Non-Root Containers

Podman has the advantage of being designed and developed after Docker, so it kept the parts of Docker's model that worked and simplified the rest.

By default, when invoked by an unprivileged user, Podman runs containers rootless: building, pulling and running all work without sudo. It does this with a user namespace, so root inside the container is really the invoking user on the host, and the remaining UIDs and GIDs in the container are mapped onto a range from /etc/subuid and /etc/subgid reserved for that user.

This means that in the hypothetical case of an attacker breaking out of the container, they land in an unprivileged user account rather than as root, which is an additional layer of security. It is a layer, not a guarantee: a breakout still gives whatever that user can reach, so containers that handle untrusted input are best run from a dedicated account.
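To see the mapping for yourself, read /proc/self/uid_map from inside a container: each line is "inside-start outside-start count". The script below is an added example, not code from the original post or from the Podman project. It parses such a map and reports which host UID a given container UID is backed by. The two sample maps embedded in it are constructed: one as seen from a rootless container started by host user 1000 with the subuid range 100000-165535, one as seen from a container started by root. The function names and the sample ranges are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post or the Podman project):
# inspect a Linux uid_map and find the host UID behind a container UID.
# With rootless Podman, container UID 0 maps to the invoking user and
# container UIDs 1..N map to that user's /etc/subuid range.

# host_uid_for: given a container UID as $1 and a uid_map on stdin,
# print the host UID it maps to, or "unmapped" if no line covers it.
host_uid_for() {
  awk -v target="$1" '
    BEGIN { target = target + 0; found = 0 }
    # a line covers the target if inside-start <= target < inside-start + count
    target >= $1 && target < $1 + $3 {
      print $2 + (target - $1); found = 1; exit
    }
    END { if (!found) print "unmapped" }
  '
}

# classify_uid_map: read a uid_map on stdin and print "rootless" if
# container root is backed by a non-zero host UID, "rootful" if it is
# backed by host UID 0, or "unmapped" if UID 0 has no mapping at all.
classify_uid_map() {
  host=$(host_uid_for 0)
  case "$host" in
    0) echo rootful ;;
    unmapped) echo unmapped ;;
    *) echo rootless ;;
  esac
}

# Constructed sample: uid_map seen inside a rootless container started by
# host user 1000 whose /etc/subuid entry is "1000:100000:65536".
ROOTLESS_MAP='         0       1000          1
         1     100000      65536'

# Constructed sample: uid_map seen inside a container started by root
# (rootful podman or a Docker daemon); container root is host root.
ROOTFUL_MAP='         0          0 4294967295'

# Run against the constructed samples.
printf '%s\n' "$ROOTLESS_MAP" | classify_uid_map      # rootless
printf '%s\n' "$ROOTLESS_MAP" | host_uid_for 0        # 1000
printf '%s\n' "$ROOTLESS_MAP" | host_uid_for 1000     # 100999
printf '%s\n' "$ROOTFUL_MAP"  | classify_uid_map      # rootful
```

To check a real container rather than the samples, pipe the map out of it: podman run --rm docker.io/busybox cat /proc/self/uid_map | classify_uid_map. The same map is visible from podman unshare cat /proc/self/uid_map, which enters the user namespace without starting a container. If the answer is "rootful" for a container you expected to be rootless, you are running podman as root (for example through sudo) and the breakout argument above no longer applies.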

No Privileged Daemon

Also unlike Docker, Podman doesn't require a privileged daemon running at all times.

In Docker, the docker CLI is only a client: every command is a request over the daemon's Unix socket (by default /var/run/docker.sock) to dockerd, which runs as root and does the actual work, so anyone who can write to that socket effectively has root on the host. With Podman, each container is started directly by the podman process as a child of the invoking user, with the OCI runtime (crun or runc) and the conmon monitor process spawned from there; nothing privileged needs to be listening.

This further reduces complexity and attack surface. Podman can optionally expose a Docker-compatible API socket (podman system service) for tools that expect one, but that service is not needed for normal use and can itself run rootless.

Standards-based

While Docker has moved toward lock-in and monetization on some fronts (such as requiring a paid subscription for Docker Desktop at larger companies), Podman implements the OCI (Open Container Initiative) specifications, a set of standards for container interoperability covering the image format, the runtime and image distribution.

This means that the risk of being locked in to a proprietary solution is lower: images built with Podman can be pushed to any OCI registry and run by any OCI-compliant engine, and others are -- at least in principle -- able to step in and implement the same functionality by complying with the same standards.

Give it a Try

If you are on Linux, try it out: podman.io.

# Ubuntu/Debian
sudo apt install podman

# Arch Linux
sudo pacman -S podman

# Example (pulling a container image from docker.io). Use the fully
# qualified name, registry included, so the pull cannot be resolved
# against a different registry than the one you meant.
podman run --rm -it docker.io/busybox