
Notes on Podman

2023-03-15 #notes #open-source

Podman is a container engine that reimplements Docker's command-line interface while addressing some of Docker's design issues. The most obvious difference is that Podman has no permanently running daemon: each `podman` command launches the container runtime directly, so there is no central long-lived process (or socket) that every container depends on. This is nice, but not a huge deal in practice. It also has other design differences, but most of them are good ideas that have little to no impact in everyday use.

A big feature of Podman was that it was the first to implement rootless support. Rootless means that the engine and its containers run entirely as an unprivileged user (using user namespaces), with no root-owned daemon involved; in Docker's traditional setup the daemon runs as root. The rootful mode isn't great for security: a container escape, or simply write access to the daemon's socket, hands over root on the host, so any vulnerability quickly turns into privilege escalation. Rootless mode is not free of trade-offs (some features such as binding privileged ports or certain storage and network drivers are restricted), but it removes that root-owned attack surface. Nowadays, Docker has perfectly working rootless support, so Podman no longer has the advantage on this particular item.
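Since the whole security argument hinges on whether an engine is actually running rootless, here is a small check script. This is an added example, not code from the original post or from either project: the two `docker info` / `podman info` queries it wraps are real commands, while the parsing helpers and the sample outputs used for the offline self-check are constructed here.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether a Docker or Podman
# engine is running rootless, from the output of its `info` command.
#
# Real queries wrapped below:
#   docker info --format '{{json .SecurityOptions}}'
#       -> JSON list that contains "name=rootless" only for a rootless daemon
#   podman info --format '{{.Host.Security.Rootless}}'
#       -> the literal "true" or "false"
# The parsing functions take that text as an argument so they can be exercised
# offline against constructed sample output; engine_mode runs the live query.

# Docker: a rootless daemon advertises "name=rootless" among its security options.
# Returns 0 when rootless, 1 otherwise.
docker_is_rootless() {
    case "$1" in
        *name=rootless*) return 0 ;;
        *) return 1 ;;
    esac
}

# Podman: prints "true" when the current user's engine runs rootless.
podman_is_rootless() {
    [ "$1" = "true" ]
}

# Query a live engine ("docker" or "podman") and print "rootless" or "rootful".
# Returns 2 if the engine is unknown or cannot be reached.
engine_mode() {
    case "$1" in
        docker)
            opts=$(docker info --format '{{json .SecurityOptions}}' 2>/dev/null) || return 2
            if docker_is_rootless "$opts"; then echo rootless; else echo rootful; fi ;;
        podman)
            val=$(podman info --format '{{.Host.Security.Rootless}}' 2>/dev/null) || return 2
            if podman_is_rootless "$val"; then echo rootless; else echo rootful; fi ;;
        *)
            return 2 ;;
    esac
}

# Constructed sample outputs (not captured from a real host) for an offline check.
SAMPLE_DOCKER_ROOTFUL='["name=apparmor","name=seccomp,profile=builtin","name=cgroupns"]'
SAMPLE_DOCKER_ROOTLESS='["name=seccomp,profile=builtin","name=rootless","name=cgroupns"]'
SAMPLE_PODMAN_ROOTLESS='true'
SAMPLE_PODMAN_ROOTFUL='false'
```

Run `engine_mode docker` or `engine_mode podman` on a host with the engine installed. If Docker reports `rootful`, remember that anyone who can write to its socket (for example, members of the `docker` group) is effectively root on that machine, which is exactly the escalation path rootless mode is meant to close.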

I experimented with Podman for many months, but finally concluded that it’s not worth investing any more of my time and energy.

Podman is meant to work as a Docker drop-in replacement, but fails to achieve this goal for docker-compose. Effort has gone into podman-compose (which tries to re-implement docker-compose for Podman) and into making Podman itself work with docker-compose. Neither of these approaches works well, and for most of the projects where I use docker-compose, I could not rely on Podman and needed to keep Docker around instead. This meant that during my months of experimentation with it, I still needed to keep Docker around, so I had two products which did the same thing. But they each kept container images and other data separate, so often I'd end up pulling the same container twice (and have two copies on disk): one for Podman and another for Docker.

I’ve recently put an end to my experiments with Podman mostly because of this. At this point, it’s lost its main advantage and I still need Docker around and running. I think there’s a lot of interesting exploration left in the container space on Linux, but imitating Docker is unlikely to be the way to go. An imitation is unlikely to displace the existing implementation, and effort put into writing new container engines is best directed at new ideas and designs, and not just copying an existing one.

I do think Podman brought something good: it was the first to implement rootless support, and that precedent pushed Docker to follow. But that's about it.

— § —