[TriLUG] docker vs podman

Hrivnak, Michael via TriLUG trilug at trilug.org
Wed Aug 19 15:39:37 EDT 2020


On Wed, Aug 19, 2020 at 10:10 AM Mauricio Tavares via TriLUG <
trilug at trilug.org> wrote:

> The list seems to be too quiet, so let me throw some gasoline-laden logs:
>
> Podman as replacement of docker
>
> Pros:
> 1. More secure (?) because it does not use a daemon and runs rootless
>

Rootless is a big deal. Many people set up docker to let them run
containers as their normal user and then forget that they've effectively
enabled passwordless-sudo. Yes it enables you to "docker run foo" without
sudo, but the docker daemon doing the work is running as root!
https://docs.docker.com/engine/install/linux-postinstall/#manage-docker-as-a-non-root-user

Podman will truly run your container without any root privileges necessary.

An underappreciated perk of being daemonless is that your UID extends into
containers, which makes it possible to identify you in the host system's
audit log. When things go sideways, that can make a big difference.

> 2. Docker does not support cgroup v2, which podman does
> 3. Docker has problems running in centos8. Podman comes installed in
> centos8.
>

I assume that's just because centos8 and RHEL 8 default to cgroups v2?
Presumably when docker adds support for cgroups v2 it should work fine.


> 4. Podman can run docker commands
>

"alias docker=podman" goes a long way.


> 5. Docker seems to have issues with firewalld
> 6. Fedora cheerleaders love podman
>

7. Rootless container image build. This was a proverbial game changer. It
enables you to add container image builds to any normal CI pipeline; no
need to install a service that runs as root. You can run "podman build" the
same way you run a compiler.
8. Adheres to Open Container Initiative standards
9. You can use systemd on your host to run a container like any other
service. You get the same look and feel while using familiar tooling
(systemctl, journalctl, ...), but it's backed by a container.


>
> Cons:
> 1. No proper equivalent to docker-compose. podman-compose is not ready
> for prime time and really is a way to convert compose files into
> podman pods thingie
> 2. They would rather you use podman pods instead of docker compose,
> but by then you are using kubernetes so why not just use kubernetes
> and save the intermediate step?
>

That's comparing an apple to an industrial-scale orange grove. Running a
small number of related containers in a pod using podman is trivial and
sometimes useful. Running k8s is anything but trivial. Don't get me wrong;
I'm a big fan of k8s and its ability to solve problems at large scale. But
if you just need to run a few containers together on a machine, podman or
docker is the right tool for the job.

However, it can be convenient to define a Pod in similar ways whether
you're running it in k8s or with podman.


> 3. Docker can run in rootless mode
> https://docs.docker.com/engine/security/rootless/


It appears to be "experimental", but it's nice to see them following
podman's lead. ;)


>
> 4. Docker has better docs
> 5. Fedora cheerleaders love podman
>

6. Docker has some support for non-linux operating systems, which I guess
matters to people who are into that sort of thing...
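Two checks that make the rootless point above concrete, added here as an example and not part of the original post. The uid_map parsing is the real test of "is container root actually host root": the kernel's /proc/&lt;pid&gt;/uid_map inside a container shows how in-container uids map to host uids, so a rootful docker container maps uid 0 to host uid 0, while a rootless podman container maps it to your own uid. The second function lists docker-group members, who can reach the root-owned daemon's socket. The map and /etc/group samples below are constructed, not captured from a real host; the helper names are this example's own.

```shell
# Added example, not from the original post. In real use the maps come from:
#   docker run --rm alpine cat /proc/self/uid_map
#   podman run --rm alpine cat /proc/self/uid_map

# Map an in-container uid to the host uid using uid_map text. Each line is
# "<inside_start> <outside_start> <length>". Prints the host uid, or
# "unmapped" when no range covers the requested uid.
host_uid_of() {
    printf '%s\n' "$1" | awk -v target="$2" '
        BEGIN { t = target + 0 }
        NF == 3 && $1 <= t && t < $1 + $3 {
            print $2 + (t - $1); found = 1; exit
        }
        END { if (!found) print "unmapped" }'
}

# True (exit 0) when uid 0 inside the container is uid 0 on the host, i.e. a
# container breakout hands the attacker real root. That is the rootful
# docker default; rootless podman maps container root to the invoking user.
container_root_is_host_root() {
    [ "$(host_uid_of "$1" 0)" = "0" ]
}

# Who can talk to the docker daemon's socket? Membership of the docker group
# is root-equivalent on the host, so audit it from /etc/group-style text.
docker_group_members() {
    printf '%s\n' "$1" | awk -F: '$1 == "docker" { print $4; exit }'
}

# Constructed samples (not captured from a real system).
ROOTFUL_MAP='         0          0 4294967295'
ROOTLESS_MAP='         0       1000          1
         1     100000      65536'
SAMPLE_GROUP='root:x:0:
docker:x:999:alice,bob
wheel:x:10:carol'

report() {
    for label in ROOTFUL_MAP ROOTLESS_MAP; do
        eval "map=\$$label"
        if container_root_is_host_root "$map"; then
            echo "$label: container root is host root (rootful)"
        else
            echo "$label: container root is host uid $(host_uid_of "$map" 0) (rootless)"
        fi
    done
    echo "docker group members (root-equivalent): $(docker_group_members "$SAMPLE_GROUP")"
    # Live check of the user namespace this script runs in, when available.
    if [ -r /proc/self/uid_map ]; then
        live=$(cat /proc/self/uid_map)
        echo "this process: uid 0 here is host uid $(host_uid_of "$live" 0)"
    fi
}
report
```

The rootless map shows the audit-log benefit the post mentions: container root is host uid 1000, so anything it does on the host is attributable to that user, and the remaining container uids land in a subordinate range (100000 onward) that belongs to nobody on the host. Running the live check inside a docker container with the default daemon configuration prints host uid 0.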


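Item 9 above (a container as an ordinary systemd service) in concrete form, added as an example that is not part of the original post. The helper below writes a systemd user unit that runs the container in the foreground, so systemd tracks its lifetime directly and journalctl receives its output; podman's own `podman generate systemd` produces a unit of similar shape and is the usual way to get one. The function name, the container name `web` and the nginx image tag are this example's assumptions, and the unit is installed for an unprivileged user, so the container itself runs rootless.

```shell
# Added example, not from the original post or from the podman project.
# Emit a systemd user unit that runs one container in the foreground.
container_unit() {
    name=$1    # container name, e.g. web
    image=$2   # fully qualified image, e.g. docker.io/library/nginx:1.19
    shift 2    # remaining args are extra `podman run` options (ports, volumes)
    cat <<EOF
[Unit]
Description=Podman container ${name}
After=network-online.target

[Service]
Type=simple
# Remove any stale container left by an unclean shutdown before starting.
ExecStartPre=-/usr/bin/podman rm -f ${name}
# --rm: the unit, not a leftover container, is the source of truth for what runs.
ExecStart=/usr/bin/podman run --rm --name ${name} $* ${image}
ExecStop=/usr/bin/podman stop -t 10 ${name}
Restart=on-failure

[Install]
WantedBy=default.target
EOF
}

# Install and manage it with the familiar tooling, all as a normal user:
#   mkdir -p ~/.config/systemd/user
#   container_unit web docker.io/library/nginx:1.19 -p 8080:80 \
#       > ~/.config/systemd/user/container-web.service
#   systemctl --user daemon-reload
#   systemctl --user enable --now container-web.service
#   journalctl --user -u container-web.service
#   loginctl enable-linger "$USER"   # keep user services running after logout
container_unit web docker.io/library/nginx:1.19 -p 8080:80
```

Port 8080 is chosen because a rootless container cannot bind privileged ports on the host without extra configuration; that restriction is part of what "no root privileges necessary" buys you.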
