[TriLUG] docker vs podman

Mauricio Tavares via TriLUG trilug at trilug.org
Wed Aug 19 16:37:47 EDT 2020


On Wed, Aug 19, 2020 at 3:39 PM Hrivnak, Michael <mhrivnak at hrivnak.org> wrote:
>
>
>
> On Wed, Aug 19, 2020 at 10:10 AM Mauricio Tavares via TriLUG <trilug at trilug.org> wrote:
>>
>> The list seems to be too quiet, so let me throw some gasoline-laden logs:
>>
>> Podman as replacement of docker
>>
>> Pros:
>> 1. More secure (?) because it does not use a daemon and runs rootless
>
>
> Rootless is a big deal. Many people set up docker to let them run containers as their normal user and then forget that they've effectively enabled passwordless-sudo. Yes it enables you to "docker run foo" without sudo, but the docker daemon doing the work is running as root! https://docs.docker.com/engine/install/linux-postinstall/#manage-docker-as-a-non-root-user
>
> Podman will truly run your container without any root privileges necessary.
>
> An underappreciated perk of being daemonless is that your UID extends into containers, which makes it possible to identify you in the host system's audit log. When things go sideways, that can make a big difference.
>
      How does that affect PCI passthrough?

>> 2. Docker does not support cgroup v2, which podman does
>> 3. Docker has problems running in centos8. Podman comes installed in centos8.
>
>
> I assume that's just because centos8 and RHEL 8 default to cgroups v2? Presumably when docker adds support for cgroups v2 it should work fine.
>
>>
>> 4. Podman can run docker commands
>
>
> "alias docker=podman" goes a long way.
>
>>
>> 5. Docker seems to have issues with firewalld
>> 6. Fedora cheerleaders love podman
>
>
> 7. Rootless container image build. This was a proverbial game changer. It enables you to add container image builds to any normal CI pipeline; no need to install a service that runs as root. You can run "podman build" the same way you run a compiler.
> 8. Adheres to Open Container Initiative standards
> 9. You can use systemd on your host to run a container like any other service. You get the same look and feel while using familiar tooling (systemctl, journalctl, ...), but it's backed by a container.
>
>>
>>
>> Cons:
>> 1. No proper equivalent to docker-compose. podman-compose is not ready
>> for prime time and really is a way to convert compose files into
>> podman pods thingie
>> 2. They would rather you use podman pods instead of docker compose,
>> but by then you are using kubernetes so why not just use kubernetes
>> and save the intermediate step?
>
>
> That's comparing an apple to an industrial-scale orange grove. Running a small number of related containers in a pod using podman is trivial and sometimes useful. Running k8s is anything but trivial. Don't get me wrong; I'm a big fan of k8s and its ability to solve problems at large scale. But if you just need to run a few containers together on a machine, podman or docker is the right tool for the job.
>
> However, it can be convenient to define a Pod in similar ways whether you're running it in k8s or with podman.
>
>>
>> 3. Docker can run in rootless mode
>> https://docs.docker.com/engine/security/rootless/
>
>
> It appears to be "experimental", but it's nice to see them following podman's lead. ;)
>
>>
>>
>> 4. Docker has better docs
>> 5. Fedora cheerleaders love podman
>
>
> 6. Docker has some support for non-linux operating systems, which I guess matters to people who are into that sort of thing...
>
>
>>
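An added illustration of two points made in the thread (not code from either poster): a small Python audit helper that lists docker-group members, who can drive the root-owned daemon through its socket, and translates a UID inside a rootless podman container to the host UID that the kernel, and therefore the host audit log, records. The /etc/group sample, the uid_map sample, the user names and the subuid range are constructed assumptions.

```python
"""Audit helpers for the docker-group and rootless-UID points above."""
from typing import List, Optional, Tuple

# Constructed /etc/group content for this example.
SAMPLE_GROUP_FILE = """root:x:0:
wheel:x:10:alice
docker:x:984:alice,bob
users:x:100:
"""

# Constructed /proc/<pid>/uid_map as read from inside a rootless podman
# container whose host user is UID 1000 with a /etc/subuid range at 100000.
# Columns: <uid inside the namespace> <uid outside> <count>
SAMPLE_UID_MAP = """         0       1000          1
         1     100000      65536
"""


def docker_group_members(group_file: str) -> List[str]:
    """Return the users in the 'docker' group. Each of them can reach the
    root-owned daemon via its socket, which is root-equivalent access."""
    for line in group_file.splitlines():
        name, _pw, _gid, members = line.split(":", 3)
        if name == "docker":
            return [m for m in members.split(",") if m]
    return []


def parse_uid_map(text: str) -> List[Tuple[int, int, int]]:
    """Parse the (inside, outside, count) triples of a uid_map file."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3:
            rows.append(tuple(int(f) for f in fields))
    return rows


def host_uid_for(container_uid: int,
                 uid_map: List[Tuple[int, int, int]]) -> Optional[int]:
    """Translate a UID seen inside the container to the host UID that the
    kernel records. Returns None for an unmapped UID (the overflow uid)."""
    for inside, outside, count in uid_map:
        if inside <= container_uid < inside + count:
            return outside + (container_uid - inside)
    return None
```

Container root (UID 0) resolves to the host user's own UID, which is why a rootless podman process is attributable to that user in the host audit log.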