[TriLUG] docker vs podman

Mauricio Tavares via TriLUG trilug at trilug.org
Wed Aug 19 17:51:08 EDT 2020


I should have not hit send so fast...

On Wed, Aug 19, 2020 at 4:37 PM Mauricio Tavares <raubvogel at gmail.com> wrote:
>
> On Wed, Aug 19, 2020 at 3:39 PM Hrivnak, Michael <mhrivnak at hrivnak.org> wrote:
> >
> >
> >
> > On Wed, Aug 19, 2020 at 10:10 AM Mauricio Tavares via TriLUG <trilug at trilug.org> wrote:
> >>
> >> The list seems to be too quiet, so let me throw some gasoline-laden logs:
> >>
> >> Podman as replacement of docker
> >>
> >> Pros:
> >> 1. More secure (?) because it does not use a daemon and runs rootless
> >
> >
> > Rootless is a big deal. Many people set up docker to let them run containers as their normal user and then forget that they've effectively enabled passwordless-sudo. Yes it enables you to "docker run foo" without sudo, but the docker daemon doing the work is running as root! https://docs.docker.com/engine/install/linux-postinstall/#manage-docker-as-a-non-root-user
> >
> > Podman will truly run your container without any root privileges necessary.

      As I asked when I accidentally sent an incomplete reply, how
does that affect PCI passthrough? Can I still do that? If so, are
there extra abstraction layers being added?

This also reminds me I need to put some time on LXC.

> >
> > An underappreciated perk of being daemonless is that your UID extends into containers, which makes it possible to identify you in the host system's audit log. When things go sideways, that can make a big difference.
> >
      That reminds me of some research I need to do to answer a little
weeble bit of a question I have. Let me make myself a reminder so I
will not forget about it.

>
> >> 2. Docker does not support cgroup v2, which podman does
> >> 3. Docker has problems running in centos8. Podman comes installed in centos8.
> >
> >
> > I assume that's just because centos8 and RHEL 8 default to cgroups v2? Presumably when docker adds support for cgroups v2 it should work fine.

      There is also the issue of docker and firewalld.

> >
> >>
> >> 4. Podman can run docker commands
> >
> > "alias docker=podman" goes a long way.
> >
> >>
> >> 5. Docker seems to have issues with firewalld
> >> 6. Fedora cheerleaders love podman
> >
> >
> > 7. Rootless container image build. This was a proverbial game changer. It enables you to add container image builds to any normal CI pipeline; no need to install a service that runs as root. You can run "podman build" the same way you run a compiler.
> > 8. Adheres to Open Container Initiative standards

      Myth: Docker doesn’t support the OCI specifications work
(https://www.docker.com/blog/demystifying-open-container-initiative-oci-specifications/).
And besides, knowing people who use docker and jenkins together rather
successfully, what is your definition of "any normal CI pipeline?"

> > 9. You can use systemd on your host to run a container like any other service. You get the same look and feel while using familiar tooling (systemctl, journalctl, ...), but it's backed by a container.
> >
      Saying something is good because it integrates well with systemd
is an interesting use of "good"

> >>
> >>
> >> Cons:
> >> 1. No proper equivalent to docker-compose. podman-compose is not ready
> >> for prime time and really is a way to convert compose files into
> >> podman pods thingie
> >> 2. They would rather you use podman pods instead of docker compose,
> >> but by then you are using kubernetes so why not just use kubernetes
> >> and save the intermediate step?
> >
> >
> > That's comparing an apple to an industrial-scale orange grove. Running a small number of related containers in a pod using podman is trivial and sometimes useful. Running k8s is anything but trivial. Don't get me wrong; I'm a big fan of k8s and its ability to solve problems at large scale. But if you just need to run a few containers together on a machine, podman or docker is the right tool for the job.
> >
> > However, it can be convenient to define a Pod in similar ways whether you're running it in k8s or with podman.
> >
      Per https://www.redhat.com/sysadmin/compose-podman-pods the
config file for a pod is surprisingly close to that for a kubernetes
pod. Running kubernetes can be simple or, to use your quote, anything
but trivial *depending* on what you are trying to accomplish. I have
coworkers running kubernetes off their OSX laptops. What is the
difference between that and running podman to run a few pods?

If I want to go for resiliency (when I start thinking pods I want
resiliency, and that means clustering), I can put one kubernetes
cluster together about as quickly as a docker swarm. If you want to
talk about large scale, there are blokes out there who can make a
proper reliable and secure kubernetes cluster. And the online
solutions; we had a talk on trilug
(https://trilug.org/2020/02/06/Feb-13-my-homelab-away-from-home/) that
included when moving to the cloud solution makes sense.

> >>
> >> 3. Docker can run in rootless mode
> >> https://docs.docker.com/engine/security/rootless/
> >
> >
> > It appears to be "experimental", but it's nice to see them following podman's lead. ;)
> >
> >>
> >>
> >> 4. Docker has better docs
> >> 5. Fedora cheerleaders love podman
> >
> >
> > 6. Docker has some support for non-linux operating systems, which I guess matters to people who are into that sort of thing...
> >
      If Microsoft having an entire section of their website
(https://docs.microsoft.com/en-us/virtualization/windowscontainers/)
dedicated to docker containers including providing images is what you
meant by *some* support, then yes, docker offers *some* support for
non-linux operating systems.

> >>


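The point quoted above about the docker group being effectively passwordless sudo can be checked on a host. The script below is an added example, not part of the original thread: it lists every account in a group named "docker", including accounts that have it as their primary group and so never appear in the group's member list. The function name, the sample accounts and the GID 975 are constructed for illustration.

```shell
#!/bin/sh
# Added example: who on this host is root-equivalent via the docker group?

# docker_group_users GROUP_FILE PASSWD_FILE
# Prints, sorted and de-duplicated, every account that belongs to the
# "docker" group, either as a supplementary member (group file, field 4)
# or because docker is its primary group (passwd file, field 4 is the GID).
docker_group_users() {
    awk -F: '
        # Pass 1, group database: remember the docker GID and emit the
        # comma-separated supplementary members.
        pass == 1 && $1 == "docker" {
            gid = $3
            n = split($4, members, ",")
            for (i = 1; i <= n; i++)
                if (members[i] != "") print members[i]
        }
        # Pass 2, passwd database: accounts whose primary GID is the docker
        # GID never show up in the member list above.
        pass == 2 && gid != "" && $4 == gid { print $1 }
    ' pass=1 "$1" pass=2 "$2" | sort -u
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed sample databases, not taken from a real host.
    printf '%s\n' 'root:x:0:' 'wheel:x:10:alice' \
        'docker:x:975:alice,bob' > "$dir/group"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'alice:x:1000:1000::/home/alice:/bin/bash' \
        'bob:x:1001:1001::/home/bob:/bin/bash' \
        'ci:x:1002:975::/home/ci:/bin/sh' \
        'carol:x:1003:1003::/home/carol:/bin/bash' > "$dir/passwd"
    docker_group_users "$dir/group" "$dir/passwd"
    rm -rf "$dir"
}

demo
```

On a real host, save the output of `getent group` and `getent passwd` to files and pass those, so that accounts from LDAP or SSSD are included as well as the local ones.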