Podman - as an alternative to Docker?

Last year, I had a chance to explore podman as an alternative to Docker. Here are some of my thoughts.

Note that some of the content of this post may be outdated.

• docker-ce is not officially supported in Redhat.

  • docker-ee is supported but the pricing is expensive.

• One alternative is to install centos repo for docker. But the support would not be available from Redhat.

• Another alternative would be to use Podman for running and building containers.

• Podman is a daemonless container engine for developing, managing, and running OCI Containers on your Linux System.

• Containers under the control of Podman can either be run by root or by a non-privileged user.

• Podman provides a Docker-compatible command-line front end that can simply alias the Docker CLI, alias docker=podman.

• Podman is a replacement for the Docker CLI, not the Docker engine API. They do have podman varlink for a remote API, but it does not follow the Docker API.

• Podman does not support docker-compose, which needs to communicate with the docker socket.

• Ansible provides docker_container and docker_image modules.

  • You can start docker containers in the remote host using an Ansible script.
  • This also requires the docker socket and does not work with Podman.

• Podman provides an interesting feature called pod. It is similar to a Kubernetes pod.

  • Basically, a pod is a group of containers that run on a single machine and share network, ports etc.
  • All pods have a container caller infra container, which exposes the ports for the pod and sleeps.
  • Containers can be added to a pod and container from a pod can be stopped and restarted once the pod is created as long as the infra container is running.
  • Containers added to a pod cannot expose any ports, since these are exposed by the infra container. If you need to expose any additional ports, you need to remove and recreate a pod.

• Podman provides a podman play command, which allows you to play containers and pods bases on structured text input (yaml file)

  • The podman play kube subcommand allows running pods and containers using a kubernetes yaml.

• Kompose is a tool that allows generating kubernetes yaml through a docker-compose file.

• Unfortunately, podman only allows playing kubernetes yaml generated by podman.

• Podman provides a podman generate kube command that generates the kubernetes yaml from running pods.

  • One can translate docker-compose to a set of docker run commands to start the containers manually, providing all environment variables.
  • If you are running them from inside a pod, then you don’t need to specify ports. In fact, the container won’t start if you try to expose a port from a container inside a pod.
  • Then once all containers are started, one can generate the kubernetes yaml to play it on any machine.

• An interesting feature of docker-compose is that it sets up a single network for your app.

  • What this means is that each container is in the same network and can be referenced by other containers using a hostname set to the container name.

• For a similar behavior using docker run commands, you can create a docker network.

  • This allows containers in the same network to be able to reference each other in a similar fashion.

• Unfortunately, the docker network commands are not supported by Podman yet. Although, there is a feature request for it.

  • For a similar feature in podman, you can give each container a static IP using --ip in podman run. And then use --add-host to provide a hostname to another container.
  • Another alternative is to add all containers to a single pod. Then you will be able to reference all containers using localhost. Although --add-host might still work if you need it.

References:

• https://podman.io/whatis.html

• https://github.com/containers/libpod/

• https://developers.redhat.com/blog/2019/02/21/podman-and-buildah-for-docker-users/

• https://opensource.com/article/18/10/podman-more-secure-way-run-containers

• https://github.com/muayyad-alsadi/podman-compose

• https://www.redhat.com/en/blog/why-red-hat-investing-cri-o-and-podman

• https://developers.redhat.com/blog/2019/01/15/podman-managing-containers-pods/

Comments

[Rich Asay]

Take a look at Singularity with a Docker image running inside. I like Singularity’s sort of glass bottom allowing access to the /mnt/ but still running an image with the benefit of rapid application bundling etc.

[Raphael Habereder]

Interesting, thx for the write-up!
I never had the time to do a comparison of both tools, so your effort is much appreciated!

To me it looks like podman can't completely replace docker as of yet.
I'm excited to see where podman goes with RedHats/IBMs backing.