For most developers, docker is the first tool that comes to their minds for containerization. It is because of broad community support and ease of running. But docker is not the only tool available to manage containers; plenty of other tools are available in the market. In this blog, we will discuss another excellent tool to manage containers called Podman. We will also discuss the difference between podman vs docker and will go over:
- What is docker
- How docker works
- The disadvantage of docker.
- Why do we need a podman?
- Podman vs docker
- Podman and docker commands
- Conclusion
- A few extra tips
Let’s first understand what docker is.
What is docker?
Docker is a tool designed to create, deploy, and run applications using containers. Docker is the most popular open-source project available to manage containers. You can package your application with docker and run them in a loosely isolated environment called a container. Container and very lightweight and contains everything needed to run the application, enabling us to easily share the containers with others without worrying about what is currently installed on the other person’s host.
Now that we have a basic understanding of docker, let’s further understand how docker works with simple architecture.
How does docker works?
Docker contains the following components:
Docker Daemon: It is a background process that persists data into a single folder. Daemon keeps track of containers, images, volumes, service definitions, and secrets.
Docker CLI: A command-line tool to interact with docker.
Registry: A central repository where the docker images are stored.
Docker uses docker CLI to communicate with the docker daemon. A Docker daemon is nothing but a process that is running in the background.
Issue with docker
Following are some of the issues while running docker as a container.
- Docker containers run as a single process. So at any point, if the docker daemon fails, all the subsequent processes will also fail, which makes the docker a single point of failure.
- Root access is required to perform operations in a docker container.
- Another disadvantage of using docker is that as we need root access to run containers, the docker daemon can be a security concern.
All the above issues forced us to look at something beyond docker and explore podman and podman successfully overcame most of the problems associated with docker.
What is Podman?
As per the podman official doc, Podman is a daemonless container engine for developing, managing, and running OCI Containers on your Linux System. In podman, we can run the container either as root or rootless.
If we look closely at the podman architecture, we can quickly identify no daemon process present in the case of podman. Podman directly interacts with the image registry.
Podman vs docker
Podman and docker do the same thing: manage images and containers. Podman has a Docker-compatible API. Hence almost all commands from the Docker CLI are also available in Podman CLI. Both podman and docker have similar syntax; replace docker with podman, and you are ready to roll.
The significant difference between docker and podman lies in their architecture. Docker has a client-server architecture which means you have to use docker CLI, to communicate with the docker daemon. On the other hand, the podman has a daemonless architecture. In podman, there is no common daemon that the CLI tool communicates with. Podman uses systemd to manage containers.
The second difference between podman and docker is that the docker container runs with root privileges. On the other hand, Podman architecture, by contrast, allows you to run the containers under the user starting the container (fork/exec), and this user need not have root access to run containers. Only the particular user running Podman can only see and modify their containers.
The final difference between podman and docker is that since podman containers are running rootless and any attacker hacks a container, this attacker will still have normal user access to the host. While in the case of docker, if a hacker captures any container, he will have root access to the host. So in the case of podman, this adds a natural layer of protection.
Podman vs docker commands
Approx. all the podman and docker commands are similar. Let’s explore some of the docker and podman commands and see the outputs.
Installation
How to Install Podman
For some operating systems, Installing a podman is a bit difficult compared to docker. Please follow this link to install Podman.
How To install Docker
Installation of docker is relatively easy compared to podman, as docker is more mature. Please follow this link to download docker.
Check version
Check the version of docker and podman by simply running the –version command.
Check Podman version
$ podman --version podman version 0.3.2-dev
Check Docker version
➜ ~ docker --version Docker version 20.10.3, build 48d30b5
Pull an image
Pull command to download an image from the registry. It can be a public or private registry, and if the registry is not defined, images are pulled from the public Dockehub repo. In the case of podman, we can set it to pull images from quay.io or the RedHat repo.
Podman pull an image
$ podman pull httpd Trying to pull docker.io/library/httpd:latest... Getting image source signatures Copying blob sha256:69692152171afee1fd341febc390747cfca2ff302f2881d8b394e786af605696 25.89 MB / 25.89 MB [======================================================] 2s Copying blob sha256:7284b4e0cc7b197edc206f815c5b24e67b9ed29abd9bbd8ae4bfdd5540bec6ec 176 B / 176 B [============================================================] 0s Copying blob sha256:3678b2d55ccdc6dcbe11cf1ea518ab7426ab37656d94213f637bd843dc6b6ca4 2.67 MB / 2.67 MB [========================================================] 0s Copying blob sha256:ab492cf0b2a4f47ba02a478521476bf00c2740f444fc658148b7dc919ed64a7f 23.34 MB / 23.34 MB [======================================================] 2s Copying blob sha256:991f7f97a9d859baba12204fea641d5644a2f988246e4554836825b44fcc2bcb 298 B / 298 B [============================================================] 0s Copying config sha256:f3cffeea581b3306a13d80b25a437f73f767b8f27afdb29393b3764b9dfaea69 8.50 KB / 8.50 KB [========================================================] 0s Writing manifest to image destination Storing signatures f3cffeea581b3306a13d80b25a437f73f767b8f27afdb29393b3764b9dfaea69
Docker pull an image
➜ ~ docker pull httpd Using default tag: latest latest: Pulling from library/httpd 69692152171a: Pull complete 7284b4e0cc7b: Pull complete 3678b2d55ccd: Pull complete ab492cf0b2a4: Pull complete 991f7f97a9d8: Pull complete Digest: sha256:e4c2b93c04762468a6cce6d507d94def02ef4dc285278d0d926e09827f4857db Status: Downloaded newer image for httpd:latest docker.io/library/httpd:latest
Verify if images pulled successfully
Docker/podman images command will display all the images present in the system.
Podman verify images
$ podman images REPOSITORY TAG IMAGE ID CREATED SIZE docker.io/library/httpd latest f3cffeea581b 4 days ago 142MB
Docker verify images
➜ ~ docker images REPOSITORY TAG IMAGE ID CREATED SIZE httpd latest f3cffeea581b 4 days ago 138MB
Inspect images
inspect command will display detailed information on one or more images/container
Podman inspect
$ podman inspect docker.io/library/httpd [ { "Id": "f3cffeea581b3306a13d80b25a437f73f767b8f27afdb29393b3764b9dfaea69", "Digest": "sha256:0dbde9c00d906fe47f0f8eee60008d4015d105af53a6f7378594dbdf868c16b2", "RepoTags": [ "docker.io/library/httpd:latest" ], "RepoDigests": [ "docker.io/library/httpd@sha256:0dbde9c00d906fe47f0f8eee60008d4015d105af53a6f7378594dbdf868c16b2" ], ...........<Supressed output>................. ...........<Supressed output>................. ] }, "Labels": null, "Annotations": {} } ]
Docker inspect
➜ ~ docker inspect httpd [ { "Id": "sha256:f3cffeea581b3306a13d80b25a437f73f767b8f27afdb29393b3764b9dfaea69", "RepoTags": [ "httpd:latest" ], "RepoDigests": [ "httpd@sha256:e4c2b93c04762468a6cce6d507d94def02ef4dc285278d0d926e09827f4857db" ], "Parent": "", ...........<Supressed output>................. ...........<Supressed output>................. ] }, "Metadata": { "LastTagTime": "0001-01-01T00:00:00Z" } } ]
Run image
The docker run
command creates
a container layer over the specified image using the specified command. There are so many flags we can add to the run command. Please follow this link to get more information about the run command.
In the below example, we use the -d option to run the container in the background. we are also specifying the -p option to specify ports
Podman Run image
$ podman run -d -p 8080:80 docker.io/library/httpd 1ab6d34646e245b857e306cffabce263819622b772d414109a415cd823d7ce86
Docker Run image
➜ ~ docker run -d -p 8080:80 httpd f98dd3054a446ef8d52712177956413595a7d80cecb9f97ff60926cac31ebadc
Verify container process
We can use the ps command to check the running containers.
Podman ps command
$ podman ps CONTAINER ID IMAGE COMMAND CREATED AT STATUS PORTS NAMES 1ab6d34646e2 docker.io/library/httpd httpd-foreground 2021-05-16 08:13:21 +0000 UTC Up 7 seconds ago 0.0.0.0:808->80/udp, 0.0.0.0:808->80/tcp quizzical_perlman
Docker ps command
➜ ~ docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES f98dd3054a44 httpd "httpd-foreground" 20 seconds ago Up 18 seconds 0.0.0.0:8082->80/tcp charming_poitras
Verify container output
To verify if the container is running as expected, listen to port 8080 and verify the output.
Access Podman container
$ curl localhost:8080 <html><body><h1>It works!</h1></body></html>
Access Docker container
➜ ~ curl localhost:8080 <html><body><h1>It works!</h1></body></html>
Delete a container
The kill command deletes a running container. To delete a container, specify the container id along with the delete command.
Podman delete a container
$ podman kill 1ab6d34646e2 1ab6d34646e245b857e306cffabce263819622b772d414109a415cd823d7ce86
Docker delete a container
➜ ~ docker kill f98dd3054a44 f98dd3054a44
Remove image
To remove an image from the host VM, run the rmi command. rmi command stands for remove images. If you are getting any errors while removing images, pass -f flag to remove the images forcefully.
Podman remove an image
$ podman rmi -f docker.io/library/httpd f3cffeea581b3306a13d80b25a437f73f767b8f27afdb29393b3764b9dfaea69
Docker remove an image
➜ ~ docker rmi -f httpd Untagged: httpd:latest Untagged: httpd@sha256:e4c2b93c04762468a6cce6d507d94def02ef4dc285278d0d926e09827f4857db Deleted: sha256:f3cffeea581b3306a13d80b25a437f73f767b8f27afdb29393b3764b9dfaea69
My opinion on podman vs docker
There is no clear conclusion on whether podman will replace docker or not. I feel both the tools have enough fan base, and both the tools can coexist together. Maybe in the dev/stage server, people will use docker, and in production, they will use podman because it provides more security over docker containers.
Conclusion
I hope you have found this article useful and have learned something. We started with the basics of docker and went deep dive into podman. We also understand the fundamental difference between the two. Finally, We have explored the podman and docker commands. Please do let me know in the comment box.
Happy container exploration:)