podman vs docker

Podman vs docker | which one to choose in 2023

For most developers, docker is the first tool that comes to their minds for containerization. It is because of broad community support and ease of running. But docker is not the only tool available to manage containers; plenty of other tools are available in the market. In this blog, we will discuss another excellent tool to manage containers called Podman. We will also discuss the difference between podman vs docker and will go over:

  • What is docker
  • How docker works
  • The disadvantage of docker.
  • Why do we need a podman?
  • Podman vs docker
  • Podman and docker commands
  • Conclusion
  • A few extra tips

Let’s first understand what docker is.

What is docker?

Docker is a tool designed to create, deploy, and run applications using containers. Docker is the most popular open-source project available to manage containers. You can package your application with docker and run them in a loosely isolated environment called a container. Container and very lightweight and contains everything needed to run the application, enabling us to easily share the containers with others without worrying about what is currently installed on the other person’s host.


Now that we have a basic understanding of docker, let’s further understand how docker works with simple architecture.

How does docker works?

how docker works

Docker contains the following components:

Docker Daemon: It is a background process that persists data into a single folder. Daemon keeps track of containers, images, volumes, service definitions, and secrets.

Docker CLI: A command-line tool to interact with docker.

Registry: A central repository where the docker images are stored.

Docker uses docker CLI to communicate with the docker daemon. A Docker daemon is nothing but a process that is running in the background.

Issue with docker

Following are some of the issues while running docker as a container.

  • Docker containers run as a single process. So at any point, if the docker daemon fails, all the subsequent processes will also fail, which makes the docker a single point of failure.
  • Root access is required to perform operations in a docker container.
  • Another disadvantage of using docker is that as we need root access to run containers, the docker daemon can be a security concern.

All the above issues forced us to look at something beyond docker and explore podman and podman successfully overcame most of the problems associated with docker.

What is Podman?

what is podman

As per the podman official doc, Podman is a daemonless container engine for developing, managing, and running OCI Containers on your Linux System. In podman, we can run the container either as root or rootless.

If we look closely at the podman architecture, we can quickly identify no daemon process present in the case of podman. Podman directly interacts with the image registry.

Podman vs docker

Podman and docker do the same thing: manage images and containers. Podman has a Docker-compatible API. Hence almost all commands from the Docker CLI are also available in Podman CLI. Both podman and docker have similar syntax; replace docker with podman, and you are ready to roll.

The significant difference between docker and podman lies in their architecture. Docker has a client-server architecture which means you have to use docker CLI, to communicate with the docker daemon. On the other hand, the podman has a daemonless architecture. In podman, there is no common daemon that the CLI tool communicates with. Podman uses systemd to manage containers.

The second difference between podman and docker is that the docker container runs with root privileges. On the other hand, Podman architecture, by contrast, allows you to run the containers under the user starting the container (fork/exec), and this user need not have root access to run containers. Only the particular user running Podman can only see and modify their containers.

The final difference between podman and docker is that since podman containers are running rootless and any attacker hacks a container, this attacker will still have normal user access to the host. While in the case of docker, if a hacker captures any container, he will have root access to the host. So in the case of podman, this adds a natural layer of protection.

Podman vs docker commands

Approx. all the podman and docker commands are similar. Let’s explore some of the docker and podman commands and see the outputs.

Installation

How to Install Podman

For some operating systems, Installing a podman is a bit difficult compared to docker. Please follow this link to install Podman.

How To install Docker

Installation of docker is relatively easy compared to podman, as docker is more mature. Please follow this link to download docker.

Check version

Check the version of docker and podman by simply running the –version command.

Check Podman version

$ podman --version
podman version 0.3.2-dev

Check Docker version

➜  ~ docker --version
Docker version 20.10.3, build 48d30b5

Pull an image

Pull command to download an image from the registry. It can be a public or private registry, and if the registry is not defined, images are pulled from the public Dockehub repo. In the case of podman, we can set it to pull images from quay.io or the RedHat repo.

Podman pull an image

$ podman pull httpd
Trying to pull docker.io/library/httpd:latest...
Getting image source signatures
Copying blob sha256:69692152171afee1fd341febc390747cfca2ff302f2881d8b394e786af605696
 25.89 MB / 25.89 MB [======================================================] 2s
Copying blob sha256:7284b4e0cc7b197edc206f815c5b24e67b9ed29abd9bbd8ae4bfdd5540bec6ec
 176 B / 176 B [============================================================] 0s
Copying blob sha256:3678b2d55ccdc6dcbe11cf1ea518ab7426ab37656d94213f637bd843dc6b6ca4
 2.67 MB / 2.67 MB [========================================================] 0s
Copying blob sha256:ab492cf0b2a4f47ba02a478521476bf00c2740f444fc658148b7dc919ed64a7f
 23.34 MB / 23.34 MB [======================================================] 2s
Copying blob sha256:991f7f97a9d859baba12204fea641d5644a2f988246e4554836825b44fcc2bcb
 298 B / 298 B [============================================================] 0s
Copying config sha256:f3cffeea581b3306a13d80b25a437f73f767b8f27afdb29393b3764b9dfaea69
 8.50 KB / 8.50 KB [========================================================] 0s
Writing manifest to image destination
Storing signatures
f3cffeea581b3306a13d80b25a437f73f767b8f27afdb29393b3764b9dfaea69

Docker pull an image

➜  ~ docker pull httpd
Using default tag: latest
latest: Pulling from library/httpd
69692152171a: Pull complete
7284b4e0cc7b: Pull complete
3678b2d55ccd: Pull complete
ab492cf0b2a4: Pull complete
991f7f97a9d8: Pull complete
Digest: sha256:e4c2b93c04762468a6cce6d507d94def02ef4dc285278d0d926e09827f4857db
Status: Downloaded newer image for httpd:latest
docker.io/library/httpd:latest

Verify if images pulled successfully

Docker/podman images command will display all the images present in the system.

Podman verify images

$ podman images
REPOSITORY                TAG      IMAGE ID       CREATED      SIZE
docker.io/library/httpd   latest   f3cffeea581b   4 days ago   142MB

Docker verify images

➜  ~ docker images
REPOSITORY                    TAG        IMAGE ID       CREATED        SIZE
httpd                         latest     f3cffeea581b   4 days ago     138MB

Inspect images

inspect command will display detailed information on one or more images/container

Podman inspect

$ podman inspect docker.io/library/httpd
[
    {
        "Id": "f3cffeea581b3306a13d80b25a437f73f767b8f27afdb29393b3764b9dfaea69",
        "Digest": "sha256:0dbde9c00d906fe47f0f8eee60008d4015d105af53a6f7378594dbdf868c16b2",
        "RepoTags": [
            "docker.io/library/httpd:latest"
        ],
        "RepoDigests": [
            "docker.io/library/httpd@sha256:0dbde9c00d906fe47f0f8eee60008d4015d105af53a6f7378594dbdf868c16b2"
        ],
  ...........<Supressed output>.................
  ...........<Supressed output>.................
            ]
        },
        "Labels": null,
        "Annotations": {}
    }
]

Docker inspect

➜  ~ docker inspect httpd
[
    {
        "Id": "sha256:f3cffeea581b3306a13d80b25a437f73f767b8f27afdb29393b3764b9dfaea69",
        "RepoTags": [
            "httpd:latest"
        ],
        "RepoDigests": [
            "httpd@sha256:e4c2b93c04762468a6cce6d507d94def02ef4dc285278d0d926e09827f4857db"
        ],
        "Parent": "",
   ...........<Supressed output>.................
  ...........<Supressed output>.................
            ]
        },
        "Metadata": {
            "LastTagTime": "0001-01-01T00:00:00Z"
        }
    }
]

Run image

The docker run command creates a container layer over the specified image using the specified command. There are so many flags we can add to the run command. Please follow this link to get more information about the run command.

In the below example, we use the -d option to run the container in the background. we are also specifying the -p option to specify ports

Podman Run image

$ podman run -d -p 8080:80 docker.io/library/httpd
1ab6d34646e245b857e306cffabce263819622b772d414109a415cd823d7ce86

Docker Run image

➜  ~ docker run -d -p 8080:80 httpd
f98dd3054a446ef8d52712177956413595a7d80cecb9f97ff60926cac31ebadc

Verify container process

We can use the ps command to check the running containers.

Podman ps command

$ podman ps
CONTAINER ID   IMAGE                     COMMAND            CREATED AT                      STATUS             PORTS                                      NAMES
1ab6d34646e2   docker.io/library/httpd   httpd-foreground   2021-05-16 08:13:21 +0000 UTC   Up 7 seconds ago   0.0.0.0:808->80/udp, 0.0.0.0:808->80/tcp   quizzical_perlman

Docker ps command

➜  ~ docker ps
CONTAINER ID   IMAGE     COMMAND              CREATED          STATUS          PORTS                  NAMES
f98dd3054a44   httpd     "httpd-foreground"   20 seconds ago   Up 18 seconds   0.0.0.0:8082->80/tcp   charming_poitras

Verify container output

To verify if the container is running as expected, listen to port 8080 and verify the output.

Access Podman container

$ curl localhost:8080
<html><body><h1>It works!</h1></body></html>

Access Docker container

➜  ~ curl localhost:8080
<html><body><h1>It works!</h1></body></html>

Delete a container

The kill command deletes a running container. To delete a container, specify the container id along with the delete command.

Podman delete a container

$ podman kill 1ab6d34646e2
1ab6d34646e245b857e306cffabce263819622b772d414109a415cd823d7ce86

Docker delete a container

➜  ~ docker kill f98dd3054a44
f98dd3054a44

Remove image

To remove an image from the host VM, run the rmi command. rmi command stands for remove images. If you are getting any errors while removing images, pass -f flag to remove the images forcefully.

Podman remove an image

$ podman rmi -f docker.io/library/httpd
f3cffeea581b3306a13d80b25a437f73f767b8f27afdb29393b3764b9dfaea69

Docker remove an image

➜ ~ docker rmi -f httpd
Untagged: httpd:latest
Untagged: httpd@sha256:e4c2b93c04762468a6cce6d507d94def02ef4dc285278d0d926e09827f4857db
Deleted: sha256:f3cffeea581b3306a13d80b25a437f73f767b8f27afdb29393b3764b9dfaea69

My opinion on podman vs docker

There is no clear conclusion on whether podman will replace docker or not. I feel both the tools have enough fan base, and both the tools can coexist together. Maybe in the dev/stage server, people will use docker, and in production, they will use podman because it provides more security over docker containers.

Conclusion

I hope you have found this article useful and have learned something. We started with the basics of docker and went deep dive into podman. We also understand the fundamental difference between the two. Finally, We have explored the podman and docker commands. Please do let me know in the comment box.

Happy container exploration:)

More to read

podman rootless

podman commands

Docker complete tutorial

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top