
Why Choose Podman Over Docker? A Complete Guide to Daemonless Containers

This article explains what Podman is, highlights its key differences from Docker—including daemon‑less operation and rootless security—covers installation, configuration, common commands for managing containers, images, volumes, and networking, and provides practical examples for using Podman as a Docker‑compatible, cloud‑native container runtime.

MaGe Linux Operations

Podman is an open‑source container runtime that runs on most Linux platforms and provides Docker‑compatible functionality without requiring a daemon or root privileges.

It can manage any OCI‑compliant container or image and offers a Docker‑compatible command‑line interface.

Official site: https://podman.io/

Key Differences Between Podman and Docker

Docker requires a daemon (dockerd) that runs as root, creating security risks.

Podman runs without a daemon and does not need root, making its architecture simpler.

Docker’s runtime chain involves dockerd → containerd → containerd‑shim → runC.

Podman calls the OCI runtime (runC) directly via conmon, eliminating the need for dockerd.

In Podman, conmon functions similarly to Docker’s containerd‑shim.

Usage Differences

Podman aims for Docker compatibility, so most commands are similar. System builders notice differences in process models and debugging methods, while end users can alias Docker to Podman for seamless transition.

Container Commands

podman run           Create and start a container
podman start         Start a container
podman ps            List containers
podman stop          Stop a container
podman restart       Restart a container
podman attach        Attach to a container
podman exec          Execute a command in a container
podman export        Export a container
podman import        Import a container snapshot
podman rm            Remove a container
podman logs          View container logs

Image Commands

podman search        Search for images
podman pull          Pull an image
podman images        List images
podman image ls      List images (alias)
podman rmi           Remove an image
podman image rm      Remove an image (alias)
podman save          Export an image
podman load          Import an image
podman build         Build an image from a Containerfile or Dockerfile
Containerfile        Build file using the usual Dockerfile instructions (COPY, ADD, CMD, ENV, EXPOSE); podman build falls back to a Dockerfile if no Containerfile is present

Installing Podman

# yum -y install podman

Configuring Registries (Accelerators)

# Version 7 package (registries.conf v1 format)
vim /etc/containers/registries.conf
registries = ["docker.io"]
[[docker.io]]
location = "j3m2itm3.mirror.aliyuncs.com"

# Version 8 package (registries.conf v2 format)
# prefix/location rewrites every pull of docker.io/... to the mirror,
# so only point this at a registry you trust; podman info shows the result.
unqualified-search-registries = ["docker.io"]
[[registry]]
prefix = "docker.io"
location = "j3m2itm3.mirror.aliyuncs.com"

Basic Podman Operations

# Run a container
podman run -d --name httpd docker.io/library/httpd

# List running containers
podman ps

# Inspect the latest container
podman inspect -l | grep IPAddress

# View logs of the latest container
podman logs --latest

# Show processes inside a container
podman top httpd

# Stop the latest container
podman stop --latest

# Remove the latest container
podman rm --latest

Building and Pushing an Image

# Build image
podman build -t nginx .

# Tag image for Docker Hub
podman tag docker.io/library/nginx:latest docker.io/1314444/test:latest

# Login to Docker Hub
podman login docker.io
Username: 1314444
Password: ********
Login Succeeded!

# Push image
podman push docker.io/1314444/test:latest

Alias for Docker Compatibility

# Add alias
echo "alias docker=podman" >> ~/.bashrc
source ~/.bashrc
# Alternatively, the podman-docker package installs a docker wrapper script
# so that scripts and other users' shells pick it up without an alias.

Rootless Operation and cgroup v2

# Install crun (OCI runtime supporting cgroup v2)
yum -y install crun

# Edit containers.conf to use crun
vi /usr/share/containers/containers.conf
# Under [engine], uncomment and set runtime = "crun"
# Note: /usr/share/containers/containers.conf holds the packaged defaults and
# is replaced on package updates; the same setting placed in
# /etc/containers/containers.conf (or ~/.config/containers/containers.conf for
# one rootless user) overrides it and survives updates.

Installing slirp4netns and fuse‑overlayfs

# Install networking and overlay tools
yum -y install slirp4netns      # user-mode networking for rootless containers
yum -y install fuse-overlayfs   # overlay storage without root (kernels older than 5.11)

# Enable fuse-overlayfs in storage.conf
vi /etc/containers/storage.conf
# Under [storage.options.overlay]:
mount_program = "/usr/bin/fuse-overlayfs"
# On kernel 5.11 or newer, rootless Podman can use native overlayfs and this
# setting is not required.

Subuid/Subgid Configuration for Rootless Users

# Install shadow-utils to manage subuid/subgid
yum -y install shadow-utils

# Add a user and view mappings (useradd allocates a subordinate range automatically)
useradd zz
cat /etc/subuid   # zz:100000:65536
cat /etc/subgid   # zz:100000:65536

# Extend ranges if needed; the new range must not overlap any other user's range
usermod --add-subuids 200000-201000 --add-subgids 200000-201000 zz

Key Configuration Files

The main files are containers.conf, storage.conf, and registries.conf. Each is read from up to three locations, in order: /usr/share/containers (the packaged defaults), /etc/containers (system-wide overrides) and ~/.config/containers (per-user overrides, used by rootless Podman), with settings in later files overriding earlier ones.
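The precedence rule above is easy to get wrong when a runtime setting is edited in the packaged file but also set elsewhere. The script below, an added example rather than code from the article, lists the containers.conf chain and reports which file wins for a given key. CONTAINERS_ROOT is an assumption of this script only (a prefix so it can be exercised against a scratch tree); Podman has no such setting.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): show which containers.conf
# files Podman layers and which one wins for a given key. Podman reads, lowest
# precedence first:
#   /usr/share/containers/containers.conf          package defaults
#   /etc/containers/containers.conf                system-wide overrides
#   $XDG_CONFIG_HOME/containers/containers.conf    per-user (rootless) overrides,
#                                                  default ~/.config/containers/
# CONTAINERS_ROOT is an assumption of this script only (a prefix so it can be
# exercised against a scratch tree); Podman has no such setting.

conf_chain() {
    root=${CONTAINERS_ROOT:-}
    printf '%s\n' \
        "$root/usr/share/containers/containers.conf" \
        "$root/etc/containers/containers.conf" \
        "${XDG_CONFIG_HOME:-$HOME/.config}/containers/containers.conf"
}

# effective_setting KEY -> value of KEY from the highest-precedence file that
# sets it. Quoted TOML strings are unquoted; commented-out lines are ignored,
# which is why "uncomment and set runtime" matters. Exit 1 if no file sets it.
effective_setting() {
    key=$1
    value=
    for f in $(conf_chain); do
        [ -r "$f" ] || continue
        v=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$f" \
            | sed 's/[[:space:]]*$//' | tail -n 1)
        [ -n "$v" ] && value=$v
    done
    [ -n "$value" ] && printf '%s\n' "$value"
}

echo "containers.conf files, lowest precedence first:"
conf_chain
echo "effective runtime: $(effective_setting runtime || echo '(unset: Podman picks its default)')"
```

Run it as the user who will start containers: for a rootless user the third file is the one that matters, and a value set only in /usr/share is silently shadowed by either of the other two.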

Authentication File

# podman login stores credentials in $XDG_RUNTIME_DIR/containers/auth.json,
# i.e. /run/user/0/containers/auth.json for root (/run/user/<uid> for a rootless user).
# /run is a tmpfs, so the file does not survive a reboot. The "auth" value is
# base64(username:password), not encrypted: keep the file readable only by its owner.
{
  "auths": {
    "registry.fedoraproject.org": {
      "auth": "MTMxNDQ0NDpIMjAxNy0xOA=="
    }
  }
}
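Because the stored value decodes to the plain username and password, the file's permissions are what protect the credential. The following added example (not code from the article) lists which registries have credentials stored without echoing the secrets, and flags a file that group or others can read. The sample auth.json it writes is constructed; its auth value is base64("demo:placeholder").

```shell
#!/usr/bin/env bash
# Added example (not from the original article): audit Podman's auth.json
# without exposing what it holds. Each "auth" value is base64 of
# "username:password", not encrypted, so the file must stay readable only by
# its owner. The sample file written by demo_audit is constructed.

# auth_json_path -> where podman login writes credentials for the current
# user: $XDG_RUNTIME_DIR/containers/auth.json, i.e. /run/user/<uid>/... on a
# tmpfs that is cleared at reboot (/run/user/0 for root).
auth_json_path() {
    printf '%s/containers/auth.json\n' "${XDG_RUNTIME_DIR:-/run/user/$(id -u)}"
}

# audit_auth_json FILE -> prints one registry hostname per line; exit 1 if
# the file is readable by group or others, 2 if it is missing.
audit_auth_json() {
    f=$1
    [ -f "$f" ] || { echo "no auth file at $f" >&2; return 2; }
    # GNU stat first, BSD stat as fallback; octal mode such as 600 or 644
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    # Registry names are the object keys under "auths", i.e. lines shaped like
    #     "registry.example.com": {
    # The "auth" values sit on other lines and are never echoed.
    sed -n 's/^[[:space:]]*"\([^"]*\)"[[:space:]]*:[[:space:]]*{.*/\1/p' "$f" \
        | grep -v '^auths$' || true
    case "$mode" in
        *00) return 0 ;;   # owner-only: 600, 700, ...
        *)   echo "WARNING: $f has mode $mode; group/other can read stored credentials" >&2
             return 1 ;;
    esac
}

# Demo on a constructed auth.json (auth value is base64 of "demo:placeholder").
demo_audit() {
    tmp=$(mktemp -d)
    f=$tmp/auth.json
    cat > "$f" <<'EOF'
{
  "auths": {
    "docker.io": {
      "auth": "ZGVtbzpwbGFjZWhvbGRlcg=="
    },
    "registry.fedoraproject.org": {
      "auth": "ZGVtbzpwbGFjZWhvbGRlcg=="
    }
  }
}
EOF
    chmod 600 "$f"
    echo "registries with stored credentials in $f:"
    audit_auth_json "$f"
    chmod 644 "$f"
    audit_auth_json "$f" >/dev/null || echo "(exit status $? after chmod 644, as expected)"
    rm -rf "$tmp"
}

demo_audit
```

To check the live file, call `audit_auth_json "$(auth_json_path)"` as the user who ran `podman login`; `podman logout --all` removes the entries once they are no longer needed.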

Volumes

When the container is run by root, files it creates in a bind-mounted volume are owned by root on the host. For rootless containers the UID/GID mappings in /etc/subuid and /etc/subgid decide the host owner: UID 0 inside the container maps to the user's own UID, and other container UIDs map into the user's subordinate range, so a file written as container root shows up on the host as owned by that user.

# Create and use a volume as a regular user
su - zz
mkdir ~/data
podman run -it -v "$(pwd)"/data:/data docker.io/library/busybox /bin/sh
# Inside container
cd /data
touch 123
# Outside container
cat ~/data/123
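The ownership seen on the host in the volume walkthrough above follows directly from the subuid mapping described in the Subuid/Subgid section. The script below is an added example, not code from the article: it applies that mapping rule to a constructed subuid line of the same shape as the article's zz:100000:65536 and predicts the host UID for a given container UID, including the unmapped case. The user name and UIDs are constructed sample data.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): predict which host UID a file
# gets when it is created inside a rootless Podman container and written to a
# bind-mounted volume. The mapping rule is the one a rootless container's
# /proc/self/uid_map expresses:
#   container UID 0            -> the invoking user's own UID
#   container UID 1..count     -> subuid start .. start+count-1
#   any other container UID    -> unmapped; the kernel shows it as the
#                                 overflow ID 65534 ("nobody")
# The user name, UIDs and subuid line below are constructed sample data.

# subuid_entry_for NAME FILE -> the "name:start:count" line for NAME in a
# /etc/subuid-format file (first match); non-zero exit if absent.
subuid_entry_for() {
    grep -m1 "^$1:" "$2"
}

# host_uid_for USER_UID CONTAINER_UID SUBUID_LINE -> host UID on stdout.
# Exit status 1 means the container UID is outside the user's mapping.
host_uid_for() {
    user_uid=$1
    ctr_uid=$2
    rest=${3#*:}            # strip "name:"
    start=${rest%%:*}       # first remaining field: start of the range
    count=${rest#*:}        # second remaining field: size of the range

    if [ "$ctr_uid" -eq 0 ]; then
        echo "$user_uid"
    elif [ "$ctr_uid" -ge 1 ] && [ "$ctr_uid" -le "$count" ]; then
        echo $(( start + ctr_uid - 1 ))
    else
        echo 65534
        return 1
    fi
}

# Demo on a constructed subuid file (same shape as the article's "zz:100000:65536"),
# for a user whose own UID is assumed to be 1000.
demo_uid_mapping() {
    tmp=$(mktemp -d)
    printf 'zz:100000:65536\n' > "$tmp/subuid"
    line=$(subuid_entry_for zz "$tmp/subuid")
    for ctr_uid in 0 1 1000 65536 70000; do
        if host=$(host_uid_for 1000 "$ctr_uid" "$line"); then
            printf 'container uid %-6s -> host uid %s\n' "$ctr_uid" "$host"
        else
            printf 'container uid %-6s -> unmapped (host sees %s)\n' "$ctr_uid" "$host"
        fi
    done
    rm -rf "$tmp"
}

demo_uid_mapping
```

The same rule explains the `touch 123` result above: the busybox shell runs as container UID 0, so the host shows the file owned by zz, while an image whose process runs as, say, UID 1000 would leave files owned by host UID 100999, which zz can neither read nor delete without `podman unshare`.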

Port Mapping Restrictions

Rootless users cannot bind privileged ports (<1024) by default. To allow binding to port 80, add net.ipv4.ip_unprivileged_port_start=80 to /etc/sysctl.conf and reload sysctl. Note that this lowers the threshold for every unprivileged process on the host, not only for Podman, so set it no lower than the lowest port you actually need.

# Allow privileged ports for rootless users
echo 'net.ipv4.ip_unprivileged_port_start=80' >> /etc/sysctl.conf
sysctl -p
# Now you can map port 80
podman run -d -p 80:80 httpd

In summary, Podman provides a daemon‑less, rootless, Docker‑compatible environment for building, running, and sharing containers, with extensive configuration options for registries, storage, and user namespaces, making it a powerful tool for modern cloud‑native workflows.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Written by

MaGe Linux Operations

Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
