Why Choose Podman Over Docker? A Deep Dive into Daemonless Containers
This article explains what Podman is, highlights its daemon‑less, rootless architecture compared with Docker, details key differences, provides common command references, installation steps, configuration tips, and practical usage examples for managing containers and images on Linux systems.
Hello everyone, I’m your friend the architect who writes code and poetry.
What is Podman?
Podman is an open‑source container runtime project that works on most Linux platforms. It offers functionality very similar to Docker but does not require any daemon to run on your system and can operate without root privileges.
Podman can manage and run any container or image that complies with the OCI (Open Container Initiative) specifications and provides a Docker‑compatible command‑line front‑end for handling Docker images.
Podman official site: https://podman.io/
What are the main differences between Podman and Docker?
Docker's traditional setup depends on a long-running daemon, dockerd, that runs as root; anyone who can talk to its socket can start a privileged container and is effectively root on the host. (Docker has offered a rootless mode since 20.10, but the daemon model stays.)
Podman has no daemon and can run entirely as an unprivileged user: each container is an ordinary child process of whoever started it, so there is no root-owned service to compromise or to hand socket access to.
Docker's runtime path goes through several daemons (dockerd, containerd, containerd-shim) before it reaches the OCI runtime, runc.
Podman forks the OCI runtime (runc or crun) directly; a small per-container monitor process, conmon, plays the role of Docker's containerd-shim, holding the container's stdio and exit status even after the podman command that started it has returned.
How does using Podman differ from Docker?
From a system builder's perspective the installed software differs little, but the process model does: there is no daemon, so containers hang off the user's session (or the systemd unit that started them) rather than off dockerd, and anyone used to Docker's debugging habits should look at the tree with pstree to see where podman, conmon and the container's own processes sit. The trade-off is restart handling: with no daemon to bring containers back after a reboot, that job goes to systemd (podman generate systemd writes a unit for an existing container; Podman 4.4 and later also accept Quadlet units) instead of a --restart policy enforced by dockerd.
From a user's perspective Podman's commands are largely compatible with Docker's, covering the container lifecycle (run/start/kill/ps/inspect), local images (images/rmi/build), and registries (login/pull/push). Setting alias docker=podman (or installing the podman-docker package, which ships a docker wrapper script) lets existing scripts run unchanged, with docker.io still serving as the image registry.
Common Podman Commands
Containers
podman run # create and start a container
podman start # start a container
podman ps # list containers
podman stop # stop a container
podman restart # restart a container
podman attach # attach to a container
podman exec # execute a command in a container
podman export # export a container's filesystem as a tar archive
podman import # import a container snapshot as an image
podman rm # remove a container
podman logs # view container logs
Images
podman search # search images
podman pull # pull an image
podman images # list images
podman image ls # list images (alias)
podman rmi # remove an image
podman image rm # remove an image (alias)
podman save # export an image
podman load # import an image
podman build # build an image from a Containerfile or Dockerfile
Containerfile / Dockerfile # image build instructions (FROM, COPY, ADD, CMD, ENV, EXPOSE); Podman reads either file name, using Dockerfile syntax
Deploying Podman
# install podman
# yum -y install podman
Podman Accelerators (Registry Mirrors)
Mirrors are configured in /etc/containers/registries.conf. In the current (v2) format the registry is named in a [[registry]] table and each mirror is attached to it as a [[registry.mirror]] table; the entry below routes pulls of docker.io images through the mirror used in the original article:
# edit /etc/containers/registries.conf
unqualified-search-registries = ["docker.io"]

[[registry]]
prefix = "docker.io"
location = "docker.io"

[[registry.mirror]]
location = "j3m2itm3.mirror.aliyuncs.com"
The older v1 syntax (a registries = [...] list) is deprecated and is not what recent Podman releases expect. A mirror sits in the trust path of every image pulled through it, so when you rely on one, pull by digest (image@sha256:...) or verify signatures rather than trusting a mutable tag alone.
Using Podman
Running a container:
# podman run -d --name httpd docker.io/library/httpd
# podman images
# podman ps
Inspecting a container's metadata (including its IP address):
# podman inspect -l | grep IPAddress
Viewing container logs:
# podman logs --latest
Listing the processes running inside a container (podman top shows processes; use podman stats for CPU and memory usage):
# podman top httpd
Stopping and removing containers:
# podman stop --latest
# podman rm --latest
The -l/--latest flag means "the most recently created container" and is a convenience for interactive use; in scripts, name the container explicitly. Podman also has features with no Docker counterpart, such as the rootless user-namespace setup described below.
Uploading an Image
# podman build -t nginx .
# podman tag localhost/nginx:latest docker.io/1314444/test:latest
# podman login docker.io
# podman push docker.io/1314444/test:latest
An image built with -t nginx is stored locally as localhost/nginx:latest, so that is the name to tag before pushing; tagging docker.io/library/nginx:latest instead would re-publish the upstream nginx image (if it happens to be present locally) rather than your own build. After pushing, the image can be inspected under the name it was pushed as:
# podman inspect docker.io/1314444/test:latest
To pin what you just published, podman push --digestfile FILE writes the pushed manifest digest to FILE; deploy from that digest rather than from the mutable :latest tag.
Configuring User Namespaces and Rootless Operation
# yum -y install crun
# vi /etc/containers/containers.conf
Set the runtime under the [engine] table. Edit the system copy in /etc/containers (or ~/.config/containers/containers.conf for a single user); /usr/share/containers/containers.conf is the packaged default and is overwritten on upgrade, so it is the wrong file to change:
[engine]
runtime = "crun"
# podman run -d --name web -p 80:80 docker.io/library/nginx
# podman inspect web | grep crun
Install slirp4netns and fuse-overlayfs for rootless networking and storage. These are what older kernels and Podman releases need; with kernel 5.11 or newer rootless Podman can use native overlay without fuse-overlayfs, and Podman 5 defaults to pasta instead of slirp4netns for networking:
# yum -y install slirp4netns fuse-overlayfs
# vi /etc/containers/storage.conf
[storage]
driver = "overlay"

[storage.options.overlay]
mount_program = "/usr/bin/fuse-overlayfs"
For a rootless user, a per-user ~/.config/containers/storage.conf takes precedence over the system file.
Configure UID/GID mappings in /etc/subuid and /etc/subgid for non-root users, e.g.:
# useradd zz
# echo "zz:100000:65536" >> /etc/subuid
# echo "zz:100000:65536" >> /etc/subgid
Each user needs a range of at least 65536 IDs that does not overlap any other user's range: overlapping ranges put two users' containers under the same host UIDs and defeat the isolation the user namespace is supposed to provide. (usermod --add-subuids/--add-subgids allocates ranges safely, and useradd does it automatically when login.defs enables SUB_UID_COUNT.) If the user already had containers, run podman system migrate as that user so they pick up the new mapping.
The ping group range sysctl is not needed to create containers; it lets unprivileged users, including processes inside their rootless containers, open ICMP echo sockets, so ping from inside a container works. The range must cover the subordinate GIDs assigned above:
# sysctl -w "net.ipv4.ping_group_range=0 200000"
Volumes
In a rootless container, root (UID 0) inside the container is mapped to the host user who started Podman, and the remaining container UIDs/GIDs are mapped, in order, onto the range that user owns in /etc/subuid and /etc/subgid (container UID 1 becomes the first subordinate ID, UID 2 the second, and so on). So a file written by container root into a bind-mounted host directory shows up owned by the host user, while a file written by, say, UID 1000 inside the container shows up owned by an ID deep in the subordinate range, which nothing on the host can use directly without going through the same mapping (podman unshare opens a shell with that mapping applied).
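To make the mapping concrete, here is an added shell example (not code from the original article) that does two things a practitioner wants before trusting a rootless setup: it parses a constructed stand-in for /etc/subuid and checks that a user's range exists and does not collide with another user's, and it translates container UIDs to host UIDs the way the rootless mapping above works, with and without --userns=keep-id. The user names, the host UID 1000 for zz and the subordinate ranges are assumptions made up for the example; on a real host run the same checks against /etc/subuid itself and the output of id -u.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. It models the rootless
# user-namespace mapping (container root -> the host user, container UID n ->
# the n-th subordinate UID) and the overlap check worth running on /etc/subuid.
# Names, UIDs and ranges below are constructed for the example.

# Constructed stand-in for /etc/subuid. "bob" deliberately overlaps "zz".
SAMPLE_SUBUID='zz:100000:65536
alice:165536:65536
bob:120000:1000'

# subuid_range USER CONTENT: print "start count" for USER, fail if absent.
subuid_range() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '
        $1 == u { print $2, $3; found = 1 }
        END { exit !found }'
}

# subuid_overlaps USER CONTENT: print every other user whose range intersects
# USER's range. Returns 0 when the range is clean, 1 on overlap, 2 if USER has
# no entry at all (podman would then fail to set up the namespace).
subuid_overlaps() {
    local user="$1" content="$2" range start count
    range=$(subuid_range "$user" "$content") || return 2
    set -- $range
    start=$1; count=$2
    printf '%s\n' "$content" | awk -F: -v u="$user" -v s="$start" -v e=$((start + count - 1)) '
        $1 != u {
            os = $2 + 0; oe = $2 + $3 - 1
            if (os <= e && oe >= s) { print $1; bad = 1 }
        }
        END { exit bad ? 1 : 0 }'
}

# container_uid_to_host CUID HUID START COUNT [keep-id]
# Default rootless mapping: 0 -> HUID, n in 1..COUNT -> START+n-1, anything
# else is unmapped and appears as the overflow UID 65534 ("nobody").
# With --userns=keep-id the host user's UID maps to itself, the container UIDs
# below it take the first subordinate IDs, and those above it continue after.
container_uid_to_host() {
    local cuid="$1" huid="$2" start="$3" count="$4" mode="${5:-default}"
    if [ "$mode" = keep-id ]; then
        if [ "$cuid" -eq "$huid" ]; then echo "$huid"; return; fi
        if [ "$cuid" -lt "$huid" ]; then echo $((start + cuid)); return; fi
    elif [ "$cuid" -eq 0 ]; then
        echo "$huid"; return
    fi
    if [ "$cuid" -le "$count" ]; then echo $((start + cuid - 1)); else echo 65534; fi
}

# Walk-through for the article's "zz" user (host UID 1000 is assumed).
if overlaps=$(subuid_overlaps zz "$SAMPLE_SUBUID"); then
    echo "zz: subuid range is clean"
else
    echo "zz: subuid range overlaps with: $overlaps"
fi
for cuid in 0 1 1000 70000; do
    printf 'container uid %-6s -> host uid %s (default), %s (keep-id)\n' "$cuid" \
        "$(container_uid_to_host "$cuid" 1000 100000 65536)" \
        "$(container_uid_to_host "$cuid" 1000 100000 65536 keep-id)"
done
```

The walk-through shows why the ls -l output below reads zz zz: the file was made by container root, which is zz on the host. It also shows the trap the article's paragraph describes: a container process running as UID 1000 writes files owned by host UID 100999, which is not zz and which no ordinary host process can own, so services that drop privileges inside the container need either keep-id or a pre-created directory with matching ownership.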
Example of using a volume as a regular user (here zz):
# podman run -it -v "$(pwd)"/data:/data docker.io/library/busybox /bin/sh
# touch /data/123
# exit
# ls -l data/123
-rw-r--r-- 1 zz zz 0 Dec 13 00:17 123
The file was created by root inside the container, yet on the host it belongs to zz, because container root is zz's own UID. To be the same UID on both sides (for example so that a process which drops privileges to your UID inside the container can still write your files), run with --userns=keep-id, which maps your host UID to the identical UID in the container and starts the process as that user instead of as root:
# podman run -it --name test -v "$(pwd)"/data:/data --userns=keep-id docker.io/library/busybox /bin/sh
Rootless users cannot bind privileged ports (below 1024) by default. Either publish to a port at or above 1024 (for example -p 8080:80, with a reverse proxy in front if port 80 must be public), or lower net.ipv4.ip_unprivileged_port_start. Note that the sysctl is host-wide: setting it to 80 lets every unprivileged process on the machine bind ports 80 through 1023, not only Podman, so prefer the high-port option on shared hosts.
# echo 'net.ipv4.ip_unprivileged_port_start=80' >> /etc/sysctl.conf
# sysctl -p
# podman run -d -p 80:80 docker.io/library/httpd
Source: https://blog.csdn.net/qq_48289488/article/details/121905018