Introduction
In the container ecosystem, Docker has been the reference tool for years. However, growing security concerns and the need to run containers without root privileges have driven the adoption of alternatives. Podman is a native Linux solution that offers an almost identical experience to Docker, but with a rootless, daemon-less architecture that improves isolation and reduces the attack surface.
What is Podman?
Podman (Pod Manager) is an open-source container engine that lets you create, manage and run containers and pods without a central daemon. Each operation runs as a child process of the user who invokes it, so root access is not needed for most tasks. It is designed to be compatible with the OCI (Open Container Initiative) standards and with Docker's images and commands, which eases migration.
Key differences with Docker
- Daemon-less architecture: Podman does not depend on a background process that performs all operations.
- Rootless mode by default: containers run with the privileges of the user who launches them.
- Native pod management: Podman can create and manage pods similar to Kubernetes, something Docker only offers through extensions.
- Command compatibility: most docker subcommands have a direct podman equivalent (e.g., podman run, podman build, podman push).
Main characteristics
- Rootless execution: improves security by preventing a compromised process from obtaining root privileges on the host.
- Pod support: allows several containers to be grouped so that they share network and storage namespaces.
- Image management: works with image registries compatible with Docker Hub, Quay, etc., and can save images in OCI format.
- Systemd integration: containers can be managed as systemd services via podman generate systemd.
- Buildah integration: although Podman focuses on running containers, its sister project Buildah handles building images without needing a daemon.
Installation and first steps
In most modern Linux distributions, Podman is available in the official repositories. For example, on Fedora:
sudo dnf install -y podman
On Ubuntu 22.04 or later:
sudo apt-get update
sudo apt-get install -y podman
Once installed, check the version:
podman --version
Run a test container without root privileges:
podman run --rm -it docker.io/library/hello-world
This command downloads the hello-world image and runs it in an isolated environment, printing the usual welcome message.
Typical use cases
- Local development: developers can run containers on their workstations without adding their user to the docker group, avoiding privilege-escalation risks.
- CI/CD pipelines: many continuous integration systems (GitLab CI, GitHub Actions, Jenkins) support Podman as a runner, taking advantage of its rootless mode to improve security in shared environments.
- Edge computing and IoT: due to its low resource consumption and the absence of a daemon, Podman is well suited to constrained devices where containers must run securely.
- Migrating Docker workloads: thanks to the compatibility of commands and image format, replacing docker with podman in scripts and configuration files is usually enough for a smooth transition.
Security benefits
By running containers without root privileges, Podman significantly reduces the impact of a possible vulnerability inside the container. Even if an attacker manages to escape the container's namespaces, they are still limited by the permissions of the user who launched the process. In addition, because no highly privileged daemon is required, a central point of failure that has historically been attacked is removed.
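As an added example that is not part of the original article, the helper script below covers the two practical points above: the migration step (rewriting docker invocations to podman in existing scripts) and a check that the local Podman is actually running rootless. It assumes sed with -E support and, for rootless_check only, a podman binary on PATH; the sample command lines are constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the article). Helpers for a Docker -> Podman migration
# and for confirming rootless operation. Assumes sed -E (GNU or BSD sed).
set -u

# Replace only the "docker" command token. Word boundaries are approximated by
# the characters that can precede a command (line start, whitespace, ; & | ( )
# and what can follow it (whitespace or end of line), so registry names such as
# docker.io, file names such as Dockerfile and tools such as docker-compose are
# left untouched.
DOCKER_CMD_RE='s/(^|[[:space:];&|(])docker([[:space:]]|$)/\1podman\2/g'

# Rewrite a single shell command line; prints the result.
to_podman() {
  printf '%s\n' "$1" | sed -E "$DOCKER_CMD_RE"
}

# Rewrite a whole script in place, keeping a .bak copy of the original.
migrate_script() {
  sed -E -i.bak "$DOCKER_CMD_RE" "$1"
}

# Ask Podman whether it is rootless and show the user-namespace mapping: uid 0
# inside the container maps to the unprivileged host uid, not to root.
rootless_check() {
  if ! command -v podman >/dev/null 2>&1; then
    echo "podman not installed" >&2
    return 2
  fi
  podman info --format '{{.Host.Security.Rootless}}'   # "true" in rootless mode
  podman unshare cat /proc/self/uid_map                # e.g. "0 1000 1" then the subuid range
}

# Demonstration when run directly (not when sourced by a test harness).
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  to_podman 'docker run --rm -it docker.io/library/hello-world'
  rootless_check || true
fi
```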
Community and ecosystem
Podman is sponsored by Red Hat and is part of the containers project on GitHub, receiving contributions from developers around the world. Its OCI compatibility ensures that images built with Podman can run in any environment that supports the standard, including Kubernetes (via CRI-O or cri-containerd) and public cloud platforms. Official documentation, tutorials and active forums ease adoption for beginners and experienced professionals alike.
Conclusion
Podman represents a natural evolution in Linux container management: it keeps the familiarity of Docker's interface while introducing significant improvements in security and architecture. Its rootless, daemon-less approach makes it an attractive option for developers, system administrators and DevOps teams that want to reduce the attack surface without sacrificing productivity. If you have not tried it yet, installing Podman and running your first container is a simple step towards a more secure and flexible container environment.