cyber-security-resources/docker-and-k8s-security/podman_vs_docker.md
2022-06-08 10:02:50 -04:00

1.4 KiB

Podman vs Docker

  • Docker uses a daemon, an ongoing program running in the background, to create images and run containers.
  • Podman has a daemon-less architecture which means it can run containers under the user starting the container.
  • Docker has a client-server logic mediated by a daemon; Podman does not need the mediator.
  • Podman allows for non-root privileges for containers.
  • Rootless containers are considered safer than containers with root privileges

Podman Rootless?

  • Containers in Podman do not have root access by default, adding a natural barrier between root and rootless levels, improving security.
  • Still, Podman can run both root and rootless containers.

What about Systemd?

  • Without a daemon, Podman needs another tool to manage services and support running containers in the background.
  • Systemd creates control units for existing containers or to generate new ones.
  • Systemd can also be integrated with Podman allowing it to run containers with systemd enabled by default, without any modification.
  • By using systemd, vendors can install, run, and manage their applications as containers since most are now exclusively packaged and delivered this way.

Building images

  • As a self-sufficient tool, Docker can build container images on its own. 
  • Podman requires the assistance of another tool called Buildah, which expresses its specialized nature: it is made for running but not building containers on its own.