Lead Image © sandrobrezger, photocase.com
Managing containers with Podman
Same but Different
When talk turns to containers, most people almost automatically think of the well-known Docker engine. For some time now, however, Podman [1] has been a serious alternative. The project was developed together with CRI-O, an implementation of the Kubernetes Container Runtime Interface (CRI). Podman is not limited to use within a Kubernetes environment, however; you also can use it to run individual containers, and you can even adopt the concept of pods, independent of Kubernetes.
Look Ma, No Daemon
Although the Podman developers have made sure that the Podman command-line tool is almost identical to Docker's, the two container engines are fundamentally different in terms of architecture. Everything in the Docker world is based on the client-server principle, whereas Podman relies on the fork-exec model. When Docker starts a new container with the docker command, the instructions are sent to a daemon running in the background, which in turn forwards the command to start the container with containerd, another Docker framework daemon. Podman, on the other hand, does completely without daemons, creating all containers as child processes of the Podman process.
UID-Based Activity Assignments
Thanks to the Podman architecture, the Linux kernel's audit subsystem can uniquely associate activities taking place inside a container with the user who started the container. As you know, every user who logs on to a system is assigned a unique user identifier (UID) that can be read from the /proc/self/loginuid file:
cat /proc/self/loginuid 1000
The login UID does not change, even if processes are started under a different ID. For example, the following command calls the file as root, but the user's login UID does not
...
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
US / Canada
UK / Australia
Related content
-
Integrating Podman and systemd
With the integration of Podman and systemd, you can put any software inside a container under the control of systemd and see almost no difference between running the service directly on the host or inside a container. -
Run rootless Podman containers as systemd services
Running rootless containers is easy with Podman. With Podman Quadlet files, these containers are seamlessly integrated into systemd services. -
OCI containers with Podman
The Podman alternative to Docker is a daemonless container engine with a run time that executes on request in root or user mode. -
Docker and Podman environments on Windows and Mac machines
Develop container applications on a Windows or Mac system with Docker Desktop or Podman. -
Podman for Non-Root Docker
Podman is the best non-root Docker tool I’ve found. Let me show you why.