Overview
Podman (short for pod manager) is an open source tool for developing, managing, and running containers. Developed by Red Hat® engineers along with the open source community, Podman manages the entire container ecosystem using the libpod library.
Podman’s daemonless and inclusive architecture makes it an accessible, security-focused option for container management. Its accompanying tools and features, such as Buildah and Skopeo, let developers customize their container environments to suit their needs. Developers can also take advantage of Podman Desktop, a graphical user interface (GUI) for using Podman in local environments.
Users can run Podman on various Linux® distributions, such as Red Hat Enterprise Linux, Fedora, CentOS, and Ubuntu.
What are pods?
Pods are groups of containers that run together and share the same resources, similar to Kubernetes pods. Podman manages these pods via a simple command-line interface (CLI) and the libpod library, which provides application programming interfaces (APIs) for managing containers, pods, container images, and volumes. Podman's CLI creates and supports Open Container Initiative (OCI) containers, which are designed to meet industry standards for container runtimes and formats. More advanced building capabilities are available in the related project, Buildah.
Each pod is composed of 1 infra container and any number of regular containers. The infra container keeps the pod running and maintains user namespaces, which isolate containers from the host. The other containers each have a monitor to keep track of their processes and look out for dead containers―nonfunctioning containers that can’t be taken out of the environment because some of their resources are still being used.
What makes Podman different from other container engines?
Podman stands out from other container engines because it’s daemonless, meaning it doesn't rely on a process with root privileges to run containers.
Daemons are processes that run in the background of your system to do the work of running containers without a user interface. Think of daemons as the intermediary communicating between the user and the container itself.
While daemons can be a convenient way to manage your container environment, they can also introduce security vulnerabilities. Many daemons run with root privileges. In Linux systems, the root account acts as a superuser with administrative access (while bypassing the need for admin verification) to read files, install programs, edit applications, and more. This makes daemons an ideal target for hackers who want to gain control of your containers and infiltrate the host system.
Podman cuts out the daemon: regular users can run containers without talking to a root-owned daemon at all, and can run them rootless. By going rootless, users can create, run, and manage containers without requiring processes with admin privileges, making your container environment more accessible while reducing security risks. Additionally, Podman launches each container with a Security-Enhanced Linux (SELinux) label, giving administrators more control over what resources and capabilities are provided to container processes.
How does Podman manage containers?
Users can invoke Podman from the command line to pull containers from a repository and run them. Podman calls the configured container runtime to create the running container. But without a dedicated daemon, Podman uses systemd, the system and service manager for Linux operating systems, to apply updates and keep containers running in the background. By integrating systemd and Podman, you can generate systemd units for your containers and have systemd start and supervise them automatically.
Users can control the automatic starting and managing of their containers through their own repositories on the system or using systemd units. Allowing users to manage their own resources, and running containers rootlessly, can remove the temptation to add privileges like write access to areas of the system that shouldn’t have them. This also ensures that every user has separate sets of containers and images and can use Podman concurrently on the same host without interfering with each other. When users finish their work, they can push changes to a common registry to share their image with others.
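The systemd integration described above, as an added example that is not part of the original page: a rootless user writes a Quadlet .container unit (Podman 4.4 and later) so that systemd --user starts and supervises the container and opts it into podman-auto-update. The unit name, the image registry.example.com/web/app:1.0 and the port are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not Red Hat's or the Podman project's own code.
# Assumes Podman >= 4.4 (Quadlet); image and port are placeholders.

# Build the .container unit text. Quadlet turns NAME.container into NAME.service.
quadlet_unit() {
  name="$1"; image="$2"; port="$3"
  cat <<EOF
[Unit]
Description=$name (rootless, managed by systemd --user)
After=network-online.target

[Container]
Image=$image
ContainerName=$name
PublishPort=$port
# Start with no capabilities; add back only what the workload demonstrably needs.
DropCapability=ALL
NoNewPrivileges=true
# Opt in to podman-auto-update; a failed start after update is rolled back.
AutoUpdate=registry

[Service]
Restart=always
TimeoutStartSec=300

[Install]
WantedBy=default.target
EOF
}

# Write the unit into the per-user Quadlet directory (no root required).
# Usage: install_quadlet <dir-or-empty> <name> <image> <host:container port>
install_quadlet() {
  unit_dir="${1:-$HOME/.config/containers/systemd}"
  mkdir -p "$unit_dir"
  quadlet_unit "$2" "$3" "$4" > "$unit_dir/$2.container"
  printf '%s\n' "$unit_dir/$2.container"
}

# Apply only when explicitly requested and Podman is installed.
if [ -n "${APPLY_QUADLET:-}" ] && command -v podman >/dev/null 2>&1; then
  install_quadlet "" myapp registry.example.com/web/app:1.0 8080:8080
  loginctl enable-linger "$USER"        # keep user units alive after logout
  systemctl --user daemon-reload        # regenerate units from .container files
  systemctl --user start myapp.service  # generated units are started, not enabled
  systemctl --user enable --now podman-auto-update.timer
fi
```

Generated units cannot be enabled with systemctl; the [Install] section in the .container file is what makes the service start at the user's login.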
Podman also deploys a RESTful API (REST API) to manage containers. REST stands for representational state transfer. A REST API is an API that conforms to the constraints of REST architectural style and allows for interaction with RESTful web services. With the REST API, you can call Podman from platforms such as cURL, Postman, Google's Advanced REST client, and many others.
What is Podman Desktop?
Podman Desktop is a GUI for Podman, which provides a central place for developers to work with containers right on their laptop or workstation. Developers can build, push, and pull images and manage Podman resources directly using a GUI that’s consistent across local Linux, Windows, and macOS environments. Podman Desktop also lets developers deliver ready-to-deploy containerized applications to Kubernetes environments.
Podman Desktop supports extension packs, which open up additional capabilities. One example, Podman AI Lab, adds recipes for building applications that work with large language models (LLMs) in a local environment and includes a curated catalog of open source-licensed LLMs. Another example is the Red Hat extension pack for Podman Desktop, which helps developers work with specific Red Hat technologies such as Red Hat OpenShift®.
Podman, Buildah, and Skopeo
Podman is a modular container engine, so it must work alongside tools like Buildah and Skopeo to build and move its containers. With Buildah, you can build containers either from scratch or by using an image as a starting point. Skopeo moves container images between different types of storage systems, allowing you to copy images between registries like docker.io, quay.io, and your internal registry or between different types of storage on your local system. This modular approach to containerization results in a flexible, lightweight environment by reducing overhead and isolating the features you need. Working with containers makes it possible to use smaller, more modular tools that can focus on a single purpose and be updated as often as needed.
Think of Podman, Buildah, and Skopeo as a set of specialized Swiss Army knives. Combined, they can satisfy almost all container use cases. Podman is the biggest of these knives.
Podman and Buildah use runC, the OCI runtime, by default to launch containers. You can use runC to build and run an image, or you can use it to run Docker-formatted images. This Go language-based tool reads a runtime specification, configures the Linux kernel, and eventually creates and starts container processes. With some configuration changes, you can also use Podman with other runtimes such as crun.
Podman vs. Docker
Docker is a containerization technology that allows the creation and use of Linux containers. The main difference between Podman and Docker is Podman’s daemonless architecture. Podman containers have always been rootless, while Docker only recently added a rootless mode to its daemon configuration. Docker is an all-in-1 tool for container creation and management, whereas Podman and its associated tools like Buildah and Skopeo are more specialized for specific aspects of containerization. This makes it possible to customize your environments with only the tools you need.
Podman is a powerful alternative to Docker, but the 2 can also work together. Users can easily switch between them by aliasing Docker to Podman (alias docker=podman) and vice versa. Additionally, an rpm called podman-docker can place a “docker” command in the system application path that calls Podman, for those environments where the “docker” command is needed, easing the transition from Docker. Podman’s CLI is similar to Docker’s, so users who are familiar with one are likely to have success with the other.
Some developers combine Podman and Docker, using Docker during the development stage and transferring their program to Podman in runtime environments.
Podman is best suited for developers running containers without Kubernetes or Red Hat OpenShift Container Platform. For Kubernetes container orchestration, developers can use the open source, community-driven container engine CRI-O.
Why Podman?
Podman changed the container landscape by offering the same high-performance capabilities as leading container engines, but with the flexibility, accessibility, and security features that many development teams are seeking. Podman can help you:
- Manage container images and the full container lifecycle, including running, networking, checkpointing, and removing containers.
- Run and isolate resources for rootless containers and pods.
- Support OCI and Docker images as well as a Docker-compatible CLI.
- Create a daemonless environment to improve security and reduce idle resource consumption.
- Deploy a REST API to support Podman’s advanced functionality.
- Implement checkpoint/restore functionality for Linux containers with Checkpoint/Restore in Userspace (CRIU). CRIU can freeze a running container and save its memory contents and state to disk so that containerized workloads can be restarted faster.
- Automatically update containers. Podman detects if an updated container fails to start and automatically rolls back to the last working version. This provides new levels of reliability for applications.
Red Hat can help
Podman is included with a Red Hat Enterprise Linux subscription so you can run OCI-compliant containers that are built using a trusted, supportable, and reliable universal base image (UBI). Red Hat Enterprise Linux is a standard for running Linux containers in enterprise environments. It allows developers to easily spin up containers, manage deployment, and speed development of new applications. Upgrading your Red Hat Enterprise Linux infrastructure ensures that you're ready to take full advantage of these benefits. With portable applications and containers built on Red Hat Enterprise Linux across open hybrid cloud environments, your organization can remain agile and continue to transform as your goals evolve.
The Red Hat Enterprise Linux web console simplifies the deployment and daily administration of your systems with an easy-to-use web interface. Podman is available as a component of the web console to help you manage containers and images. Monitor how much CPU and memory your containers use by accessing container hosts and monitoring system loads in the web console’s dashboard. The web console also lets you simplify common tasks and complex operations to streamline container management.
By using Ansible Playbooks, Red Hat Ansible® Automation Platform allows you to automate Podman functions like installation, container deployment, and other tasks that frequently consume time and resources.
Podman, Podman Desktop, and other open standards-based container tools make Red Hat Enterprise Linux a powerful container host that delivers production-grade support, stability, and security features as well as a path forward to Kubernetes and Red Hat OpenShift.