Podman (the POD manager) is an open source tool for developing, managing, and running containers on your Linux® systems. Originally developed by Red Hat® engineers along with the open source community, Podman manages the entire container ecosystem using the libpod library.
Podman’s daemonless architecture and first-class support for rootless containers make it a more secure and accessible option for container management, and its companion tools, such as Buildah and Skopeo, let developers customize their container environments to best suit their needs.
Pods are groups of containers that run together and share the same resources, similar to Kubernetes pods. Podman manages these pods via a simple command line interface (CLI) and the libpod library, which provides APIs for managing containers, pods, container images, and volumes. Podman's CLI creates and supports Open Container Initiative (OCI) containers, which are designed to meet industry standards for container runtimes and formats, though more advanced building capabilities are available in the complementary project, Buildah. Users can run Podman on various Linux distributions, such as Red Hat Enterprise Linux, Fedora, CentOS, and Ubuntu.
Each pod is composed of one infra container and any number of regular containers. The infra container keeps the pod alive and holds the pod's shared namespaces open (network, IPC and UTS, plus the user namespace that isolates a rootless pod from the host), so that the other containers can join them. Each regular container is supervised by a small monitor process, conmon, which watches the container's main process, keeps its terminal and log streams open, and records its exit status. Because conmon outlives the podman command that started the container, Podman can later tell which containers have exited or stopped responding without itself being a long-running daemon.
Podman stands out from other container engines because it is daemonless. Daemons are processes that run in the background of your system to do the heavy lifting of running containers without a user interface. Think of daemons as the intermediary communicating between the user and the container itself.
While daemons can be a convenient way to manage your container environment, they also widen the attack surface. Many container daemons run as root. In Linux systems, the root account is the superuser: it can read any file, install programs, mount filesystems, and change any setting without further authorization. Anyone who can talk to a root-owned daemon, for example through its socket, can ask it to perform those actions on their behalf, and a flaw in the daemon is a flaw in a root process. That makes such daemons an attractive target for attackers who want to take control of your containers and pivot to the host system.
Podman cuts out the daemon: a podman command runs as the user who invoked it and talks to the OCI runtime directly, with no root-owned intermediary. Combined with rootless mode, this lets users create, run, and manage containers without any process holding administrative privileges, making the container environment more accessible while reducing security risk. Additionally, on SELinux-enabled hosts Podman launches each container with a Security-Enhanced Linux (SELinux) label, giving administrators control over which host resources a container process may touch even if it escapes its other confinement.
Users can invoke Podman from the command line to pull images from a registry and run them. Podman calls the configured OCI runtime to create the running container. But without a dedicated daemon, something else has to start containers at boot, restart them on failure and drive updates; for that Podman integrates with systemd, the system and service manager on most Linux distributions. Podman can generate systemd unit files for existing containers and pods and, on Podman 4.4 and later, can build units from short declarative Quadlet files, so containers are managed by systemd like any other service.
Users manage their own image stores (under their home directory rather than /var/lib/containers) and their own systemd user units, which control the automatic starting and management of their own containers. Letting users manage their own resources, with their containers running rootlessly, discourages poor practices like making /var/lib/containers world writable or other shortcuts that expose applications to additional security issues. It also ensures that every user has a separate set of containers and images and can use Podman concurrently on the same host without interfering with anyone else. When users are finished with their work, they can push changes to a common registry to share their image with others.
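The procedure described above, as an added example that is not the page's or the Podman project's own code: a Quadlet unit for a rootless container, written into the per-user directory that Quadlet scans, checked for the least-privilege settings a reviewer would expect, and then handed to the user's systemd. The service name `web`, the image, the port and the helper names are this example's assumptions; the Quadlet keys themselves (`Image=`, `PublishPort=`, `DropCapability=`, `NoNewPrivileges=`, `ReadOnly=`, `AutoUpdate=`) are the real ones. The deploy step runs only when you opt in with `PODMAN_DEPLOY=1` on a host that has podman and systemd.

```shell
#!/bin/sh
# Added example (not from the page or the Podman project): run a rootless
# container as a systemd user service via a Quadlet unit.  Quadlet
# (Podman >= 4.4) turns ~/.config/containers/systemd/NAME.container into
# NAME.service at "systemctl --user daemon-reload" time.
# Assumed for illustration: service name "web", the image, port 8080.
set -eu

# Directory Quadlet scans for a user's units; QUADLET_DIR overrides it for testing.
quadlet_dir() {
    printf '%s\n' "${QUADLET_DIR:-$HOME/.config/containers/systemd}"
}

# write_quadlet NAME IMAGE PORT: write NAME.container with a hardened
# [Container] section and print the unit path.
write_quadlet() {
    name=$1 image=$2 port=$3
    dir=$(quadlet_dir)
    mkdir -p "$dir"
    unit="$dir/$name.container"
    cat > "$unit" <<EOF
[Unit]
Description=Rootless $name container managed by Podman and systemd

[Container]
Image=$image
ContainerName=$name
# Rootless: the host port must be >= net.ipv4.ip_unprivileged_port_start (1024 by default)
PublishPort=127.0.0.1:$port:8080
# Least privilege: no capabilities, no privilege escalation, read-only root filesystem
DropCapability=all
NoNewPrivileges=true
ReadOnly=true
# Let "podman auto-update" pull newer images; a failed restart is rolled back
AutoUpdate=registry

[Service]
Restart=on-failure

[Install]
WantedBy=default.target
EOF
    printf '%s\n' "$unit"
}

# unit_has_hardening UNITFILE: 0 only if every setting that keeps the
# container unprivileged is present; use it as a pre-deploy gate.
unit_has_hardening() {
    for key in 'DropCapability=all' 'NoNewPrivileges=true' 'ReadOnly=true'; do
        grep -qx "$key" "$1" || return 1
    done
}

# Deploy only on request, on a host that actually has podman and systemd.
if [ "${PODMAN_DEPLOY:-0}" = 1 ] && command -v podman >/dev/null 2>&1 \
   && command -v systemctl >/dev/null 2>&1; then
    unit=$(write_quadlet web docker.io/nginxinc/nginx-unprivileged:alpine 8080)
    unit_has_hardening "$unit"
    loginctl enable-linger "$(id -un)" || true  # keep user services running after logout
    systemctl --user daemon-reload               # Quadlet generates web.service here
    systemctl --user start web.service
    systemctl --user --no-pager status web.service
fi
```

The unit binds to 127.0.0.1 on purpose: a rootless container has no way to open a privileged port, and a loopback bind keeps an unreviewed service off the network until a reverse proxy is put in front of it. `loginctl enable-linger` is what keeps a user's services alive after the user logs out; without it, systemd tears the user session, and the container, down.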
Podman also provides a REST API for managing containers, served by the podman system service over a Unix socket (or, if you explicitly choose, a TCP port). REST stands for REpresentational State Transfer; a REST API is an application programming interface that follows the REST architectural constraints so that ordinary HTTP clients can drive it. The API has two sets of routes: Docker-compatible ones, so existing Docker clients and tooling work against Podman, and libpod ones that expose Podman-specific features such as pods. With the REST API, you can call Podman from tools such as cURL, Postman, Google's Advanced REST client, and many others. In rootless mode the socket lives in the user's runtime directory and is owned by that user; whoever can write to an engine socket controls every container behind it, so treat socket permissions as you would a credential.
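Calling the API through the socket, as an added example that is not code from the page or the Podman project: a small set of shell helpers that locate the rootless socket, refuse to use a socket that group or other can write to, and issue GET requests with cURL. The version prefix `v4.0.0` and the routes `/libpod/_ping`, `/libpod/info` and `/libpod/containers/json` are real API routes; the helper names and the `PODMAN_SOCK` override are this example's own. The live calls at the bottom run only if a private socket is actually present.

```shell
#!/bin/sh
# Added example (not from the page or the Podman project): use the rootless
# Podman REST API over its Unix socket with curl, after checking that nobody
# but the owner can write to that socket.
# Assumed for illustration: helper names and the PODMAN_SOCK override.
set -eu

# Path of the per-user socket created by "systemctl --user start podman.socket".
# PODMAN_SOCK overrides it, e.g. for "podman system service --time=0 unix:///some/path".
podman_sock() {
    printf '%s\n' "${PODMAN_SOCK:-${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/podman/podman.sock}"
}

# mode_allows_only_owner_write MODE: MODE is an octal permission string as
# printed by "stat -c %a".  Returns 0 when neither group nor other has the
# write bit.  Write access to the engine socket means control of every
# container it runs (and of the host, for a rootful socket).
mode_allows_only_owner_write() {
    perm=$(printf '%s' "$1" | sed 's/.*\(...\)$/\1/')  # drop setuid/sticky prefix
    group=$(printf '%s' "$perm" | cut -c2)
    other=$(printf '%s' "$perm" | cut -c3)
    [ $((group & 2)) -eq 0 ] && [ $((other & 2)) -eq 0 ]
}

# socket_is_private PATH: 0 if PATH exists, is a socket, and only its owner can write.
socket_is_private() {
    [ -S "$1" ] || return 1
    mode_allows_only_owner_write "$(stat -c %a "$1")"
}

# podman_api ROUTE: GET a libpod route (e.g. /libpod/info) through the socket.
# Docker-compatible routes have no /libpod/ prefix and are served by the same
# socket.  "http://d" is a dummy host that curl ignores with --unix-socket.
podman_api() {
    curl -sS --fail --unix-socket "$(podman_sock)" "http://d/v4.0.0$1"
}

# Live calls only where a private socket exists; the helpers stand on their own.
if socket_is_private "$(podman_sock)" 2>/dev/null; then
    podman_api /libpod/_ping; echo                 # prints OK
    podman_api /libpod/info                        # host, storage and security settings
    podman_api '/libpod/containers/json?all=true'  # every container, not just running ones
fi
```

Note that the rootless socket sits under `/run/user/<uid>`, which is itself mode 0700, so the permission check mostly matters when you point `podman system service` at a path of your own choosing or expose the API to other users.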
Podman is a modular container engine, so it must work alongside tools like Buildah and Skopeo to build and move its containers. With Buildah, you can build containers either from scratch or by using an image as a starting point. Skopeo moves container images between different types of storage systems, allowing you to copy images between registries like docker.io, quay.io, and your internal registry or different types of storage on your local system. This modular approach to containerization results in a flexible, lightweight environment by reducing overhead and isolating the features you need to achieve your goals. Smaller, more modular tools also can be evolved more quickly, and each tool can focus on a single purpose.
Think of Podman, Buildah and Skopeo as a set of specialized Swiss Army knives that combined can meet pretty much all container use cases. Podman is the biggest of these knives.
Podman and Buildah hand the actual work of creating a container to an OCI runtime. Historically the default has been runC, a Go tool that reads an OCI runtime specification, configures Linux kernel namespaces, cgroups and other isolation features accordingly, and finally creates and starts the container processes; with it you can run images built locally as well as Docker-formatted images. Newer Fedora and Red Hat Enterprise Linux releases ship crun, a lighter runtime written in C, as the default instead. Whichever is installed by default, you can switch runtimes by setting the runtime option in the [engine] section of containers.conf or by passing --runtime on the podman command line.
Docker is a containerization technology that enables the creation and use of Linux containers. The main difference between Podman and Docker is Podman’s daemonless architecture. Podman has supported rootless containers since its early releases, whereas Docker's rootless mode for its daemon was added later. Docker is an all-in-one tool for container creation and management, whereas Podman and its associated tools like Buildah and Skopeo are more specialized for specific aspects of containerization, allowing you to customize according to what you need in your cloud-native applications.
Podman is a powerful alternative to Docker, but the two can also work together. Users can easily switch between them by aliasing Docker to Podman (alias docker=podman) and vice versa. Additionally, the podman-docker package installs a docker command on the system PATH that simply calls Podman, for environments and scripts that expect the docker command, easing the transition from Docker. Podman’s CLI mirrors the Docker CLI closely, and users who are familiar with one are likely to have success with the other.
Some developers leverage Podman and Docker together by using Docker during the development stage and transferring their program to Podman in runtime environments to benefit from its heightened security.
Podman is best suited for developers running containers without Kubernetes or OpenShift Container Platform. CRI-O is an open source, community-driven container engine built for Kubernetes container orchestration, including distributions such as Red Hat OpenShift® Container Platform.
Podman changed the container landscape by offering the same high-performance capabilities as leading container engines but with the flexibility, accessibility, and enhanced security that many development teams today are seeking. Podman can help you:
- Manage container images and the full container lifecycle, including running, networking, checkpointing, and removal.
- Run and isolate resources for rootless containers and pods.
- Support OCI and Docker images as well as a Docker-compatible CLI.
- Create a daemonless environment, improving security and reducing idle resource consumption.
- Deploy a REST API to support Podman’s advanced functionality.
- Implement checkpoint/restore functionality for Linux containers with checkpoint/restore in userspace (CRIU). CRIU can freeze a running container and save its memory contents and state to disk so that containerized workloads can be restarted faster.
- Automatically update containers. For containers that run under systemd units and carry the io.containers.autoupdate label, podman auto-update pulls newer images and restarts the units; if an updated container fails to start, Podman rolls the unit back to the last working image. This provides new levels of reliability for applications.
Podman is included with a Red Hat Enterprise Linux subscription so you can run OCI-compliant containers that are built using a trusted, supportable, and reliable universal base image (UBI). Red Hat Enterprise Linux is a standard for running Linux containers in enterprise environments and allows developers to easily spin up containers, manage deployment, and speed development of new applications. With portable applications and containers built on Red Hat Enterprise Linux across the open hybrid cloud, you can remain agile and meet your transformation goals as they evolve.
By using Ansible Playbooks, Red Hat Ansible® Automation Platform allows you to automate Podman functions like installation, container deployment, and other tasks that frequently consume time and resources.
Podman and other open standards-based container tools make Red Hat Enterprise Linux a powerful container host that delivers production-grade support, stability, and security features as well as a path forward to Kubernetes and Red Hat OpenShift.