Category: Systems Administration

Posts on systems administration, Linux, Free Software, and self hosting.

  • Why I switched from Docker to Podman

    I have always been interested in Podman as a rootless alternative to Docker, and yes, I know that Docker can achieve rootless containers, but the daemon/engine is a single point of failure to my understanding. I run mostly RHEL based systems, and SELinux does not like Docker. I have been able to make Docker work with SELinux enforcing, but it is always a pain and I am still wrapping my head around SELinux.


    That is not the main reason I chose to switch; Docker updated to v29.0.0, and it broke several of my containers that rely on the Docker API. I do not use watchtower, but I will link to a bug report that details the issues with the API version detection. I have some containers running in Podman, and they haven’t had an issue since I spun them up, so I decided to take a deeper look into the advantages of Podman.


    Since my deep dive into Podman, my favorite advantage is the incredible integration with systemd. Instead of docker compose files, automatic startup scripts, and update scripts, you can manage your Podman containers through systemd units and container files. You can create an example-application.container file which looks almost exactly like a systemd .service unit file, but it has a [Container] context where you define everything that your docker run command or docker compose file would typically encompass. You can do more though! Podman has an auto-update.timer that I have not looked super deep into, but once I get that running, it will hopefully decrease my dependence on custom cron jobs and scripts that I write, or the need to run an additional container that updates my existing containers (a.k.a. watchtower). You can set these containers to start at boot using systemd: edit the example-application.container file and add WantedBy=multi-user.target in the [Install] context, reload your systemd daemon, enable lingering on your user account, and finally, once systemd has generated the service from the container file, enable it like a regular systemd service:

    systemctl --user enable --now example-application.service


    I love a command that doesn’t require sudo. That brings me to another advantage of Podman; it was built from the ground up to be a rootless service, and it operates on a fork-exec system call model. Podman is designed to essentially ‘clone’ itself as a user’s process so that the user can interact with the container directly instead of needing to interact with a daemon which is running as root. This generally means you don’t need to play around with permissions or run commands as root. Podman being built for Red Hat systems also means the SELinux management can be done easily through Podman. I have spent many hours looking through /var/log/audit and praying that my issues are resolved after a simple auto relabel. It has been very difficult to get a bind mount on an external partition working with SELinux enforcing inside of Docker. Lots of SELinux contexts need to be edited. This process is much simpler in Podman. Make sure you have proper directory permissions on your bind mount, and when mounting the volume to your container simply add the SELinux flag (:z or :Z) to the end of your bind mount:

    [Container]

    Volume=/mnt/drive02/example-application/config:/config:Z

    or

    [Container]

    Volume=/mnt/drive02/example-application/data:/data:z


    Little z tells SELinux that this directory can be accessed by other containers while the big Z tells SELinux to restrict access to this specific container.
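    Putting the [Container], [Install] and :z/:Z pieces above together, here is a complete rootless Quadlet unit as an added example (my own, not a file from the post); the image reference, port, timezone and /mnt/drive02 paths are assumed placeholders.

```ini
# ~/.config/containers/systemd/example-application.container
# Added example of a rootless Quadlet unit. Image name, port and host
# paths are assumed placeholders, not values from the original post.
[Unit]
Description=Example application (rootless Podman via Quadlet)
After=network-online.target
Wants=network-online.target

[Container]
# Fully qualified image reference so pulls and auto-updates are unambiguous.
Image=docker.io/library/nginx:1.27
ContainerName=example-application
PublishPort=8080:80
Environment=TZ=UTC
# :Z = private SELinux label; only this container may read /config.
Volume=/mnt/drive02/example-application/config:/config:Z
# :z = shared SELinux label; other containers may also mount /data.
Volume=/mnt/drive02/example-application/data:/data:z
# Opt this container in to `podman auto-update` (run by podman-auto-update.timer).
AutoUpdate=registry
# Optional hardening that does not depend on the image's contents.
NoNewPrivileges=true

[Service]
Restart=always
# Allow time for the first image pull before systemd declares a start failure.
TimeoutStartSec=900

[Install]
# The user manager has no multi-user.target; default.target is its boot target.
WantedBy=default.target
```

Check what systemd will generate with `/usr/libexec/podman/quadlet -dryrun -user` before running `systemctl --user daemon-reload`, `loginctl enable-linger "$USER"` and `systemctl --user start example-application.service`.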

    Lastly, other users report that SELinux is generally more stable than Docker, which has been the case in my limited experience. I can keep this post updated about the validity of this.


    Sources:

    https://www.redhat.com/en/topics/containers/what-is-podman

    https://www.man7.org/linux/man-pages/man1/systemd.1.html

    https://docs.podman.io/en/latest/markdown/podman-run.1.html

    https://en.wikipedia.org/wiki/Security-Enhanced_Linux

    https://www.youtube.com/watch?v=5WML8gX2F1c

    Thank you to the developers, maintainers, server hosters, documentation owners, and all who are involved in all these open-source projects. I am truly grateful for these projects allowing me the opportunity to study how these applications operate, and I am also thankful for the services they provide at no cost.


    If I got anything wrong or missed anything, please feel free to reach out to me, and I will add an update to this post. I am always looking for chances to improve and sharpen my knowledge.

    Signing off,

    Alex