Docker has become the de facto standard for many IT administrators and does have the lion's share of developer interest today. Yet, Podman offers admins some security advantages over basic Docker due to its ability to run as a nonprivileged user and without a daemon.
Docker and Podman both offer many of the same features, such as their support for Open Container Initiative's (OCI) runtime and image specifications, as well as their ability to map commands to create and manage containers. Yet, there are several differences between Docker and Podman, including security concerns and reliance on daemon programs.
Podman develops, manages and runs OCI containers without a daemon, and it must run on top of a Linux OS. Containers can be run either as root or in rootless mode. Docker uses a daemon, a persistent background process that handles all container management duties on the host. Docker relies on a client-server architecture in which the daemon fills the role of the server and clients communicate with it through the command-line interface (CLI).
Docker runs just fine using a native Windows daemon to launch either Windows- or Linux-based images. Podman requires version 2 of the Windows Subsystem for Linux (WSL2) to function properly. As a result, admins must have the May 2020 Windows 10 update to get started with Podman, because this was the first release to include WSL2.
A significant difference between Docker and Podman involves security. The Docker daemon requires root privileges, which presents a security challenge when it comes to granting root privileges to users. It also means that an improperly configured Docker container could potentially access the host filesystem without restriction. Admins can reduce this risk by following some basic best practices, such as only using container images from trusted vendors, but the possibility still exists.
Admins can, however, launch containers as a nonprivileged user with Podman, which gives Podman an advantage over Docker in locked-down environments. That said, as a nonprivileged user, admins won't be able to execute any commands that require root privileges on the host system. This includes mapping privileged port numbers below 1024 on the host, such as the default HTTP port 80.
Both Docker and Podman use a CLI as the primary management interface, but Docker's CLI talks to the daemon through a REST API endpoint, and older versions exposed that endpoint on a TCP socket bound to the localhost IP address. This presented a potential attack surface for cross-site request forgery. Docker addressed this vulnerability in version 0.5.2 by introducing a UNIX socket that admins can control with traditional UNIX permissions to restrict access. Because Podman doesn't rely on a daemon, it isn't susceptible to this type of attack.
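As an added example (not from the original article), the audit below checks the two exposure points just described on a Docker host: whether dockerd's `hosts` setting in daemon.json opens a TCP listener, and whether the UNIX socket's permissions let more than the owner and group reach the daemon. The `hosts` and `tlsverify` keys are real dockerd options; the sample configuration and socket mode used when no local daemon exists are constructed.

```python
import os
import stat
from urllib.parse import urlsplit

DEFAULT_HOSTS = ["unix:///var/run/docker.sock"]  # dockerd default when "hosts" is unset


def audit_hosts(config: dict) -> list:
    """Return one finding per dockerd listener that widens the control-plane attack surface."""
    findings = []
    tls_verify = bool(config.get("tlsverify", False))
    for h in config.get("hosts", DEFAULT_HOSTS):
        parts = urlsplit(h)
        if parts.scheme == "unix":
            continue  # local socket: access is governed by file permissions (see audit_socket_mode)
        if parts.scheme != "tcp":
            findings.append(f"{h}: unexpected listener scheme '{parts.scheme}'")
            continue
        if not tls_verify:
            findings.append(f"{h}: TCP listener without tlsverify; any client that can reach the "
                            "port, including a browser-driven request, can issue daemon commands as root")
        if (parts.hostname or "") in ("", "0.0.0.0", "::"):
            findings.append(f"{h}: bound to all interfaces, not just localhost")
    return findings


def audit_socket_mode(st_mode: int) -> list:
    """Flag a UNIX socket whose mode lets users outside the owner and group drive the daemon."""
    findings = []
    if not stat.S_ISSOCK(st_mode):
        findings.append("path is not a UNIX socket (mode %o)" % st_mode)
    perm = stat.S_IMODE(st_mode)
    if perm & (stat.S_IROTH | stat.S_IWOTH):
        findings.append("socket mode %o grants access to all local users; expect 0660 owned by root:docker" % perm)
    return findings


if __name__ == "__main__":
    # Constructed sample: the pre-0.5.2 style localhost TCP listener alongside the UNIX socket.
    sample_config = {"hosts": ["tcp://127.0.0.1:2375", "unix:///var/run/docker.sock"]}
    try:
        sock_mode = os.stat("/var/run/docker.sock").st_mode
    except FileNotFoundError:
        sock_mode = 0o140666  # constructed: a world-accessible socket, used when no daemon is present
    for finding in audit_hosts(sample_config) + audit_socket_mode(sock_mode):
        print("FINDING:", finding)
```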
Kubernetes has become the dominant player when it comes to container orchestration. VMware has adopted Kubernetes as its primary management plane for VMs and everything else connected to running containers. Kubernetes uses the term pod to define a collection of containers that share certain resources. Podman supports this same concept by implementing a pod command to manage multiple containers as a single entity.
Similarly, Docker provides multiple options for container orchestration. Docker Swarm is the native tool maintained by Docker for managing a cluster. Docker also integrates well with Kubernetes, which is the popular choice for most development teams. For Windows deployments, admins have the option to enable Kubernetes during the installation process, which provides full access to the Kubernetes commands right from an admin's desktop or laptop.
Taking this one step further, it's possible for admins to build their applications around the continuous integration and deployment model where development and test can happen anywhere based on some simple configuration files. A few additional steps to change the deployment target are all that's required when admins are ready to push a release to production.
Both Podman and Docker conform to OCI standards for images, but Podman is worth checking out for the security features alone. Podman also provides native commands to support the building and testing of pods with an eye toward deploying a production system running Kubernetes.