Comparison of Docker and Podman container management

Translated from Paul Ferrill's article "Compare Docker vs. Podman for container management", published September 1, 2020 1

Docker and Podman provide similar functions for managing containers, but Docker's security vulnerabilities may make Podman more attractive to some administrators.


Today Docker is the de facto standard for many IT administrators and is used by a large share of developers. However, because Podman can run as an unprivileged user and does not require a daemon, it offers administrators some security advantages over Docker.

Docker and Podman share many of the same features, for example support for the Open Container Initiative (OCI) 2 runtime and image specifications and a matching set of commands for creating and managing containers. There are, however, some differences between Docker and Podman, including security issues and reliance on a daemon. 3

Podman develops, manages and runs OCI containers without a daemon, and it must run on a Linux OS. Containers can be run in root mode or in non-root (rootless) mode. Docker uses a daemon (a persistent background process) to handle the management responsibilities for all containers on the host. Docker relies on a client/server (C/S) architecture: the daemon plays the role of the server, and the client communicates with it through the command-line interface (CLI).

On Windows, Docker uses a native Windows daemon to run either Windows- or Linux-based images. Podman requires Windows Subsystem for Linux version 2 (WSL2) to run properly, so administrators need the Windows 10 May 2020 update to start using Podman, because that is the first release to include WSL2.

Security

One major difference between Docker and Podman involves security. The Docker daemon requires root privileges, which poses a security challenge whenever root privileges are granted to users. It also means that an improperly configured Docker container can have unrestricted access to the host file system. Administrators can reduce this risk by following some basic best practices, such as only using container images from trusted vendors, but the possibility remains.

However, administrators can use Podman to start containers as an unprivileged user, which gives Podman an advantage over Docker in locked-down environments. That said, as an unprivileged user, administrators cannot execute any command that requires root privileges on the host system. This includes binding to any privileged host port (below 1024), such as the default HTTP port 80.
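The privileged-port limit described above is the check a practitioner hits first when moving a `-p HOST:CONTAINER` mapping to a rootless run. The following POSIX shell snippet is an added example, not code from the article: it reads the kernel's `net.ipv4.ip_unprivileged_port_start` boundary where available (falling back to the conventional 1024), decides whether a host port can be published without root, and, if not, proposes a high-port remap. The "+8000" remap rule (80 to 8080, 443 to 8443) is a constructed convention for this example, not a Podman feature.

```shell
#!/bin/sh
# Added example (not from the article): decide whether a "-p HOST:CONTAINER"
# publish spec can be satisfied by a rootless (unprivileged) container run.

# Lowest port an unprivileged process may bind. Read from the kernel when the
# sysctl is exposed, otherwise assume the conventional boundary of 1024.
privileged_port_start() {
    f=/proc/sys/net/ipv4/ip_unprivileged_port_start
    if [ -r "$f" ]; then cat "$f"; else echo 1024; fi
}

# Usage: rootless_can_publish HOSTPORT [START]
# Prints "yes" or "no". START overrides the sysctl lookup (handy for testing).
rootless_can_publish() {
    port=$1
    start=${2:-$(privileged_port_start)}
    case $port in
        ''|*[!0-9]*) echo no; return 0 ;;   # not a port number at all
    esac
    if [ "$port" -ge "$start" ]; then echo yes; else echo no; fi
}

# Usage: suggest_publish "HOST:CONTAINER[/proto]" [START]
# Echoes the spec unchanged when the host port is allowed; otherwise echoes a
# remapped spec on host port + 8000 (constructed convention: 80 -> 8080).
suggest_publish() {
    spec=$1
    start=${2:-$(privileged_port_start)}
    host=${spec%%:*}
    cont=${spec#*:}
    if [ "$(rootless_can_publish "$host" "$start")" = yes ]; then
        echo "$spec"
    else
        echo "$((host + 8000)):$cont"
    fi
}

# Stand-alone demonstration against the running kernel's boundary.
for spec in 80:80 443:443/tcp 8080:80; do
    echo "$spec -> $(suggest_publish "$spec")"
done
```

Passing the boundary explicitly (the second argument) makes the functions deterministic on hosts where an administrator has lowered `ip_unprivileged_port_start`; without it the functions report what the current kernel actually allows.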

In addition, both Docker and Podman use a CLI as the main management interface. However, Docker communicates with its daemon through a REST API endpoint, and older versions used a TCP socket bound to the local IP address. That provided a potential attack surface for cross-site request forgery and other exploitation. Docker addressed this in version 0.5.2 by introducing a UNIX socket, to which administrators can restrict access with traditional UNIX permissions. Because Podman does not rely on a daemon, it is not exposed to this class of attack.
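A defender auditing the daemon exposure discussed above checks two things: which listeners the daemon is configured with, and whether the UNIX socket's permission bits keep other users out. The POSIX shell snippet below is an added example, not code from the article or from the Docker project. It reads listener URLs from the `hosts` key of a `daemon.json` (the sample file here is constructed for the demonstration), classifies each as local socket, loopback TCP, or network TCP with or without `tlsverify`, and checks the "other" bits of an `ls -l` mode string such as `srw-rw----`.

```shell
#!/bin/sh
# Added example (not from the article): audit how a Docker daemon exposes its
# REST API. Listeners come from the "hosts" key of daemon.json (the same URLs
# an administrator would pass with -H). The configuration below is constructed.

SAMPLE_CONFIG=$(mktemp "${TMPDIR:-/tmp}/daemon.XXXXXX")
cat > "$SAMPLE_CONFIG" <<'EOF'
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375", "tcp://127.0.0.1:2376"],
  "tlsverify": false
}
EOF

# Usage: list_hosts FILE -> one listener URL per line
list_hosts() {
    grep -oE '(unix|tcp|fd)://[^"]*' "$1"
}

# Usage: tls_enabled FILE -> "yes" when "tlsverify": true is set, else "no"
tls_enabled() {
    if grep -qE '"tlsverify"[[:space:]]*:[[:space:]]*true' "$1"; then echo yes; else echo no; fi
}

# Usage: classify_host URL TLS(yes|no)
# -> local | loopback-tcp | network-tcp | network-tcp-tls | unknown
# loopback-tcp is still reachable by any local process, including a browser
# page, which is the cross-site request forgery exposure the text refers to.
classify_host() {
    case $1 in
        unix://*|fd://*)                                echo local ;;
        tcp://127.*|tcp://localhost:*|tcp://\[::1\]:*)  echo loopback-tcp ;;
        tcp://*) if [ "$2" = yes ]; then echo network-tcp-tls; else echo network-tcp; fi ;;
        *)                                              echo unknown ;;
    esac
}

# Usage: audit_daemon_config FILE -> "URL CLASS" lines
audit_daemon_config() {
    tls=$(tls_enabled "$1")
    list_hosts "$1" | while read -r url; do
        echo "$url $(classify_host "$url" "$tls")"
    done
}

# Usage: count_plaintext_tcp FILE -> number of TCP listeners without TLS
count_plaintext_tcp() {
    audit_daemon_config "$1" | grep -cE ' (loopback-tcp|network-tcp)$'
}

# Usage: others_can_access MODESTRING -> "yes" if the "other" bits of an
# ls -l mode string (e.g. srw-rw----) grant any access, else "no"
others_can_access() {
    case $(printf '%s' "$1" | cut -c8-10) in
        ---) echo no ;;
        *)   echo yes ;;
    esac
}

# Usage: socket_world_accessible PATH -> "yes" | "no" | "missing"
socket_world_accessible() {
    if [ -S "$1" ]; then
        others_can_access "$(ls -ld "$1" | cut -c1-10)"
    else
        echo missing
    fi
}

# Stand-alone demonstration.
audit_daemon_config "$SAMPLE_CONFIG"
echo "plaintext TCP listeners: $(count_plaintext_tcp "$SAMPLE_CONFIG")"
echo "/var/run/docker.sock world-accessible: $(socket_world_accessible /var/run/docker.sock)"
```

The JSON handling is deliberately a regular expression over the `hosts` array so the script has no dependency beyond grep; for a daemon.json with nested or commented structure, a real JSON parser is the safer choice. The mode check reads the ninth through tenth characters of the `ls -l` string, so it works the same on GNU and BSD userlands without relying on the differing `stat` flags.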

Container Orchestration

In terms of container orchestration, Kubernetes has become the dominant player. VMware has adopted Kubernetes as the main management platform for VMs and all other devices connected to running containers. Kubernetes uses the term pod for a collection of containers that share certain resources. Podman supports the same concept through its pod commands, which manage multiple containers as one entity.

Similarly, Docker provides multiple options for container orchestration. Docker Swarm is Docker's own native cluster management tool. Docker also integrates well with Kubernetes, which is the mainstream choice for most development teams. For Windows deployments, administrators can choose to enable Kubernetes during installation, so that Kubernetes commands are directly available from the administrator's desktop or laptop.

Furthermore, administrators can build their applications around a continuous integration and continuous deployment (CI/CD) model, in which development and testing can be done anywhere based on a few simple configuration files. When the administrator is ready to push a release to production, only a few additional steps are needed to change the deployment target.

Both Podman and Docker conform to the OCI image standard, but on security features alone Podman is worth a try. Podman also provides native commands for building and testing pods, with a focus on deployment to a production system running Kubernetes.


Author: Paul Ferrill
Translator: Technical Zemin
Publisher: Technical Verses
Link: original English text

WeChat Official Account: Technical Translation Station


  1. Compare Docker vs. Podman for container management, https://searchservervirtualization.techtarget.com/tip/Compare-Docker-vs-Podman-for-container-management

  2. OCI, https://opencontainers.org/

  3. Docker Vs Podman, https://www.cnblogs.com/ittranslator/p/14057822.html


Source: blog.csdn.net/weixin_47498376/article/details/110670508