Podman
DevOps Tool
Overview
Podman is a daemonless container engine developed by Red Hat. It stays compatible with the Docker CLI while improving security and operability through rootless execution, systemd integration and Pod support.
Details
Podman (Pod Manager) is an open-source container engine developed by Red Hat. Named from the initials of "Pod," "Image," and "Container" management, it was designed as a Docker alternative. Its key features are rootless container execution and a daemonless architecture. Unlike traditional Docker, where every container is a child of a daemon running with root privileges, Podman forks each container as an independent child process of the podman command under the invoking user, which removes the long-lived privileged daemon as a single point of compromise and significantly reduces security risk. It maintains OCI (Open Container Initiative) compliance and compatibility with existing container registries such as Docker Hub. Podman brings the Kubernetes Pod concept to local use and simplifies service management through systemd integration. Adopted as the default container engine in Red Hat Enterprise Linux (RHEL) 8 and later, it is also available in CentOS Stream and Fedora. It is gaining attention in enterprise environments with strict security requirements and as a migration destination from Docker, particularly within the Red Hat ecosystem.
Advantages and Disadvantages
Advantages
- Security: Rootless execution and daemonless architecture
- Docker compatibility: Can use existing Docker commands and images
- systemd integration: Simplified service management and process monitoring
- Pod support: Local implementation of Kubernetes Pod concept
- Lightweight: Runs without a resident daemon process
- Enterprise-ready: Red Hat support and enterprise quality
- Multi-architecture: x86_64, ARM64, s390x support
- OCI compliant: Full compliance with standardized container specifications
Disadvantages
- Learning curve: Some learning is required even for users experienced with Docker
- Ecosystem: Tool ecosystem is not as rich as Docker's
- Performance: May be slightly slower than Docker in some workloads
- Windows/macOS: Limited native support
- GUI: No integrated GUI equivalent to Docker Desktop
- Debugging: Less troubleshooting information available because it is a newer tool
- Platform dependency: Requires a Linux environment
- Migration cost: Migration work from existing Docker environments
Key Links
- Podman Official Website
- Podman Official Documentation
- Podman GitHub Repository
- Red Hat Container Tools
- Podman Desktop
- Podman Tutorials
Code Examples
Basic Container Operations
# Docker-compatible commands
podman run hello-world
podman pull nginx:alpine
podman images
podman ps
podman ps -a
# Run a container (rootless: its processes run under your own user on the host, so a compromise of the container does not yield root)
podman run -d --name web-server -p 8080:80 nginx:alpine
podman logs web-server
podman exec -it web-server sh
podman stop web-server
podman rm web-server
Pod Creation and Management
# Create Pod (Kubernetes-style)
podman pod create --name mypod --publish 8080:80
# Add containers to Pod
podman run -dt --pod mypod --name web nginx:alpine
podman run -dt --pod mypod --name cache redis:alpine
# Pod operations
podman pod list
podman pod ps mypod
podman pod stop mypod
podman pod start mypod
podman pod rm mypod
Kubernetes YAML Generation
# Create Pod for YAML generation (the Node image is docker.io/library/node; postgres needs POSTGRES_PASSWORD to start)
podman pod create --name webapp --publish 3000:3000
podman run -dt --pod webapp --name app node:16-alpine
podman run -dt --pod webapp --name db -e POSTGRES_PASSWORD=password postgres:13
# Export in Kubernetes format
podman generate kube webapp > webapp-pod.yaml
# Generated YAML example
cat webapp-pod.yaml
# webapp-pod.yaml (generated example)
apiVersion: v1
kind: Pod
metadata:
  name: webapp
spec:
  containers:
  - name: app
    image: docker.io/library/node:16-alpine
    ports:
    - containerPort: 3000
      hostPort: 3000
  - name: db
    image: docker.io/library/postgres:13
    env:
    - name: POSTGRES_PASSWORD
      value: password
systemd Integration
# Register as user service
podman run -d --name web-service nginx:alpine
podman generate systemd --new --files --name web-service
# Place service file in appropriate location
mkdir -p ~/.config/systemd/user
mv container-web-service.service ~/.config/systemd/user/
# Manage with systemd
systemctl --user daemon-reload
systemctl --user enable container-web-service.service
systemctl --user start container-web-service.service
systemctl --user status container-web-service.service
Podman Compose (docker-compose.yml compatible)
# compose.yaml
version: '3'
services:
  web:
    image: nginx:alpine
    ports:
      - "8080:80"
    volumes:
      - ./html:/usr/share/nginx/html
    depends_on:
      - app
  app:
    image: node:16-alpine
    working_dir: /app
    volumes:
      - .:/app
    command: npm start
    environment:
      - NODE_ENV=production
  db:
    image: postgres:13
    environment:
      POSTGRES_DB: myapp
      POSTGRES_USER: user
      POSTGRES_PASSWORD: password
    volumes:
      - pgdata:/var/lib/postgresql/data
volumes:
  pgdata:
# Execute with Podman Compose
podman-compose up -d
podman-compose ps
podman-compose logs
podman-compose down
Rootless Container Security Configuration
# Check user namespace
podman unshare id
podman unshare cat /proc/self/uid_map
# Execute with security settings
podman run --security-opt no-new-privileges \
--cap-drop ALL \
--cap-add NET_BIND_SERVICE \
--read-only \
--tmpfs /tmp \
nginx:alpine
# SELinux support: pin the MCS categories so this container's files stay unreadable to containers with a different label;
# label=type:... requires a custom process type from a policy module (udica can generate one), never the runtime's own type
podman run --security-opt label=level:s0:c100,c200 \
  nginx:alpine
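To make the output of `podman unshare cat /proc/self/uid_map` concrete, here is an added example (not from this page or the Podman project): a POSIX shell helper that reads the same three-column map format and resolves which host UID a given container UID lands on. The two map texts inside the block are constructed samples; the subuid range 100000:65536 is an assumption about the host's /etc/subuid.

```shell
# Added example: resolve a container UID to the host UID through a uid_map,
# the same three-column format (inside-start, outside-start, length) that
# `podman unshare cat /proc/self/uid_map` prints.
# Usage: map_container_uid CONTAINER_UID "UID_MAP_TEXT"
map_container_uid() {
  printf '%s\n' "$2" | awk -v cuid="$1" '
    NF == 3 && cuid >= $1 && cuid < $1 + $3 {
      print $2 + (cuid - $1); found = 1; exit
    }
    END { if (!found) print "unmapped" }'
}

# True when container root (UID 0) does not map to host root, i.e. the map
# is a rootless one and escaping the container only gains the mapping user.
container_root_is_unprivileged() {
  [ "$(map_container_uid 0 "$1")" != "0" ]
}

# Constructed sample: the map a rootless user with UID 1000 and an
# /etc/subuid entry "1000:100000:65536" typically sees (assumed range).
ROOTLESS_MAP='         0       1000          1
         1     100000      65536'

# Constructed sample: what a rootful (sudo podman) container sees.
ROOTFUL_MAP='         0          0 4294967295'

map_container_uid 0 "$ROOTLESS_MAP"      # -> 1000     (root inside is you outside)
map_container_uid 33 "$ROOTLESS_MAP"     # -> 100032   (nginx's worker UID lands in the subuid range)
map_container_uid 70000 "$ROOTLESS_MAP"  # -> unmapped (beyond the 65536 subuids; such a UID cannot exist in the container)
container_root_is_unprivileged "$ROOTLESS_MAP" && echo "rootless: container root is unprivileged on the host"
container_root_is_unprivileged "$ROOTFUL_MAP" || echo "rootful: container root is host root"
```

Feed the function the real output of `podman unshare cat /proc/self/uid_map` to see where a particular image's service account ends up on your host; an "unmapped" result explains the "invalid user" errors that appear when an image expects more UIDs than /etc/subuid grants.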
Advanced Network Configuration
# Create custom network
podman network create mynetwork
# Run containers with network specification
podman run -d --network mynetwork --name web1 nginx:alpine
podman run -d --network mynetwork --name web2 nginx:alpine
# Check network information
podman network inspect mynetwork
podman exec web1 ping web2
# Remove network
podman network rm mynetwork
Image Management and Registry Operations
# Build image
cat > Containerfile << EOF
FROM alpine:latest
RUN apk add --no-cache curl
COPY app.sh /usr/local/bin/
CMD ["/usr/local/bin/app.sh"]
EOF
podman build -t myapp:latest .
# Registry operations
podman login registry.example.com
podman tag myapp:latest registry.example.com/myapp:v1.0
podman push registry.example.com/myapp:v1.0
# Image signature verification: -f names the GPG public key file (not policy.json); the resulting rule is written into policy.json
podman image trust set -t signedBy -f /etc/pki/containers/myapp.gpg registry.example.com/myapp   # key path is a placeholder
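The trust command above edits a policy file whose shape is worth seeing in full. The following is an added example (not the project's own files or this page's): a shell function that writes a policy.json rejecting unsigned images by default and trusting registry.example.com/myapp only when signed by a known GPG key, plus the registries.d entry that tells Podman where detached signatures live. The key path, the lookaside URL and the scratch directory are assumptions.

```shell
# Added example (not the project's own files): a policy.json that rejects
# unsigned images by default and only trusts registry.example.com/myapp when
# signed by a known GPG key. Key path and lookaside URL are assumptions.
# Usage: write_signing_policy OUTPUT_DIR PUBKEY_PATH  (prints the policy path)
write_signing_policy() {
  out_dir=$1
  pubkey=$2
  mkdir -p "$out_dir/registries.d"

  # The stock default is {"type": "insecureAcceptAnything"}, which pulls
  # anything from anywhere; here the default becomes "reject" and trust is
  # opted in per repository. Local storage and build directories stay usable.
  cat > "$out_dir/policy.json" <<EOF
{
  "default": [{"type": "reject"}],
  "transports": {
    "docker": {
      "registry.example.com/myapp": [
        {"type": "signedBy", "keyType": "GPGKeys", "keyPath": "$pubkey"}
      ]
    },
    "containers-storage": {"": [{"type": "insecureAcceptAnything"}]},
    "dir": {"": [{"type": "insecureAcceptAnything"}]}
  }
}
EOF

  # Tell podman where the detached signatures for that repository are served.
  cat > "$out_dir/registries.d/myapp.yaml" <<EOF
docker:
  registry.example.com/myapp:
    lookaside: https://sigstore.example.com/signatures
EOF
  printf '%s\n' "$out_dir/policy.json"
}

# Cheap structural check without jq: the default entry must be "reject".
policy_default_is_reject() {
  tr -d ' \n' < "$1" | grep -qF '"default":[{"type":"reject"}]'
}

# Stand-alone run writes into a scratch directory. To install for real, copy
# policy.json to /etc/containers/policy.json (or ~/.config/containers/ for a
# single rootless user) and the yaml to /etc/containers/registries.d/.
scratch=$(mktemp -d)
policy=$(write_signing_policy "$scratch" /etc/pki/containers/myapp.gpg)
policy_default_is_reject "$policy" && echo "policy at $policy rejects unsigned images by default"
```

With the policy installed, `podman image trust show` lists the effective rules, and a pull of an unsigned image from any other repository fails at the policy check rather than after the layers have landed in local storage.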
Podman Remote (Remote Execution)
# Start the Podman API service on the target host (the socket grants full control of your containers; the rootless default path is $XDG_RUNTIME_DIR/podman/podman.sock, which is what the connection below points at)
podman system service --time=0 unix://$XDG_RUNTIME_DIR/podman/podman.sock
# Set up a remote connection over SSH (USER@HOST is a placeholder for the account and host)
podman system connection add myserver \
  ssh://USER@HOST/run/user/1000/podman/podman.sock
# Execute remotely
podman --remote --connection myserver ps
podman --remote --connection myserver run nginx:alpine