Secure, rootless containers for Kubernetes, microservices, and more
Daniel Walsh
MANNING
Podman and Docker feature comparison

| Feature | Podman | Docker | Description |
|---|---|---|---|
| Supports all OCI and Docker images | ✔ | ✔ | Both pull and run container images from container registries (i.e., quay.io and docker.io). |
| Launches OCI container engines | ✔ | ✔ | Launch containers using runc, crun, Kata, gVisor, and other OCI container engines. |
| Simple command-line interface | ✔ | ✔ | Podman and Docker share the same CLI. |
| Integration with systemd | ✔ | ✘ | Podman supports running systemd inside of the container as well as many systemd features. |
| Fork/exec model | ✔ | ✘ | The container is a direct descendant of the podman command. |
| Fully supports user namespaces | ✔ | ✘ | Only Podman supports running containers in separate user namespaces. |
| Client–server model | ✔ | ✔ | Docker is a RESTful API daemon. Podman supports a RESTful API via a systemd socket-activated service. |
| Supports docker-compose | ✔ | ✔ | compose scripts work against both RESTful APIs. Podman's API also works in rootless mode. |
| Supports docker-py | ✔ | ✔ | docker-py Python bindings work against both RESTful APIs. Podman's API also works in rootless mode. Podman also supports podman-py for running advanced features. |
| Daemonless | ✔ | ✘ | The podman command runs like a traditional command-line tool, while Docker requires multiple root-running daemons. |
| Supports Kubernetes-like pods | ✔ | ✘ | Podman supports running multiple containers within the same pod. |
| Supports Kubernetes YAML | ✔ | ✘ | Podman can launch containers and pods based on Kubernetes YAML. It can also generate Kubernetes YAML from running containers. |
| Supports Docker swarm | ✘ | ✔ | Podman believes the future for orchestrated multi-node containers is Kubernetes and does not plan on implementing Swarm. |
| Customizable registries | ✔ | ✘ | Podman allows you to configure registries for short-name expansion. Docker is hard coded to docker.io when you specify a short name. |
| Customizable defaults | ✔ | ✘ | Podman supports fully customizing all of its defaults, including security, namespaces, volumes, and more. |
| Mac OS support | ✔ | ✔ | Podman and Docker support running containers on a Mac via a VM running Linux. |
| Windows support | ✔ | ✔ | Podman and Docker support running containers on Windows via WSL2 or a VM running Linux. |
| Linux support | ✔ | ✔ | Podman and Docker are supported on all major Linux distributions. |
Podman in Action
SECURE, ROOTLESS CONTAINERS
FOR KUBERNETES, MICROSERVICES, AND MORE
DANIEL WALSH
MANNING
SHELTER ISLAND
For online information and ordering of this and other Manning books, please visit
www.manning.com. The publisher offers discounts on this book when ordered in quantity.
For more information, please contact
Special Sales Department
Manning Publications Co.
20 Baldwin Road
PO Box 761
Shelter Island, NY 11964
Email: orders@manning.com
©2023 by Manning Publications Co. All rights reserved.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in
any form or by means electronic, mechanical, photocopying, or otherwise, without prior written
permission of the publisher.
Many of the designations used by manufacturers and sellers to distinguish their products are
claimed as trademarks. Where those designations appear in the book, and Manning Publications
was aware of a trademark claim, the designations have been printed in initial caps or all caps.
Recognizing the importance of preserving what has been written, it is Manning’s policy to have
the books we publish printed on acid-free paper, and we exert our best efforts to that end.
Recognizing also our responsibility to conserve the resources of our planet, Manning books
are printed on paper that is at least 15 percent recycled and processed without the use of
elemental chlorine.
The author and publisher have made every effort to ensure that the information in this book
was correct at press time. The author and publisher do not assume and hereby disclaim any
liability to any party for any loss, damage, or disruption caused by errors or omissions, whether
such errors or omissions result from negligence, accident, or any other cause, or from any usage
of the information herein.
Manning Publications Co.
20 Baldwin Road
PO Box 761
Shelter Island, NY 11964

Development editor: Toni Arritola
Technical development editor: Joshua White
Technical editor: Roman Zhuzha
Review editor: Aleksandar Dragosavljević
Production editor: Andy Marinkovich
Copy editor: Christian Berk
Proofreader: Katie Tennant
Technical proofreader: Alain Lompo
Typesetter: Dennis Dalinnik
Cover designer: Marija Tudor
ISBN: 9781633439689
Printed in the United States of America
In memory of my mother, Joan P. Walsh
brief contents
PART 1 FOUNDATIONS 1
1 Podman: A next-generation container engine 3
2 Command line 27
3 Volumes 67
4 Pods 76
PART 2 DESIGN 87
5 Customization and configuration files 89
6 Rootless containers 106
PART 3 ADVANCED TOPICS 125
7 Integration with systemd 127
8 Working with Kubernetes 151
9 Podman as a service 166
PART 4 CONTAINER SECURITY 187
10 Security container isolation 189
11 Additional security considerations 216
contents
preface xi
acknowledgments xii
about this book xiii
about the author xvi
about the cover illustration xvii
PART 1 FOUNDATIONS 1
1 Podman: A next-generation container engine 3
1.1 About all these terms 4
1.2 A brief overview of containers 7
    Container images: A new way to ship software 9
    Container images lead to microservices 11
    Container image format 13
    Container standards 14
1.3 Why use Podman when you have Docker? 15
    Why have only one way to run containers? 15
    Rootless containers 16
    Fork/exec model 17
    Podman is daemonless 19
    User-friendly command line 19
    Support for REST API 21
    Integration with systemd 21
    Pods 22
    Customizable registries 23
    Multiple transports 25
    Complete customizability 25
    User-namespace support 26
1.4 When not to use Podman 26
2 Command line 27
2.1 Working with containers 28
    Exploring containers 28
    Running the containerized application 30
    Stopping containers 34
    Starting containers 35
    Listing containers 36
    Inspecting containers 36
    Removing containers 37
    exec-ing into a container 38
    Creating an image from a container 39
2.2 Working with container images 41
    Differences between a container and an image 42
    Listing images 44
    Inspecting images 45
    Pushing images 46
    podman login: Logging into a container registry 48
    Tagging images 50
    Removing images 53
    Pulling images 55
    Searching for images 58
    Mounting images 59
2.3 Building images 60
    Format of a Containerfile or Dockerfile 61
    Automating the building of our application 64
3 Volumes 67
3.1 Using volumes with containers 68
    Named volumes 70
    Volume mount options 72
    podman run --mount command option 75
4 Pods 76
4.1 Running pods 76
4.2 Creating a pod 79
4.3 Adding a container to a pod 80
4.4 Starting a pod 82
4.5 Stopping a pod 83
4.6 Listing pods 84
4.7 Removing pods 84
PART 2 DESIGN 87
5 Customization and configuration files 89
5.1 Configuration files for storage 91
    Storage location 91
    Storage drivers 94
5.2 Configuration files for registries 96
    registries.conf 96
5.3 Configuration files for engines 100
5.4 System configuration files 104
6 Rootless containers 106
6.1 How does rootless Podman work? 109
    Images contain content owned by multiple user identifiers (UIDs) 110
6.2 Rootless Podman under the covers 118
    Pulling the image 119
    Creating a container 120
    Setting up the network 120
    Starting the container monitor: conmon 121
    Launching the OCI runtime 121
    The containerized application runs until completion 124
PART 3 ADVANCED TOPICS 125
7 Integration with systemd 127
7.1 Running systemd within a container 128
    Containerized systemd requirements 131
    Podman container in systemd mode 131
    Running an Apache service within a systemd container 132
7.2 Journald for logging and events 134
    Log driver 135
    Events 136
7.3 Starting containers at boot 137
    Restarting containers 137
    Podman containers as systemd services 138
    Distributing systemd unit files to manage Podman containers 141
    Automatically updating Podman containers 142
7.4 Running containers in notify unit files 145
7.5 Rolling back failed containers after update 147
7.6 Socket-activated Podman containers 147
8 Working with Kubernetes 151
8.1 Kubernetes YAML files 153
8.2 Generating Kubernetes YAML files with Podman 153
8.3 Generating Podman pods and containers from Kubernetes YAML 157
    Shutting down pods and containers based on a Kubernetes YAML file 158
    Building images using Podman and Kubernetes YAML files 159