I ditched Docker for Podman

Posted by codesmash 9/5/2025

I ditched Docker for Podman(codesmash.dev)

1123 points | 654 commentspage 6

BinaryIgor 9/5/2025|

I certainly like demon-less architecture; much simpler and there are less potential security issues and no single point of failure.

The one thing I don't necessarily agree:

"Privileged ports in rootless mode not working? Good! That's security working as intended. A reverse proxy setup is a better architecture anyway."

I usually use Ngix as a reverse proxy - why not have it set up in the exact same way as the rest of your apps? That's a simplicity advantage. So with Podman, I would just run this one exact container in root mode - that's still better than all of them, but quite.

I am not a fan of docker-compose - a classic example of a tool trying to do too much for me, so the lack of something similar in Podman is not a drawback for me :)

Not sure about tooling around logs and monitoring though - there is plenty for Docker.

chuckadams 9/6/2025|

Allowing binding to a privileged port should be as simple as adding CAP_NET_BIND_SERVICE to the process, most likely in a systemd unit file or something . I still suggest using a reverse proxy like nginx or traefik, so add the capability to those. There's no reason for the proxy to run as root.

timcambrant 9/5/2025||

I'm probably going to finally give podman a try, but apart from the security advantages of daemonless, I pretty much have all these features solved on my Docker hosts already. For home/lab workloads I define one docker compose project in a directory, using local path mounts for directories. Then I manually define a systemd service per docker compose project, which just runs "docker compose up -d <dir>" on start, and the opposite on stop. The hundreds of containers I run at home have higher uptime than the thousands of containers in the orchestration platform I run at work has.

Does the "podman generate kube" command just define pods, or does it support other K8s components such as services and ingresses?

2OEH8eoCRo0 9/5/2025||

I've been on Podman since 2019 since Docker didn't support Cgroups v2 for a very long time.

ThomW 9/5/2025||

We did the same. Switching was a cinch honestly - the only thing that screwed me up was some dumb page that returned a bunch of nonsense I was supposed to do to my docker-compose.yml file to make it more compatible with podman-compose. I spent a couple hours trying to figure out why things weren't working, until I finally rolled back all the stupid suggested changes, and my app fired right up.

The only impactful difference I've noticed so far is that the company is moving to an artifact repository that requires authentication, and mounting secrets using --mount doesn't support the env= parameter -- that's really it.

I treat podman like I did docker all day long and it works great.

xyst 9/5/2025||

I already use podman for local development. While docker can run under rootless mode [1] and alleviate the security concern. The concern about docker being resource intensive is still quite true (which is why I avoid using it in my self hosted setup).

Rather _declaratively_ define configuration with nix. Deploy nixOS to machines (rpi4/5, x86, arm) and vms (proxmox) and manage remotely with nixos-anywhere.

One of these days, I’ll get around to doing a write up.

[1] https://docs.docker.com/engine/security/rootless/

srid 9/5/2025|

Or if you are on macOS, there is https://github.com/juspay/services-flake which is based on process-compose. So you get an unified alternative to docker-compose but based on Nix and works on both platforms.

condenser 9/5/2025||

I'm interested in using podman for my homeserver because of the deamonless and rootlessnes nature, but I haven't found a convenient replacement for docker compose.

On my dev machine I do `docker compose up -d --build` in the directory of the Dockerfile, and it builds, uploads, and restarts the service on the server. In the podman world you're supposed to use Quadlets, which can be rsynced to the server, but I haven't found something simple for the build-step that doesn't involve an external registry or manually transferring the image.

What's the end-to-end solution for this?

rsyring 9/5/2025||

Might be part of your solution: https://github.com/psviderski/unregistry

> Unregistry is a lightweight container image registry that stores and serves images directly from your Docker daemon's storage. > > The included docker pussh command (extra 's' for SSH) lets you push images straight to remote Docker servers over SSH. It transfers only the missing layers, making it fast and efficient.

But, given that podman rootless doesn't have a daemon like Docker, I think using Podman in a push-to-remote scenario is just going to have more pieces for you to manually manage.

There are PaaS solutions out there, like Dokku, that would give you a better devx but will also bring additional setup and complexity.

gucci-on-fleek 9/5/2025||

podman-compose [0] is a mostly drop-in replacement for local usage, but I have no idea if it works remotely. "podman image scp" [1] looks like it could be helpful though.

[0]: https://github.com/containers/podman-compose

[1]: https://docs.podman.io/en/latest/markdown/podman-image-scp.1...

codethief 9/5/2025||

> With Podman, even if someone somehow escalates privileges inside a container to root level, they're still just an unprivileged user on the actual host.

As much as I like Podman (and I really do), Docker has supported rootless mode for a long time and it's not any harder to set up than Podman.

> Use podman-compose as a drop-in replacement

Oh, if only it were a drop-in replacement. There are so many ways in which it is not exactly compatible with docker-compose, especially when it comes to the network setup. I have wasted more hours on this than I can count.

puilp0502 9/6/2025||

> If your Docker Compose workflow is overly complex, just convert it to Kubernetes YAML.

Is this also applicable for single-host services? I have a lot of my toy projects packaged as a Docker Compose, and I just `docker compose up -d` in my EC2 host and it's ready to go. Last time I dabbled with K8s I remember it requiring separate etcd cluster, and a lot of configurations. I wonder if my existing projects could be converted to K8s manifest and it would be just as convenient as the `docker compose up -d`.

cyrialize 9/5/2025||

> I'm old enough to remember when Vagrant looked like a promised land where every development environment would look the same.

Oh no... does this mean I'm old too?!? This feels just like yesterday!

mdaniel 9/5/2025|

In fairness, Vagrant solves a slightly different problem than does containerization, so I doubt the need went away but rather folks realized no one cares very much about fresh VM, rather it's all about the application configs

Also, fuck them: https://github.com/hashicorp/vagrant/blob/v2.4.9/LICENSE who the fuck are they expecting to pay for Vagrant, or that "AWS gonna steal our ... vagrant?"

Dunedan 9/6/2025||

I'm so angry about that license change, as it makes impossible to use Vagrant anymore. For example the version of Vagrant in Debian is stuck to the pre-license change commit and Debian doesn't publish Vagrant boxes for new releases anymore. I've yet to find a replacement, which works as seamlessly across different operating systems.

mdaniel 9/6/2025||

Yeah, I was actually participating in a soft-fork for a while but I think the project ran out of steam. My guess is that it's very hard to pay attention to something that you don't use every day, so they let it drift. But if you ever hear of someone starting up again, let me know

I'm aware that I, too, could be the someone but like I said it's hard to dedicate all the time and energy when the last time I used vagrant was years ago

I also just remembered that I haven't revisited the forks list to see if there's some meaningful activity https://github.com/hashicorp/vagrant/forks?include=active&pa...

tsoukase 9/5/2025|

Podman has full compatibility and same command syntax with docker. Perfect cockpit and kubernetes co existence. Daemonless, rootless and open source are killer features and reasons to switch.

More comments...