
Posted by codesmash 9/5/2025

I ditched Docker for Podman (codesmash.dev)
1123 points | 654 comments | page 7
rsyring 9/5/2025|
I believe rootless containers require Linux user namespaces which have historically been the source of many vulnerabilities: https://news.ycombinator.com/item?id=43517734

I'm conflicted about whether or not it's better to run a root daemon that can launch unprivileged non-root containers or run rootless containers launched by a non-root user.

Anyone have thoughts or more definitive resources they could point to that discuss the tradeoffs?

gucci-on-fleek 9/5/2025|
All containers use user namespaces, but only rootless containers require unprivileged user namespaces. Unprivileged user namespaces didn't have a great security record for the first few years, but vulnerabilities are relatively rare these days.

Running podman with SELinux enforcing (the default) and with "--security-opt=no-new-privileges" combined with running applications as non-root inside their containers should further reduce the security risk. You could also disable unprivileged user namespaces inside the containers if you want, which would mean that exploiting unprivileged user namespaces would first require arbitrary code execution on the host.
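The advice above, turned into a small POSIX shell script. This is an added example, not code from the thread or from the Podman project: it composes the `--security-opt=no-new-privileges` and non-root `--user` flags, checks whether SELinux is enforcing on the host, and verifies from a `/proc/1/status` dump (the kind you get from `podman exec NAME cat /proc/1/status`) that the container's init process really has NoNewPrivs set and a non-zero uid. The image name, container name, uid:gid and the sample status lines are assumed placeholders; the nested-user-namespace restriction mentioned in the comment is not covered here.

```shell
#!/bin/sh
# Added example, not from the thread or from the Podman project: compose the
# `podman run` hardening flags named in the comment above and verify from
# inside a running container that they took effect.  The image name,
# container name and uid:gid are assumed placeholders.

# Flags for a container that must run as a non-root user and must never gain
# privileges via setuid/setcap binaries.  Argument: UID:GID to run as.
hardened_run_flags() {
  run_as="${1:-10001:10001}"            # assumed non-root uid:gid
  printf '%s %s\n' \
    '--security-opt=no-new-privileges' \
    "--user=$run_as"
}

# Return 0 if SELinux is enforcing.  Argument: path of the enforce flag
# (defaults to the kernel interface; a test may pass a copy).
selinux_enforcing() {
  f="${1:-/sys/fs/selinux/enforce}"
  [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Read a /proc/<pid>/status dump on stdin and return 0 only if NoNewPrivs is
# set and the real uid is non-zero.  Inside the container, PID 1's status
# shows whether the flags above actually applied:
#   podman exec "$NAME" cat /proc/1/status | audit_status
audit_status() {
  status=$(cat)
  nnp=$(printf '%s\n' "$status" | awk '$1 == "NoNewPrivs:" { print $2 }')
  uid=$(printf '%s\n' "$status" | awk '$1 == "Uid:" { print $2 }')
  if [ "$nnp" != "1" ]; then
    echo "FAIL: NoNewPrivs is '$nnp', expected 1" >&2
    return 1
  fi
  if [ -z "$uid" ] || [ "$uid" = "0" ]; then
    echo "FAIL: process runs as root (uid '$uid')" >&2
    return 1
  fi
  echo "ok: uid=$uid NoNewPrivs=1"
}

# Constructed samples of the relevant /proc/1/status lines (not real captures).
SAMPLE_GOOD='Name:	sh
Uid:	10001	10001	10001	10001
Gid:	10001	10001	10001	10001
NoNewPrivs:	1'
SAMPLE_BAD='Name:	sh
Uid:	0	0	0	0
Gid:	0	0	0	0
NoNewPrivs:	0'

# Print the full command; NAME and IMAGE are placeholders.
NAME=app
IMAGE=localhost/app:latest
echo "podman run -d --name $NAME $(hardened_run_flags 10001:10001) $IMAGE"

selinux_enforcing && echo "SELinux: enforcing" || echo "SELinux: not enforcing or not available"

# Offline demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_GOOD" | audit_status
printf '%s\n' "$SAMPLE_BAD" | audit_status || echo "bad sample rejected, as expected"
```

The audit reads `/proc/1/status` rather than trusting the command line, because that file reflects what the kernel actually applied to the process: `NoNewPrivs: 1` means the flag reached the process, and a non-zero `Uid:` confirms the non-root user took effect even if the image's own USER directive differs.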

WhyNotHugo 9/6/2025||
I don't understand why it's so popular to run the docker daemon as root.

Rootless mode seems to support all the same features, but is obviously more secure than the "run everything as root" mode. In fact, most of the CVEs mentioned would allow an attacker to escalate to the privilege of the user running docker, instead of escalating to the root user.

Comparing the security of rootless-podman to rootful-docker is an absurd (and obviously unfair) comparison.

aprilfoo 9/6/2025||
I'm happily using podman only. Lightweight, secure by design, sweet integration with systemd as an orchestrator: a perfect middle ground when the complexity of k8s isn't needed.

Sadly "docker" is just a synonym for "container" for most people, so the main issue is that most projects only ship a compose file. Hopefully they'll ship quadlet files too, some day.

Alternatively, a public repository for sharing quadlets for popular open source software would be great.

jesprenj 9/6/2025||
> Or rather NO, because this daemon runs with root privileges.

Note that the docker daemon does not have to run with root privileges. You can use this script to start docker rootless: https://github.com/docker-archive/engine/blob/master/contrib...

rweichler 9/5/2025||
On the topic of ditching Docker, has anyone else created a custom test harness with QEMU? I feel like I'm the only person doing it this way. QEMU's target userbase is emulators in general, which is a much broader audience with way more development effort going into it, therefore I don't think it can ever go "out of fashion" or get hijacked by perverse corporate interests like Docker can. Podman seems to have the same vulnerability.
drzaiusx11 9/5/2025|
This is what Lima is, which is the basis for Colima, which runs on top with all the Docker runtime stuff.

https://github.com/lima-vm/lima

https://github.com/abiosoft/colima

rweichler 9/5/2025||
Interesting, thanks. Looks much better than Docker/Podman. But seems to suffer from the same incentive issue. I think I'll stick with my raw QEMU setup, Lima seems like QEMU + batteries, but I already built the batteries.
drzaiusx11 9/5/2025||
Fun fact: podman desktop is just a front end to Lima, or was last I checked.
rweichler 9/5/2025||
Yeah, seems like the power law is at play here. I made my test harness in 2020 so I didn't have a choice, as Lima didn't exist back then. I should have waited a year. I'll certainly keep an eye on it.
EE84M3i 9/5/2025||
I would love to switch to podman, but I rely on docker's credential helpers with the gcloud CLI for authentication to pull from Google Artifact Registry on Mac with hyperkit. Last time I tried I couldn't figure out how to do this with podman machine in a way that respected gcloud credentials properly, and could only find some hacks that involved passing short-term tokens instead of supporting proper refresh flows. Is there a guide on how to do that now?
mathfailure 9/5/2025||
My Go service in a podman container requires a container restart after waking up. That's the only downside I've felt after switching from docker to podman.
tannhaeuser 9/5/2025||
me: great can target POSIX for stuff

them: not so fast here's glib

me: great can use debian for stuff

them: not so fast, here's rpm

me: great can use docker for "abstracting" over Linux diversity

them: not so fast, here's podman

fh973 9/5/2025||
Docker swarm is great on single servers. Apparently still no such thing for Podman.

Even if the tech is not top notch, Docker got a few things right on product management.

gr4vityWall 9/5/2025|
I wonder if we'll see Podman running on Illumos at some point. SmartOS does currently support running Dockerized programs if I remember correctly.
mdaniel 9/5/2025|
Only if Illumos supports kernel namespaces; it's the same problem as "podman on XNU" (I don't mean via VM, I mean on XNU): there's nothing stopping them, but it evidently isn't important to them, either