The new network stuff is a welcome improvement.
Especially if you want to go rootless (and you should).
For someone that isn’t “Linux first” (like a baby developer learning to containerize their apps), the idea of dealing with systemd unit files or kublet configs, and having to created dedicated local service accounts (and remembering to enable linger) is somewhat intimidating when compared to just installing docker, whipping up a docker compose file and pressing “start”.
I understand why they’ve taken this approach but it’s pretty clunky and a bit unfriendly.
Docker Compose is to stacks what Dockerfiles are to a single application. Podmans solution is to not commit to compose, but instead to create a bespoke mechanism involving a bunch of tiny files, all of which is insanely system (linux) specific, and therefore completely non-portable.
I genuinely don't understand how someone can see the value of Docker, but then do things so completely "not-docker" when it comes to deployment/stacks/orchestration.
Podman does not require systemd (thank God). I use a simple podman compose up/down in a user systemd file to automatically bring my containers up at boot, but other mechanisms are possible, like quadlets and init scripts.
I use podman regularly, and despite it being a good drop-in replacement like 95% of the time, the 5% of the time where it isn't seamless are super painful. For example, skaffold (https://skaffold.dev/) pukes all over itself when you try to run podman as a drop in replacement. I'm sure there are plenty of other examples, but that one stops me from using podman at work in addition to in my personal projects.
I mean, really, if we keep in mind that formally these are 2 totally unrelated projects, it's hard to complain. Yes, it's almost seamless. But since when installing Podman everyone thinks roughly "I am installing a newer better Docker version", and we all already have a few dozens of custom Docker containers running, it's hard no to wish it was even more seamless and backwards-compatible. I remember the transition process wasn't nearly as smooth as I hoped, and every small glitch is kinda stressful, because you know that currently all of it "somehow works", and if something breaks you probably won't even notice right away.
It’s not hard. It’s just fiddly.
You could quite simply have a systemd file that calls podman compose up when the service starts and podman compose down when it stops. Basically the same systemd file for every container stack defined in a single compose.yml. It's extremely easy, and does not do stuff behind your back like Docker (such as silently altering iptables rules).
They’re essentially long junior devs asking Claude to set up podman
I'd love to be able to recommend people use podman but not having a good docker compose compatibility and missing inotify on volumes makes the DX just too problematic.
podman-compose never worked well for me but docker-compose on podman did.
Podman on macOS feels miles less refined. Orbstack is a way better choice.
I only use podman on Linux and there it is blazing fast. Even so, most features seem to be geared to be able to replace kubernetes in combination with systemd. And then something simple as docker compose support is flaky and it’s TUI/ux lags behind the original.
The other issue is minor differences from Docker, but small enough that a packaged up Docker compose doesn’t work out of the box. It’s not a good use of my time to debug that when I could just switch to Docker, have it work, and get on with my day.
And usability continues for being security’s number one enemy...
macOS had a seperate set of problems. I ended up just going with buildx and Colima on macOS. (We don’t use Docker Desktop.)
Long term I’d like to try to switch to podman again, but it needs to have a “be 100% compatible with Docker” mode as opposed to this:
https://github.com/podman-container-tools/podman/issues/1478...
Either an old experience you had, or a newer experience you had on vastly out of date packages and probably podman itself?
Not even Tart or Apple Container support it, as far as I know. Maybe someone has found a way.
In general this seems to be a common complaint here. If you're developing with cloud runners or on linux infra you won't run into this, but on macOS for local development it is impactful.
And then there are the extra steps: Enable user lingering, make a systemd service that starts the compose containers (and there is nothing really “native”, it’s a script.) With Docker compose containers just restart if you say so in the file.
There are many great things about podman, will try again in a year or so perhaps?
I tried working through it with Claude, but after a few failed attempts I gave up. I'd like to use podman, but the docker compose + buildx compatibility gaps made it more trouble than it was worth for now. I'm definitely going to try it again.
Fedora and selinux may be a thing to look into if you were trying to share volumes.
I am posting this from a park on my phone, so this may be slightly wrong, but this is the multiarch case that seems to be harder to find for many people.
podman manifest create my-image:latest
podman build --platform linux/amd64 --manifest my-image:latest .
podman build --platform linux/arm64 --manifest my-image:latest .
podman manifest push my-custom-image:latest docker://docker.io/user/my-image:latest
All depends on your needs, but even with docker I prefer moving forward with OCI when possible, preferring standards to product specific workflows.Docker is something we all already hate, milion edge cases and forever bugs but at least well documented and understood. Podman claim to be drop-in replacement does it mean it carry docker shitness? Examples: ufw punch through, env file handling, volumes, etc
Documentation has also gotten better.
For tools that require docker to work, like testcontainers and tilt, I've found some annoyances using podman, but ultimately I've been able to work around them.
For everything else, it's pretty much a drop in replacement.
[1] https://github.com/podman-container-tools/podman/discussions...
Docker (the company) lost the plot in Linux containers, OCI got standardized, alternative runtimes came to be, and very few companies actually care to pay for Docker Desktop or the other services they sell.
Microsoft also is finally adding their own docker cli (wslc), due to having had enough pressure that many companies don't want to instal third party tools for Linux/Windows containers, even if API is compatible with docker daemon.
Apple is doing a similar approach on top of their virtualisation framework.
1. You have to use `sudo` for every `docker ...` command; or
2. You add your user to the `docker` group and now anything that can run as your user can use docker to read or write any file on your system, making docker into the best local privilege escalation option out there.
Devcontainers work without having to pass special arguments and deal with inconsistent stuff once in the devcontainer itself.
K3d is easier to work with Docker.
Docker locally just makes sense.
I've never interacted with anyone that knew them by another name. It's always (docker) container, where they may leave out the docker term, but if questioed what kind of container they mean theyll say it.
And the times I've called them OCI container (or image when talking about those) nobody knew what I meant until I clarified to docker
As a developer, I wager that any gains I get from Podman will be dwarfed by bugs that I’m encountering in the other software I use.
I’m not implying that Podman causes the bugs. I’m saying that I’ll be more likely to be the first person to encounter the bug.
So any time people talk about docker someone can go:
I use podman btw
"OCI container" doesn't have same ring, unfortunately.
And most Podman things are just clones of Docker, e.g. Containerfile. In a clone situation, the original brand will always have the staying power.
Zero changes needed and now I don’t need to keep a daemon running.
Great software.
is this firecracker or total rewrite
It runs ontop of the libkrun vmm forked with optimizations, which is the underlying lib powering podman as well.
open source, will contribute upstream when possible: https://github.com/smol-machines/libkrun
But it seems more like a completely different way to run isolated workloads?
It also has container-inages support built-in with crun so you can create a VM with a container running by default.
You can also just... run docker inside of it.
So I tried Rancher Desktop and other than I keep forgetting its name it just worked.
It's another simple option for those who need it.
As such, most of the fixes for Podman/Docker incompatibilities is just addressing that assumption with a few extra flags on the Podman commands to change how the user namespace maps between the container and the host, etc etc.
Most recently: Netavark doesn't match Docker's behavior with accepting broadcast traffic on a published port.
I have a lot of compose files in my homelab/automation setup and those are what I’m most concerned about.
The only issue I have is validation, there isn't a convenient built-in command to validate quadlet files and systemd doesn't warn you if any fail to generate. You either have to do a --dry-run first (and probably alias the full command to something reasonable) or check the journal for errors.
For quick conversions you can use compose files directly with podman-compose or docker compose pointed at the podman socket[0].
There's also podlet[1] which converts compose files into native quadlets. It does a pretty good job of taking care of everything for you and for a lot of simple to medium complexity compose files it will Just Work. There's talk of making it into a library of some kind so other tools can transparently convert compose files to quadlets so hopefully we'll see more stuff like it.
Otherwise, writing your own Quadlet files isn't too hard if you're at all familiar with systemd unit files. Most `docker run` or `podman run` arguments have direct quadlet conversions so once you get used to the INI format versus yaml it's pretty easy to see a compose file and churn out the equivalent quadlet(s).
I have zero issues with it doing the builds I need. Works same same as Docker from what I can tell.
I took Docker completely off my Macbook which has a tiny drive in it. Hardly ever use it, except for testing. Podman is super lightweight and using a project I'm developing, launches containers with dev agents in it, just the same as Windows running Docker.
Absolutely zero regrets, would never go back.
I have the feeling the docker company is communicating a lot with Apple because virtualisation got better and better over the years. I wonder if podman would be a speed downgrade here?
Highly recommend Podman overall; there are some quirky edge cases, but for the most part it’s a smooth replacement for Docker.
If you don’t want to give up compose entirely, podman-compose exists. I just prefer Quadlets so I haven’t used it much myself.
There is however, the LLMs that pull their fair share of documentation, or rather, replacing it. Not opening that can of worms here, but heck am I glad I can query `$AI` about occasional Podman "burst pipe", instead of hitting Google and looking for [that one e-mail message from a guy who had exactly the same issue, solved it _and_ had the wherewithal to post the solution](https://xkcd.com/979/).
We never got into use of `docker compose`, not in any capacity to speak of, and these days we use Kubernetes and OKD/Openshift for things that Docker -- in my understanding -- solves with swarm and composition. It works well enough, I almost don't find it worthwhile to mention that it does :)
Other than that, I haven't found anything that makes me consider using docker again.
The few cases where something was not directly translatable was <10 minutes with a coding agent to make some minor config changes, and then it just worked.
Regardless it works enough for me to run local Kubernetes and Tilt
Having a heterogenous fleet can be annoying though, some Podman-only config values[1] stop Docker dead in its tracks because it hates unknown fields.
1. It was a while back, and I can't remember what specific field it was, but it had to do with namespacing and/or (sub)UID mapping.
On the other hand I could see it being hard for people to only install the cli part of docker. Luckily on arch that was simple due to how it's packaged.
I'm also using podman-compose that is small and delightful (I had to fix a few bugs there). It's just one Python file that you can copy.
podman quadlet list
Added in v5.6.0, lists quadlets and their containers podman system migrate --migrate-db
Flag added in v5.8.0. I remember seeing the bolt db deprecation warnings in the past but there was no tool to do the migration to sqlite, now there is (or just upgrade to podman 6.0.0 and it will do it automatically)If I build an image with podman will it run in cri-o, docker and other misc runtimes?
Been debating on using rootless podman for building images since docker build requires sudo and it gets annoying with agentic workflows.
I've seen worse, but gray on beige is not my favorite.
no "container root" / "docker group" = "host root" shenanigans
podman doesn't spew garbage and punch holes in my firewall (iptables)
(edit: formatting)
The way Docker silently rewrites iptables rules is just insane. It boggles my mind that someone thought that it would be a good idea, and that it survived a peer review.