Today, every fast-growing business enterprise has to deploy new features of their app rapidly if they really want to survive in this competitive market. Developing apps today requires so much more than writing code. For developers, there is a vast array of complex tooling and a duplicate set of commands and tasks to go from local desktop to cloud-native development. It takes hours and possibly days for the development team to decide on the right cloud environment to meet their requirements and to have that environment successfully set up.
In the world of containerization, Docker has long been the go-to choice for developers and system administrators. However, with the rise of alternative container engines like Podman, it’s important to understand the similarities, differences, and key features of each. In this article, we will compare Docker and Podman, highlighting their strengths and use cases to help you make an informed decision on which container engine to choose.
Let’s first debunk the myths.
Undoubtedly, Docker today is the de facto standard for most developers for packaging their apps, but as the container market continues to evolve and diversify in terms of standards and implementations, confusion is rising among enterprise developers about which container platform is right for their environment. Fortunately, I am here to help with the top five reasons debunking many of these modern myths. This blog aims to clear up some commonly held misconceptions about Docker’s capabilities. The truth, as they say, shall set you free and ‘whalified’.
Myth #1: Podman supports rootless containers, Docker doesn’t.
This myth says that the Docker daemon requires root privileges and hence admins can’t launch containers as a non-privileged user.
Fact: Rootless mode was introduced in Docker Engine v19.03 as an experimental feature and graduated from experimental in Docker Engine v20.10. This means that Docker today can also be run as a non-root user. Rootless mode relies on user namespaces: root inside the container is mapped to an unprivileged UID on the host. Rootless containers therefore have a huge advantage over rootful containers since (you guessed it) they do not run under the root account. The benefit is that if an attacker is able to compromise and escape a container, they are still a normal user on the host. Containers started by a user cannot have more privileges or capabilities than the user itself.
Learn more – https://docs.docker.com/engine/security/rootless/
Myth #2: Docker doesn’t support daemonless architecture, Podman does.
Let us understand this myth. It says that when working with Docker, you have to use the Docker CLI, which communicates with a background daemon (the Docker daemon). The main logic resides in the daemon, which builds images and executes containers. This daemon runs with root privileges, which presents a security challenge: any user allowed to talk to the daemon effectively has root on the host. It also means that an improperly configured Docker container could potentially access the host filesystem without restriction. Because Docker depends on a daemon running in the background, whenever a problem arises with the daemon, container management comes to a halt. The daemon is therefore a single point of failure.
Fact: By default, when the Docker daemon terminates, it shuts down running containers. You can configure the daemon so that containers remain running if the daemon becomes unavailable. This functionality is called live restore. The live restore option helps reduce container downtime due to daemon crashes, planned outages, or upgrades. To enable the live restore setting to keep containers alive when the daemon becomes unavailable, you can add the configuration to the daemon configuration file:
On Linux, this defaults to /etc/docker/daemon.json. On Docker Desktop for Mac or Docker Desktop for Windows, select the Docker icon from the task bar, then click Preferences -> Docker Engine.
Use the following JSON to enable live-restore.
{
  "live-restore": true
}
Learn more: https://docs.docker.com/config/containers/live-restore/
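A small helper, added here and not part of the original article, that merges the live-restore setting into an existing daemon.json instead of overwriting it, and reads back what the daemon reports for both live restore (Myth #2) and rootless mode (Myth #1). The field names LiveRestoreEnabled and SecurityOptions are those of the real docker info JSON output; the sample values fed to it are constructed.

```python
"""Merge live restore into daemon.json and read back daemon state.

Added example, not from the article; the field names LiveRestoreEnabled and
SecurityOptions are those of the real `docker info --format '{{json .}}'`
output, the sample values are constructed."""
import json
from pathlib import Path

DEFAULT_PATH = Path("/etc/docker/daemon.json")  # Linux default named in the article


def merge_live_restore(existing: str) -> str:
    """Return daemon.json text with "live-restore": true merged in.

    Overwriting the file with the bare three-line snippet would silently drop
    any settings already present (registry mirrors, log driver, ...), so the
    existing object is parsed and extended. Empty input means an empty object.
    """
    config = json.loads(existing) if existing.strip() else {}
    if not isinstance(config, dict):
        raise ValueError("daemon.json must contain a single JSON object")
    config["live-restore"] = True
    return json.dumps(config, indent=2) + "\n"


def enable_live_restore(path: Path = DEFAULT_PATH) -> str:
    """Rewrite the config file in place (needs root on a rootful install)."""
    existing = path.read_text() if path.exists() else ""
    updated = merge_live_restore(existing)
    path.write_text(updated)
    return updated


def daemon_state(info_json: str) -> dict:
    """Summarise docker info JSON: is live restore on, is the daemon rootless?

    LiveRestoreEnabled only turns true after the daemon is restarted or
    reloaded (SIGHUP) with the new file; SecurityOptions contains
    "name=rootless" for a rootless daemon (Myth #1).
    """
    info = json.loads(info_json)
    options = info.get("SecurityOptions") or []
    return {
        "live_restore": bool(info.get("LiveRestoreEnabled", False)),
        "rootless": any(opt.startswith("name=rootless") for opt in options),
    }
```

Feed daemon_state the output of docker info --format '{{json .}}' after restarting the daemon to confirm the setting took effect.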
Myth #3: Docker doesn’t support container image signing. Podman does it flawlessly.
This myth states that Docker is not secure: Docker images can’t be trusted because they are not signed, Docker doesn’t validate your images, and it has no capability to track where images are pulled from.
Fact: Docker Content Trust has been available since Docker 1.8, which introduced it to let you verify the authenticity, integrity, and publication date of Docker images made available on the Docker Hub Registry. Docker Content Trust (DCT) provides the ability to use digital signatures for data sent to and received from remote Docker registries. These signatures allow client-side or runtime verification of the integrity and publisher of specific image tags.
Within the Docker CLI we can sign and push a container image with the ‘docker trust’ command. This is built on top of the Notary feature set. A prerequisite for signing an image is a Docker registry with a Notary server attached (such as Docker Hub).
docker trust

Usage:  docker trust COMMAND

Manage trust on Docker images

Management Commands:
  key         Manage keys for signing Docker images
  signer      Manage entities who can sign Docker images

Commands:
  inspect     Return low-level information about keys and signatures
  revoke      Remove trust for an image
  sign        Sign an image

Run 'docker trust COMMAND --help' for more information on a command.
Learn more – https://docs.docker.com/engine/security/trust/
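The client-side verification mentioned above, as an added example that is not part of the original article: it reads the JSON that docker trust inspect prints and checks which delegation signers actually signed a tag, something the pull-time check (enabled with DOCKER_CONTENT_TRUST=1) does not express on its own. The JSON layout follows the real command; the repository, signer names and key IDs are constructed.

```python
"""Check who signed an image tag, from `docker trust inspect` JSON output.

Added example, not from the article. The JSON layout (Name, SignedTags,
Signers) is that of the real command; names and key IDs below are
constructed samples."""
import json
from typing import List, Optional, Set

# Constructed sample shaped like `docker trust inspect example/trust-demo`.
SAMPLE_TRUST_OUTPUT = """[{
  "Name": "example/trust-demo",
  "SignedTags": [
    {"SignedTag": "v1", "Signers": ["alice"]},
    {"SignedTag": "v2", "Signers": ["alice", "bob"]}
  ],
  "Signers": [
    {"Name": "alice", "Keys": [{"ID": "key-alice"}]},
    {"Name": "bob", "Keys": [{"ID": "key-bob"}]}
  ]
}]"""


def signers_for_tag(trust_json: str, tag: str) -> Optional[List[str]]:
    """Signer names recorded for `tag`, or None when the tag is unsigned."""
    for repo in json.loads(trust_json):
        for signed in repo.get("SignedTags", []):
            if signed.get("SignedTag") == tag:
                return list(signed.get("Signers", []))
    return None


def tag_meets_policy(trust_json: str, tag: str, required: Set[str]) -> bool:
    """True only if the tag is signed and every required signer signed it.

    Pulling with DOCKER_CONTENT_TRUST=1 already rejects unsigned tags; this
    adds a who-signed-it check so a tag signed by a single delegation key
    (for example one developer) is not accepted where two signers are required.
    """
    signers = signers_for_tag(trust_json, tag)
    return signers is not None and required.issubset(signers)
```

Pipe the output of docker trust inspect IMAGE into tag_meets_policy in a CI step to gate deployments on the signers your release process requires.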
With the latest Docker Desktop 4.17 release, the Docker team introduced Docker Scout for the first time. Docker Scout is a collection of software supply chain features that appear throughout Docker user interfaces and the command line interface (CLI). These features provide detailed insights into the composition and security of container images.
How is Docker Scout different from other security tools?
There are various security tools available in the market today. While there are similarities and differences between all tools of this nature, Docker Scout stands out by offering both visibility into the dependencies called in specific layers of the images and remediation options directly in existing developer workflows. In particular, advanced image analysis not only lets you analyze the vulnerabilities in your dependencies but also provides remediation options that help you act quickly.
If a vulnerability is present in the base image, Docker Scout will check for any updated or patched base images and make recommendations to replace the base image. If a vulnerability is present in other layers, Docker Scout will indicate exactly where the vulnerability is introduced, and make recommendations accordingly.
Docker Scout is designed with developers in mind and integrated into Docker. With Docker Scout, you spend less time searching for and fixing vulnerabilities, and more time developing your code. Docker is building Docker Scout to sit as a layer on top of the Docker ecosystem to help developers build and maintain a secure software supply chain. Right now, Docker is focused on helping with vulnerability remediation; we think our CVE-to-package matching (using PURLs to help avoid false positives) and our SBOM-to-CVE-database matching (no need to rescan) are both nice improvements to the current developer experience.
Myth #4: Docker is becoming paid and not free software anymore. Podman is 100% free.
This myth states that Docker is not free software anymore: Docker has completely monetized the software, and hence one needs to pay for a subscription to use it.
Fact: Docker Engine and all upstream open source Docker and Moby projects are still free. Docker Desktop is free to download and install for your personal use. If you’re running a small business with fewer than 250 employees and less than $10 million in annual revenue, Docker Desktop is still free. Whether you are a student or an instructor in an academic or professional environment, it is still free to download and install. If you are working on an open source non-commercial project hosted on GitHub that abides by the Open Source Initiative definition, you can use Docker Desktop for free. All you need to do is fill out the form and apply.
For your open source project namespace on Docker Hub, Docker offers unlimited pulls and unlimited egress to any and all users, with no egress restrictions applying to any Docker users pulling images from that namespace. In addition, if your open source project uses Autobuild capabilities, you can continue using them for free. You are also free to continue to use Docker Desktop via the Docker Personal subscription.
Myth #5: Docker doesn’t support Kubernetes
This myth states that Docker is incapable of running Kubernetes Pods. A Pod represents a single instance of a running process in your cluster. Pods contain one or more containers, such as Docker containers. When a Pod runs multiple containers, the containers are managed as a single entity and share the Pod’s resources.
Fact: Docker Desktop does allow you to run Kubernetes Pods. If you have Docker Desktop installed on your Mac or Windows system, you can enable Kubernetes in the Dashboard UI and then deploy Pods on it. You can even use the native Docker Compose tool to bring up Kubernetes resources seamlessly.
Learn more – https://docs.docker.com/desktop/kubernetes/
5 Reasons why You Should use Docker instead of Podman
Here is the list of the top five reasons why you should use Docker instead of Podman:
1. Extensive Community and Ecosystem Support
Docker has a vast and well-established community with extensive resources and support. It offers a wide range of documentation, forums, and third-party tooling. The vibrant community ensures continuous development, support, and availability of Docker-related resources.
2. Comprehensive Image and Container Repository
Docker Hub, the official image repository for Docker, hosts a massive collection of pre-built container images. It provides a centralized platform for discovering, sharing, and collaborating on container images. The extensive library of Docker images simplifies the process of finding and deploying popular software stacks and applications.
3. Industry Standard and Compatibility
Docker has become the industry standard for containerization, with widespread adoption across various platforms. Major cloud providers, orchestration platforms, and CI/CD pipelines have built-in support for Docker. Its broad compatibility ensures seamless integration and portability across different deployment environments.
4. Powerful Orchestration and Tooling
Docker provides robust orchestration capabilities through Docker Compose and Docker Swarm. Docker Compose allows you to define and manage complex multi-container setups using a declarative YAML file. Docker Swarm enables container orchestration across multiple hosts, offering features like service discovery, load balancing, and rolling updates. With the support for Kubernetes, developers can spin up the built-in single-node Kubernetes cluster in minutes.
5. Maturity and Innovation
Docker has a rich history of driving containerization innovation. It introduced essential features such as container images, container registries, and container networking. Docker continues to invest in enhancing its platform, addressing security concerns, and improving performance based on real-world use cases.
If you’re a developer looking for a feature-rich, mature, enterprise-ready, industry-standard containerization platform, do check out Docker Desktop. With newer features like Docker Extensions, which help you transform and optimize workflows by connecting to pre-built developer tools for debugging, testing, networking, security, and more, and docker init, which generates Docker assets for your projects and makes it easier to create Docker images and containers, developers have freedom of choice and simplicity.