Podman instead of Docker? #534
-
I guess everybody who learned about Podman and used it wants to have this (see also this, this, this, this, this and many more). But I think @shobhitic wanted to explore it.
-
Would be a challenge to support Podman because Kamal uses the Docker socket - classic Docker is a hard requirement for the socket. Also that probably means no rootless Docker.
-
Hi, since rails 8 incorporates kamal, it should really be able to work with podman/buildah.

First of all, it is not just a matter of an "advantage": Many systems (such as mine) do not even have docker, and just use podman/buildah for several reasons. One reason is that other applications may need podman/buildah for their advanced features and better compatibility with kubernetes, and you should not use/install both at the same time. It sometimes is just a requirement given by other constraints to use podman/buildah instead of docker, such as better systemd integration. E.g. Fedora CoreOS comes with both podman and docker, but warns to not use both of them, while CoreOS and its configuration system is strongly based on systemd+podman. So "what is the advantage" is sometimes simply the wrong question, because users might not have a choice. kamal build create is not even able to build the container on a podman/buildah based system.

Another reason is that podman is much easier in running rootless containers and thus has better security. Docker has got a rootless mode as well, but it is more complicated. You get it for free on podman. Furthermore, on a system where you just have a non-root account with ssh access, you probably would not have access to docker, because it would allow you to break into the root account.

Yes, podman can be run with a docker compatible socket. But this is not how it is supposed to be run. podman containers should be started by systemd and configured by what they call a quadlet file (man quadlet). kamal should at least partly support this and be able to build and push the container image with podman/buildah tools.

regards
-
The client/server architecture of Docker is not ideal - running a server (daemon) is a "single-point-of-failure" running in elevated security mode. Instead - consider Podman, which can run in user mode, and is compatible with Docker.