Podman, the powerful container multitool (Sascha Grunert) [FOSDEM 2020]

link slides demo

Podman is a container management tool that can be used as a replacement for docker, but it can do more than that.

Originally it was planned as a debugging tool for kubernetes.

You can do alias docker=podman, but podman behaves a little differently in places, so it is not entirely a drop-in replacement.

It has a lot of dependencies, not only at build time: at run time it also relies on other tools, e.g. for networking (CNI plugins) and for the OCI container runtime (runc).

podman is a daemonless container engine. Each running container is monitored by its own conmon process; conmon in turn calls into runc to set up the container. Because the container state lives with runc rather than in a daemon, you can use runc directly to look at the running containers.
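To see this daemonless layout on a live system, here is an added shell script (not from the talk or from the Podman project) that starts a container, walks its process ancestry from the host, and then queries the same container through runc directly. It assumes a Linux host with /proc, a podman that uses runc as its OCI runtime, the docker.io/library/alpine image, and that runc was invoked with its default state root (otherwise add --root <dir> to the runc calls); the container name is a placeholder.

```shell
#!/bin/sh
# Added example: inspect a podman container's process tree and runc state.
# Not from the talk or from Podman itself. Linux-only (reads /proc).
set -eu

# Parent PID of a process, read from /proc/<pid>/status.
ppid_of() { awk '/^PPid:/ {print $2}' "/proc/$1/status"; }

# Command name of a process.
comm_of() { cat "/proc/$1/comm"; }

# Print "pid comm" for a process and each of its ancestors up to PID 1.
ancestry() {
  local pid
  pid=$1
  while [ -n "$pid" ] && [ "$pid" -gt 0 ]; do
    printf '%s %s\n' "$pid" "$(comm_of "$pid")"
    if [ "$pid" -eq 1 ]; then break; fi
    pid=$(ppid_of "$pid")
  done
}

# Start a throwaway container and show which process actually parents it.
demo() {
  local name cpid conmon id
  name=${1:-runc-demo}   # placeholder container name (assumption)
  podman run -d --rm --name "$name" docker.io/library/alpine sleep 300 >/dev/null

  cpid=$(podman inspect --format '{{.State.Pid}}' "$name")
  conmon=$(podman inspect --format '{{.State.ConmonPid}}' "$name")
  id=$(podman inspect --format '{{.Id}}' "$name")

  echo "container PID: $cpid  conmon PID: $conmon  parent of container: $(ppid_of "$cpid")"
  # Expect: sleep -> conmon -> init/systemd. There is no podman process in the
  # chain: the podman command that started the container has already exited.
  ancestry "$cpid"

  # The same container seen from runc. Assumes runc is podman's OCI runtime and
  # uses its default state root; otherwise add --root <dir> to both calls.
  runc list
  runc state "$id"

  podman stop "$name" >/dev/null
}

# The podman/runc part only runs when asked for explicitly: `sh script.sh run`.
if [ "${1:-}" = run ]; then demo; fi
```

If `runc list` comes back empty while `podman ps` shows the container, podman and runc are looking at different state roots (rootless podman keeps its runtime state under the user's XDG_RUNTIME_DIR), so point runc at the right directory with --root before trusting what it reports.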

Podman is architected to be rootless. Most things keep working when running rootless, because it uses user namespaces: root inside the container is mapped to the unprivileged user who started podman, so no root-owned daemon is needed.

Podman gives a lot of control over the degree of isolation between a container and the host, and between containers. For example, it is easy to share the pid namespace between two containers. Use podman ps --ns to see which namespaces the running containers are in.

Podman is based on pods, a concept coming from kubernetes. A pod is a group of containers that share some namespaces (by default the network, IPC and UTS namespaces). When a pod is created, an "infra" container is started that holds those shared namespaces open for the lifetime of the pod. Within the pod, it is then possible to create several containers that join them.

The state (= the containers that were started) is stored in the pod. It can be saved as a yaml file (a kubernetes manifest) with podman generate kube, and podman play kube can replay that manifest.
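As an added example (not from the talk or from Podman itself) covering both the namespace sharing and the pod/manifest round trip described above, the following shell script creates a pod whose containers also share the PID namespace, checks the sharing from the host side by comparing /proc/<pid>/ns links, and then saves the pod with podman generate kube, deletes it and replays it with podman play kube. It assumes a Linux host, the docker.io/library/alpine image, and a podman whose pod create accepts --share pid,ipc,net,uts; the pod name and the /tmp path are placeholders. For two standalone containers without a pod, podman run --pid container:<name> shares the PID namespace alone.

```shell
#!/bin/sh
# Added example: a pod with a shared PID namespace, checked from the host,
# then saved as a Kubernetes manifest and replayed.
# Not from the talk or from Podman itself. Linux-only (reads /proc/<pid>/ns).
set -eu

# Namespace identity of a process, e.g. "pid:[4026531836]".
ns_id() { readlink "/proc/$1/ns/$2" 2>/dev/null; }

# Exit 0 if two PIDs share a namespace of the given type (pid, net, ipc, uts,
# mnt, user, ...), 1 if they do not, 2 if either cannot be inspected.
same_ns() {
  local a b
  a=$(ns_id "$1" "$3") || return 2
  b=$(ns_id "$2" "$3") || return 2
  [ "$a" = "$b" ]
}

demo() {
  local pod img pa pb po ns
  pod=${1:-ns-demo}                 # placeholder pod name (assumption)
  img=docker.io/library/alpine

  # ipc, net and uts are shared in a pod by default; pid is added explicitly.
  podman pod create --name "$pod" --share pid,ipc,net,uts >/dev/null
  podman run -d --pod "$pod" --name "${pod}-a" "$img" sleep 300 >/dev/null
  podman run -d --pod "$pod" --name "${pod}-b" "$img" sleep 300 >/dev/null
  # Control: a container outside the pod, sharing nothing.
  podman run -d --rm --name "${pod}-outside" "$img" sleep 300 >/dev/null

  pa=$(podman inspect --format '{{.State.Pid}}' "${pod}-a")
  pb=$(podman inspect --format '{{.State.Pid}}' "${pod}-b")
  po=$(podman inspect --format '{{.State.Pid}}' "${pod}-outside")
  for ns in pid net ipc uts mnt; do
    if same_ns "$pa" "$pb" "$ns"; then
      echo "pod members share $ns"
    else
      echo "pod members have separate $ns"   # expected for mnt: each has its own rootfs
    fi
  done
  if same_ns "$pa" "$po" pid; then
    echo "unexpected: outside container shares the pod's pid namespace"
  else
    echo "outside container has its own pid namespace"
  fi
  podman ps --ns                              # the same picture from podman's side

  # Persist the pod as a Kubernetes manifest, destroy it, and replay it.
  podman generate kube "$pod" > "/tmp/${pod}.yaml"
  podman pod rm -f "$pod" >/dev/null
  podman play kube "/tmp/${pod}.yaml"
  podman pod ps

  podman pod rm -f "$pod" >/dev/null
  podman stop "${pod}-outside" >/dev/null
}

# The podman part only runs when asked for explicitly: `sh script.sh run`.
if [ "${1:-}" = run ]; then demo; fi
```

The security point to keep in mind when loosening isolation this way: once two containers share a PID namespace, each can see, and with sufficient capabilities signal or trace, the other's processes, so the pod rather than the container becomes the trust boundary. Check the generated yaml before relying on it to carry the sharing settings across a replay.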