Podman 101 and Beyond!
Pierre Blanc, Red Hat [Open Source Summit EU 2022]

Podman is a container (and pod) manager with a focus on security. It is closely related to Kubernetes (it borrows the pod concept and can read and write Kubernetes YAML) but is very often used on its own as well.

Containers started with chroot. In the early 2000s came Linux-VServer and OpenVZ. In 2008 cgroups were merged into the kernel, and LXC was started to manage containers on top of them (together with namespaces). Docker was started in 2013 and Kubernetes in 2014; podman was started in 2017, spun out of Red Hat's CRI-O work, and v1.0.0 was released in 2019.

podman is an OCI engine, i.e. it does management (images, storage, networking, the CLI). The containerisation itself is done by an OCI runtime, runc or crun. Since these pieces follow the OCI specifications, engines, runtimes and images are interchangeable: an image built by docker runs under podman and vice versa, and either engine can drive either runtime.

An OCI container image consists of layers, each a tar archive (usually gzip-compressed) addressed by its sha256 digest, plus a JSON config and a manifest that lists those digests. It is distributed by a registry through the OCI-standardized Distribution API, so an engine can check every downloaded blob against the digest it asked for.
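Added example (not from the talk and not podman's code) showing what the layered, content-addressed layout looks like: it builds a one-layer image in memory using the OCI media types and JSON fields, verifies the digest chain index -> manifest -> config/layers, and shows that swapping the bytes behind a layer digest is detected. All data is constructed; uncompressed layers are used so that the blob digest and the config's rootfs diff_id coincide.

```python
# Added example (not from the talk or the podman project): build a minimal OCI
# image layout in memory and verify its digest chain. Everything here is
# constructed; the media types and JSON fields follow the OCI image spec.
import hashlib
import io
import json
import tarfile

LAYER_TYPE = "application/vnd.oci.image.layer.v1.tar"  # uncompressed tar layer
CONFIG_TYPE = "application/vnd.oci.image.config.v1+json"
MANIFEST_TYPE = "application/vnd.oci.image.manifest.v1+json"


def digest(data: bytes) -> str:
    """Content address used for every blob: 'sha256:<hex>'."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def make_layer(files: dict) -> bytes:
    """Pack {path: content} into a tar archive, the unit a registry stores as one blob."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, content in sorted(files.items()):
            info = tarfile.TarInfo(name=path)
            info.size = len(content)
            info.mtime = 0  # fixed timestamp keeps the layer digest reproducible
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_image(layers: list) -> tuple:
    """Return (blobs, index): blobs maps digest -> bytes, index is the image index."""
    blobs, layer_descs = {}, []
    for layer in layers:
        d = digest(layer)
        blobs[d] = layer
        layer_descs.append({"mediaType": LAYER_TYPE, "digest": d, "size": len(layer)})
    # For uncompressed layers rootfs.diff_ids equal the blob digests; with gzip
    # layers the diff_id is the digest of the *uncompressed* tar instead.
    config = json.dumps({
        "architecture": "amd64", "os": "linux",
        "config": {"Cmd": ["/bin/sh"]},
        "rootfs": {"type": "layers", "diff_ids": [d["digest"] for d in layer_descs]},
    }, sort_keys=True).encode()
    blobs[digest(config)] = config
    manifest = json.dumps({
        "schemaVersion": 2, "mediaType": MANIFEST_TYPE,
        "config": {"mediaType": CONFIG_TYPE, "digest": digest(config), "size": len(config)},
        "layers": layer_descs,
    }, sort_keys=True).encode()
    blobs[digest(manifest)] = manifest
    index = {"schemaVersion": 2, "manifests": [
        {"mediaType": MANIFEST_TYPE, "digest": digest(manifest), "size": len(manifest)}]}
    return blobs, index


def verify_image(blobs: dict, index: dict) -> bool:
    """Walk index -> manifest -> config/layers; every blob must match its descriptor."""
    def fetch(desc: dict) -> bytes:
        data = blobs.get(desc["digest"])
        if data is None or len(data) != desc["size"] or digest(data) != desc["digest"]:
            raise ValueError(f"blob {desc['digest']} missing or does not match descriptor")
        return data

    for mdesc in index["manifests"]:
        manifest = json.loads(fetch(mdesc))
        config = json.loads(fetch(manifest["config"]))
        diff_ids = config["rootfs"]["diff_ids"]
        if len(diff_ids) != len(manifest["layers"]):
            raise ValueError("manifest and config disagree on the number of layers")
        for desc, diff_id in zip(manifest["layers"], diff_ids):
            if digest(fetch(desc)) != diff_id:
                raise ValueError("layer content does not match rootfs.diff_ids")
    return True


def demo() -> tuple:
    """Build a one-layer image, verify it, then swap the layer bytes behind its digest."""
    layer = make_layer({"etc/motd": b"hello from layer 1\n"})
    blobs, index = build_image([layer])
    clean_ok = verify_image(blobs, index)
    tampered = dict(blobs)
    tampered[digest(layer)] = make_layer({"etc/motd": b"something else\n"})
    try:
        verify_image(tampered, index)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return clean_ok, tamper_detected


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The point of the exercise is the verification side: a registry or mirror that hands back a blob under the wrong digest is caught before anything is unpacked, which is why an engine should always pull by digest (image@sha256:...) rather than by a mutable tag when it matters.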

The podman CLI is compatible with docker's, so alias docker=podman works for most day-to-day use. It is however not compatible with docker swarm: podman has no orchestrator of its own and relies on Kubernetes (via its YAML) for that.

Some basic examples of commands: the podman image subcommands have shortcuts, e.g. podman images == podman image list. podman image search (or podman search) looks for an image in the configured registries and supports filtering, e.g. --filter is-official.

podman can manage SELinux constraints. For example, if a host directory is mounted as a volume with the :Z modifier, podman relabels it with a label private to that container so the container can actually access it (:z gives a shared label usable by several containers). Caveat: the relabeling rewrites the labels on the host directory, so never use :Z or :z on system directories such as /home, /usr or /; restrict it to directories meant for the container.

Pods are a group of containers that work together for a common purpose. They are started, stopped, cloned, … together, and share namespaces such as the network namespace (so the containers reach each other over localhost). podman pod manages pods. With podman run --pod NAME, a container is added to an existing pod; podman run --pod new:NAME creates the pod and adds the container in one step.

podman stores images and containers in the user's home directory (~/.local/share/containers) rather than in a central root-owned place, so you don't need to be root to use it (rootless mode, based on user namespaces). There is no central daemon. This increases security a lot: a container escape in rootless mode only gains the rights of the unprivileged user. There is a helper project, Udica, for generating SELinux policies for containers. Inside the container, podman uses capabilities to limit what root can do. podman also drops many syscalls with seccomp by default; the blocked ones have to be turned on explicitly (with a custom seccomp profile) if they are needed.
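Added example (not podman's code) that models how the seccomp profile and the capability set combine. The profile JSON below is a constructed, trimmed version in the shape of podman's default /usr/share/containers/seccomp.json; the default capability list is reproduced as an assumption; and the includes/excludes semantics (a rule with includes.caps applies if the container holds any listed capability, excludes.caps disables it if it holds any) are my reading of the Docker-derived profile loader. Argument filters, architectures and minKernel conditions are not modelled.

```python
# Added example (not podman's own code): a small model of how the seccomp profile
# podman loads (by default /usr/share/containers/seccomp.json) is combined with
# the container's capabilities. The profile below is constructed and heavily
# trimmed but keeps the real file's shape; syscall argument filters ("args"),
# architectures and minKernel conditions are deliberately not modelled.
import copy
import json

PROFILE_JSON = """
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "defaultErrnoRet": 38,
  "syscalls": [
    {"names": ["read", "write", "openat", "close", "mmap", "futex", "exit_group"],
     "action": "SCMP_ACT_ALLOW", "args": []},
    {"names": ["clone"], "action": "SCMP_ACT_ALLOW", "args": [],
     "excludes": {"caps": ["CAP_SYS_ADMIN"]}},
    {"names": ["clone", "bpf", "mount", "umount2", "pivot_root", "setns", "unshare"],
     "action": "SCMP_ACT_ALLOW", "args": [],
     "includes": {"caps": ["CAP_SYS_ADMIN"]}},
    {"names": ["reboot"], "action": "SCMP_ACT_ALLOW", "args": [],
     "includes": {"caps": ["CAP_SYS_BOOT"]}}
  ]
}
"""
PROFILE = json.loads(PROFILE_JSON)

# Capabilities podman grants a container by default (containers.conf
# default_capabilities); reproduced here as an assumption, check your own config.
DEFAULT_CAPS = frozenset({
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FOWNER", "CAP_FSETID", "CAP_KILL",
    "CAP_NET_BIND_SERVICE", "CAP_SETFCAP", "CAP_SETGID", "CAP_SETPCAP",
    "CAP_SETUID", "CAP_SYS_CHROOT",
})


def rule_applies(rule: dict, caps) -> bool:
    """includes.caps: the rule needs at least one of them present.
    excludes.caps: the rule is dropped if any of them is present.
    (Any-of semantics, assumed to match the Docker-derived loader.)"""
    inc = rule.get("includes", {}).get("caps", [])
    exc = rule.get("excludes", {}).get("caps", [])
    if inc and not any(c in caps for c in inc):
        return False
    if exc and any(c in caps for c in exc):
        return False
    return True


def evaluate(profile: dict, syscall: str, caps) -> str:
    """Action for `syscall`: the first applicable rule naming it, else defaultAction."""
    for rule in profile["syscalls"]:
        if syscall in rule["names"] and rule_applies(rule, caps):
            return rule["action"]
    return profile["defaultAction"]


def allowed_syscalls(profile: dict, caps) -> set:
    """Everything that ends up on the allowlist for a container with these caps."""
    return {name for rule in profile["syscalls"]
            if rule["action"] == "SCMP_ACT_ALLOW" and rule_applies(rule, caps)
            for name in rule["names"]}


def allow_extra(profile: dict, names: list) -> dict:
    """Copy of the profile with an unconditional allow rule for `names`; this is
    the kind of file you hand to podman run --security-opt seccomp=custom.json
    when a workload genuinely needs a syscall the default profile blocks."""
    custom = copy.deepcopy(profile)
    custom["syscalls"].append({"names": list(names), "action": "SCMP_ACT_ALLOW", "args": []})
    return custom


if __name__ == "__main__":
    admin = DEFAULT_CAPS | {"CAP_SYS_ADMIN"}
    for name in ("read", "mount", "bpf", "reboot", "clone"):
        print(f"{name:8} default caps: {evaluate(PROFILE, name, DEFAULT_CAPS):14}"
              f" +CAP_SYS_ADMIN: {evaluate(PROFILE, name, admin)}")
    print("bpf with custom profile:", evaluate(allow_extra(PROFILE, ['bpf']), "bpf", DEFAULT_CAPS))
```

Two things worth noticing when running it: adding CAP_SYS_ADMIN silently widens the syscall allowlist (mount, pivot_root, setns, unshare, bpf) because the profile is written in terms of capabilities, which is one reason --cap-add=SYS_ADMIN is close to --privileged; and the right fix for a blocked syscall is a narrow custom profile (allow_extra), not disabling seccomp with --security-opt seccomp=unconfined.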

buildah is a helper tool for building images, either from a Containerfile/Dockerfile or step by step from the shell; podman build is built on it.

skopeo is a tool to manipulate registries and images without a local engine, e.g. copying/mirroring images between registries and inspecting manifests without pulling the image.

Kubernetes creates containers, pods and volumes based on a YAML file. podman can consume such a file with podman play kube (podman kube play in newer versions), and podman generate kube (podman kube generate) produces one from a running container or pod.

On macOS and Windows, podman machine creates a Linux VM (Fedora CoreOS) in which the containers run, and the podman CLI talks to it remotely. This feature can also be used on Linux.

podman desktop is a GUI for podman.