PODMAN vs DOCKER - should you switch now?

Captions
If you thought Docker would be the only option to run containerized applications, well, here is an alternative that is called Podman, which claims to be more secure and more lightweight than Docker. So let's have a look.

Hi everybody, my name is Christian and I make tutorials and content for IT professionals. I also stream a lot on YouTube and Twitch, where I do some live Q&As or live coding and hacking sessions, so if you want to see that, just jump into my live streams. It's always a lot of fun.

So let's talk about Docker versus Podman, because Docker has really changed the way we develop and maintain applications, and it has made containerization very, very popular. But it's not the only way of running containers. In fact, Linux containers are defined in a standard way, and Docker is just one implementation of running these containers. Podman is a nice open source tool that was originally developed by Red Hat engineers and that tries to replace Docker completely.

But what is wrong with Docker? Why do we actually need to replace it? Well, one thing that always was some kind of concerning is that Docker relies on a daemon that is running in the background of your system. So whenever you are accessing the Docker CLI or the Docker API to run and manage containers, you're always communicating with that daemon that is running in the background. Podman instead doesn't have that daemon. Instead, it's a tool that is written in Go, and if you execute something on the Podman CLI, it just executes those commands and runs those containers directly on the system. And that has two major benefits over Docker. The first one is that it doesn't rely on a single point of failure like the Docker daemon, which is running in the background and managing all these processes. And the second one is that you can run containers completely rootless. So the problem with the Docker daemon is that it's running in the background with root privileges, and whenever you want to give someone access to the Docker CLI by adding the user to the docker group, or you are exposing the Docker API or the Docker socket to any other containers, that means giving these people access and root privileges on your server. And of course this has some valid security concerns.

But before we clarify the question of whether you should be worried and immediately stop running Docker containers and switch to Podman, let's have a look at how it works. To get more information about Podman you should go to the official homepage, podman.io, which is a good starting point, and you will find some news in the form of blog posts as well. It has some nice introduction documents where you can read about Podman, what it is and how it works, check out the command reference and also find some great tutorials about the setup and usage of Podman. So when you go to the Getting Started section, you'll find installation instructions for Windows, macOS and of course many different Linux distros.

So in my example I'll use an Ubuntu server to test Podman, and you can see if you're running Ubuntu 20.10 you can simply just execute a sudo apt install podman. But in my case, because I often use the long term support versions of Ubuntu, 20.04, I need to execute the commands below that will add the recommended package sources. So I can just go and copy all these commands and paste them into the CLI. This will now take a long time, as this is a fresh new server that needs to update some packages, but once this is finished I can then just execute a sudo apt install podman that will install Podman and all the necessary tools that are needed to run those containers.

Once the installation is finished, you can execute the podman command, and first let's check out the help to see how the command structure works. If you're familiar with the Docker CLI you will probably notice that it has nearly exactly the same command structure as the docker command. The Podman devs have basically used the same CLI commands as in Docker, because they wanted to make the transition for people easy and simple, without the need to learn new commands. In fact, they even mention on their homepage that in theory you could simply just create an alias command for podman that is called docker. However, I wouldn't do that myself, because it would just confuse me.

To show you that Podman does nearly the same as Docker, let's try to run the Docker hello-world container. You can see it also pulls down exactly the same images from the docker.io registry, and when you run the hello-world container you can even see the message "Hello from Docker". So if we execute a podman ps, we would see all containers that are currently running, and because the hello-world container has exited already, we only see it when executing the podman ps --all command. You can also just remove the container with the podman rm command. So you can see, when you know about Docker you don't need to learn anything new, you can just use it the same way, which I think is really, really nice.

So let me also show you something different. As you probably have noticed, I've not used the sudo command to run any containers, and that's the advantage. However, there are some conditions where you might need root privileges. For example, let's try to run an nginx container and expose the HTTP port 80. So it pulls down the image as usual from the Docker Hub, but then it says "rootless cannot expose privileged port 80", and that's because in the sysctl.conf it is described that all ports below 1024 are privileged ports, where we need root user permission to expose them. So well, you could now just run the podman command as sudo, but we usually don't want to do that. So you might need to edit the sysctl.conf to remove the privileged ports, or simply just expose another port that is higher than 1024. So let's edit the command and expose port 8080.

You can see now the container is running, and when we execute a podman ps we can also see that our container is there. And if you execute a ps aux and grep for the nginx process, you can see that the process is currently running, but as my current user, vagrant. If you would do the same in Docker, you could see that the process is always running as root, and this is exactly one of the security concerns the developers of Podman have about the Docker daemon.

So does that now mean that Podman is more secure than Docker? Yes, it is. But you still need to decide for yourself whether you should just stop using Docker and replace it with Podman. So don't just listen to anyone telling you this in a YouTube video, just go out, read the documentation, do your own research and make your own decision. I can just tell you my personal opinion, and this is: although Podman has some benefits over Docker, I still want to use some tools like Portainer or Watchtower that are built around the Docker implementation, because it just makes managing and maintaining containers so much easier. By the way, if you want to learn more about Portainer, which is a nice and clean web UI to manage all your Docker containers, and Watchtower, which is able to automatically update all these containers, just have a look at my two videos about that. I've put the links in the video description below.

And for me personally, it's better to run Docker having those features available and just do my best to secure my server and the environment and to follow the best practices, than to switch to Podman and not have these features. So following the best practices to secure your server obviously means: don't give someone access to the docker group, knowing that you would give someone root privileges on your server; don't expose the Docker API to any external network; and don't mount the Docker socket into any containers from untrusted sources. And therefore I think Podman is not going to replace Docker completely soon. However, at some point we probably should ask ourselves if we could not switch to other management and utility tools that are developed around the Podman implementation. We see something similar with the Cockpit web UI, which has dropped Docker support but has implemented a nice and clean web UI to manage and run containers with the Podman implementation. However, that is still lacking some features compared with Portainer. Still, I think it's good to have some alternatives, and you can make a decision on your own whether you want to switch to Podman. I will definitely follow this project because it's really nice, and I hope it gets more popular in the future, so that other developers create some awesome tools around the Podman implementation.

So I hope this video helped you to learn about Podman and make a decision on your own, and if you enjoyed this video then please don't forget to hit the like button and subscribe to this channel if you want to see more tutorials for IT professionals. And if you have any questions or things you want to discuss, just jump into one of my live streams or join our awesome Discord community. We have a very great and friendly and respectful Discord community, so just check it out. Before I go, I also want to give a quick shout out to all my supporters on Patreon, especially Mason, who is the producer of the show. And if you want to support my mission to help as many people as possible to jump into the field of IT and become active professionals, then you can just support me on Patreon. So thanks everybody for watching, enjoy the rest of your day, take care of yourself, and I hope I see you soon.
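Below is an added shell example, not code from the video or from the Podman project, that turns the privileged-port step of the walkthrough into a small script. It reads the kernel threshold the video attributes to sysctl.conf (the sysctl is net.ipv4.ip_unprivileged_port_start, default 1024), remaps a privileged host port such as 80 to an unprivileged one such as 8080 instead of falling back to sudo, and then runs nginx rootless when podman is installed. The container name "web", the docker.io/library/nginx image and the +8000 remapping rule are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the video): publish a web container rootless with Podman
# without reaching for sudo. The kernel's privileged-port threshold is read from
# net.ipv4.ip_unprivileged_port_start (default 1024) and a privileged host port is
# remapped to an unprivileged one, the same workaround the video uses (80 -> 8080).
set -eu

# Lowest port an unprivileged process may bind. Falls back to the 1024 default when
# /proc/sys is not readable (for example on a non-Linux host).
unprivileged_port_start() {
    local f=/proc/sys/net/ipv4/ip_unprivileged_port_start
    if [ -r "$f" ]; then cat "$f"; else echo 1024; fi
}

# port_is_privileged PORT [START]: succeed when PORT is below START.
port_is_privileged() {
    local port=$1 start=${2:-$(unprivileged_port_start)}
    [ "$port" -lt "$start" ]
}

# rootless_host_port PORT [START]: print a host port a rootless user can publish.
# Privileged ports are shifted up by 8000 (80 -> 8080, 443 -> 8443, an assumed
# convention); ports already at or above START are returned unchanged.
rootless_host_port() {
    local port=$1 start=${2:-$(unprivileged_port_start)}
    if port_is_privileged "$port" "$start"; then
        echo $((port + 8000))
    else
        echo "$port"
    fi
}

# podman_run_cmd HOST_PORT: the exact command line, kept in one place so it can be
# inspected without a podman binary present. Container name and image are assumptions.
podman_run_cmd() {
    echo "podman run -d --name web -p $1:80 docker.io/library/nginx"
}

# run_rootless_nginx [WANTED_HOST_PORT]: remap the port if needed, then run nginx
# rootless when podman is installed; otherwise only report what would have run.
run_rootless_nginx() {
    local want=${1:-80} host cmd
    host=$(rootless_host_port "$want")
    cmd=$(podman_run_cmd "$host")
    if [ "$host" != "$want" ]; then
        echo "port $want is privileged for a rootless user; publishing on $host instead" >&2
    fi
    if command -v podman >/dev/null 2>&1; then
        $cmd
        # The container's processes belong to the invoking user, not root (the check
        # the video does with "ps aux | grep nginx"):
        ps -o user=,pid=,args= -C nginx || true
    else
        echo "podman not found; would run: $cmd" >&2
    fi
}

# Alternative to remapping: lower the threshold system-wide. This needs root once and
# applies to every user and program on the host, so prefer remapping where you can:
#   sudo sysctl net.ipv4.ip_unprivileged_port_start=80

run_rootless_nginx "${1:-80}"
```

Run it as ./rootless_web.sh 80 on the Ubuntu box from the video: the script reports that 80 is privileged, publishes on 8080 instead, and the final ps line lists the nginx processes owned by your own user rather than root. Passing an explicit threshold as the second argument to rootless_host_port lets you check the remapping logic on a host where the sysctl has been changed.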
Info
Channel: The Digital Life
Views: 13,930
Rating: 4.968442 out of 5
Keywords: podman vs docker, podman vs docker 2020, podman vs docker commands, podman vs docker difference, podman vs docker networking, podman vs docker performance, podman vs docker security, docker, podman, docker security, docker tutorial, docker vs podman, podman containers, podman pod, podman tutorial, open source, red hat
Id: jzd0YoqBJjc
Length: 9min 31sec (571 seconds)
Published: Sun Jan 31 2021