PodMan: Daemon‑less Container Engine Overview
Key Points
- Containers package an app with its runtime and dependencies so it can run consistently across development, QA, and production environments, eliminating “it works on my machine” problems.
- PodMan is an open‑source container engine that lets you build, manage, and deploy containers without needing a separate background service.
- Unlike Docker’s client/server model that relies on a root‑owned daemon, PodMan uses a lightweight fork‑exec architecture, running commands directly in the user’s process space.
- This daemon‑less design enables root‑less operation and tighter integration with existing Linux security mechanisms, making PodMan a more secure and efficient alternative for container workflows.
- Red Hat’s developer advocate Cedric Clyburn demonstrates how to get started with PodMan, highlighting its ease of use and the benefits of its unique architecture for modern hybrid‑cloud deployments.
Sections
- Untitled Section
- Podman vs Docker: Daemon‑less Rootless Security - The speaker explains how Docker’s central daemon creates a single point of failure and runs as root, while Podman’s daemon‑less, root‑less design lets containers run as a regular user, reducing security risks.
- Using PodMan with Kubernetes - The speaker explains how PodMan’s single‑host networking enables containers to communicate, demonstrates using an Nginx reverse‑proxy container, and shows exporting manifests directly to a Minikube cluster, highlighting PodMan’s security, efficiency, and deployment benefits.
Full Transcript
# PodMan: Daemon‑less Container Engine Overview **Source:** [https://www.youtube.com/watch?v=5WML8gX2F1c](https://www.youtube.com/watch?v=5WML8gX2F1c) **Duration:** 00:07:24 ## Summary - Containers package an app with its runtime and dependencies so it can run consistently across development, QA, and production environments, eliminating “it works on my machine” problems. - PodMan is an open‑source container engine that lets you build, manage, and deploy containers without needing a separate background service. - Unlike Docker’s client/server model that relies on a root‑owned daemon, PodMan uses a lightweight fork‑exec architecture, running commands directly in the user’s process space. - This daemon‑less design enables root‑less operation and tighter integration with existing Linux security mechanisms, making PodMan a more secure and efficient alternative for container workflows. - Red Hat’s developer advocate Cedric Clyburn demonstrates how to get started with PodMan, highlighting its ease of use and the benefits of its unique architecture for modern hybrid‑cloud deployments. ## Sections - [00:00:00](https://www.youtube.com/watch?v=5WML8gX2F1c&t=0s) **Untitled Section** - - [00:03:12](https://www.youtube.com/watch?v=5WML8gX2F1c&t=192s) **Podman vs Docker: Daemon‑less Rootless Security** - The speaker explains how Docker’s central daemon creates a single point of failure and runs as root, while Podman’s daemon‑less, root‑less design lets containers run as a regular user, reducing security risks. - [00:06:17](https://www.youtube.com/watch?v=5WML8gX2F1c&t=377s) **Using PodMan with Kubernetes** - The speaker explains how PodMan’s single‑host networking enables containers to communicate, demonstrates using an Nginx reverse‑proxy container, and shows exporting manifests directly to a Minikube cluster, highlighting PodMan’s security, efficiency, and deployment benefits. ## Full Transcript
Are you looking for a secure and efficient way to manage your containers?
Or maybe you've already heard of PodMan as a Docker alternative, and you're looking to learn more.
Well, your search ends here.
Today, we're going to be doing a deep dive into what PodMan is as a container engine.
Now, my name is Cedric Clyburn. I'm a developer advocate at Red Hat.
And the IBM folks have graciously allowed me to come in today to introduce PodMan and show you not only what PodMan is,
but how it works and how to get started.
So really quickly, before we dive into what PodMan is, let's quickly talk about why containers are so crucial
and set up the scene for PodMan.
Now let's say we're a developer and we just finished developing our application.
Let's say maybe it's a Java app or could be Node or it could be Python, whatever it may be.
Now say we want to run it on another developer's computer or maybe run it in the cloud.
How do we take this application along with its code base, its runtime,
maybe it's using the JDK and its libraries
and ensure that this is compatible on maybe another developer's machine
or different environments such as QA, development and prod.
Well, this is where containerization comes in effectively encapsulating your entire application
into one single transferable unit that can run the same way anywhere you want to deploy it.
So say it's our colleague's computer.
We can run it over there, or we can take our same application
and run it anywhere on a server in the hybrid cloud.
This effectively gets rid of the “oh, it works on my machine” issue
that we has developers face way too often.
Now this is where PodMan comes in.
So PodMan is a container engine.
It's an open source project that helps us with developing containers.
It helps us with managing both the containers and the images, and it helps us to deploy containers.
So it's a super powerful tool and it has two unique features about it that make it different from other container engines.
Firstly, is its daemon-less approach.
Now if we look at another popular container engine such as Docker,
what will notice is that when we're working with the Docker CLI
on our terminal or maybe using Docker desktop, what's actually happening
is we're doing functions such as building an image or running a container.
And what we're actually doing is talking to something in the background called the Docker Daemon.
Now what is the Docker daemon?
Well, it's commonly referred to as the Docker engine, and it's responsible for all the heavy lifting.
So it'll create containers for us, it'll help us build images, and it will do a lot of other functions,
but it's running in the background as a system process and it's running as root.
So we have this daemon that's responsible for all the heavy lifting.
This is what's known as a client/server architecture.
Now PodMan is a little bit different in its architecture.
PodMan uses something known as the fork exec model.
So instead of having this background daemon process running in the background to create containers, work with images.
Now we're doing everything from the client itself.
So when we're creating a container, PodMan is actually forking itself and this child process then becomes the container.
So this difference in architecture makes PodMan unique
and makes it more efficient, lightweight and secure when it comes to container engines.
Now, this also brings us to the point of something called a single point of failure.
Say, for example, that our Docker engine running in the background would suddenly crash, become unresponsive or be quit.
Now we no longer have access to the containers, images and anything else that's attached to the Docker engine.
So this is what makes PodMan unique is its daemon-less approach.
But because of this architecture, this brings us into the root versus rootless idea.
So say we're having an application running on our computer.
So say we're running it as root.
Of course, that's going to bring in several security implications.
Say there's a vulnerability, like we commonly see with a lot of applications nowadays.
If that was to be exploited and taken advantage of by a hacker,
now the application could go rogue and our entire system is at risk.
But say we had the same application and we're running it not as root, just as a regular user.
Well, we have the same vulnerability.
However, if a hacker were to exploit this vulnerability,
the container, the application is only running as a non root user,
so only our user could be affected.
This effectively adds another level of security as a container engine
and is the difference between the approaches of Docker,
where the Docker engine is running in the background as root and PodMan, with its root-less approach
and daemon-less approach, allows you to run by default containers just as a user and not as root.
Now you'll notice some similarities when we drew the architecture of Docker and PodMan.
This is because they're both based on something called the OCI,
which is the Open Container Initiative, which has some standards for how we work with container technologies.
This means that if you're coming from Docker and you're using PodMan, a lot of the commands such as pulling, pushing and building are the same.
So let's go down here and actually check this out with some of the PodMan commands that we would use on a day-to-day basis.
So say we want to pull the container down from a registry.
So say we have the Nginx container right here.
We would do “podman pull"
and then give the name of the image that we want to pull down.
So for this one, we can do Nginx.
Now we're pulling from our default Docker hub or k8s.io registry.
We're pulling down this image.
Now that we've got this image in our local registry., now we can run it with “podman run".
And of course we can add any flags here that we'd like to, to expose ports, to mount volumes, whatever it might be.
So we'll also call the Nginx image right there.
Now that we have a running container on our system.
To list it, and then the other active containers, we can do “podman ps” and this will list any active containers.
Now this is just a small subset of the PodMan commands that we use on a day-to-day basis.
And you'll notice it's very similar to Docker if you have Docker experience, but PodMan doesn't just stop at the commands.
PodMan goes a step further with something known as PodMan pods.
So much like Kubernetes pods, a pod is a group of one
or more containers that share the same volume and the same network.
So think of it as a single host network where both of the containers can talk to each other with seamless networking.
Now let's say we have our job application here that we've been working on.
This could be a back end for our application and we can use this Nginx image that we pull down earlier
as a Nginx container working as a reverse proxy to route the traffic.
Now with PodMan, we can run this pod and additionally we can export the manifest to our cluster.
So if we're learning Kubernetes and we're using, say, minikube,
we can export this directly to our cluster.
So PodMan can be super helpful with learning Kubernetes.
So to recap everything -- in this fast changing world
of containerization and microservices, PodMan is a robust container engine that helps with security,
with efficiency, and with seamless deployment of your containerized applications.
So thanks so much for watching. My name is Cedric Clyburn.
Stay tuned to the channel for more lightboard videos and have a great day.
Thanks for watching this video as always.
Don't forget to like and subscribe and we'll see you in the next one.