
1101 points codesmash | 5 comments
Tajnymag ◴[] No.45137696[source]
I've wanted to migrate multiple times. Unfortunately, it failed in multiple places.

Firstly, podman had a much worse performance compared to docker on my small cloud vps. Can't really go into details though.

Secondly, the development ecosystem isn't really fully there yet. Many tools utilizing Docker via its socket fail to work reliably with podman, either because the API differs or because of permission limitations. Sure, the tools could probably work around those limitations, but they haven't, and podman isn't a direct 1:1 drop-in replacement.

replies(3): >>45137765 #>>45137786 #>>45138642 #
bonzini ◴[] No.45137786[source]
> podman had a much worse performance compared to docker on my small cloud vps. Can't really go into details though.

Are you using rootless podman? Then network redirection is done using user-mode networking, which has two modes: slirp4netns is very slow; pasta is the newer and good one.

Docker is always set up from the privileged daemon; if you're running podman from the root user there should be no difference.

replies(1): >>45138205 #
Tajnymag ◴[] No.45138205[source]
Well, yes, but rootless is basically the main selling point of podman. Once you start using daemons and privileged containers, you can just keep using docker.
replies(1): >>45139084 #
bonzini ◴[] No.45139084[source]
No, the main selling point is daemonless. For example, you put podman in a systemd unit and you can stop/start with systemctl without an external point of failure.

Comparing root docker with rootless podman performance is apples to oranges. However, even for rootless, pasta does have good performance.

replies(1): >>45139849 #
curt15 ◴[] No.45139849[source]
Some tools talk to docker not using the docker CLI but directly through its REST API. Podman also exposes a similar REST API[1]. Is Podman with its API server switched on substantially different from the docker daemon?

[1]. https://docs.podman.io/en/latest/markdown/podman-system-serv...

replies(2): >>45143003 #>>45146950 #
bonzini ◴[] No.45143003[source]
Yes because the API server is stateless, unlike the docker daemon. If you kill it you can still operate on containers, images, etc. by other means, whereas if you kill the docker daemon the CLI stops working too.
xylophile ◴[] No.45146950[source]
Docker daemon runs as root, and runs continuously.

If you're running rootless Podman containers then the Podman API is only running with user privileges. And, because Podman uses socket activation, it only runs when something is actively talking to it.

replies(1): >>45147175 #
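The socket-activated, user-privileged API described in the comment above, as an added example that is not part of the thread: it resolves the per-user socket path, builds the DOCKER_HOST value a Docker-API client accepts, and enables the socket unit only where systemctl exists. It assumes a Linux host with systemd --user and Podman's podman.socket unit; the fallback runtime directory is an assumption for non-login shells.

```shell
#!/bin/sh
# Added example (not from the thread): enabling the rootless Podman API
# socket and pointing a Docker-API client at it. Assumes systemd --user
# and Podman's podman.socket unit are available.

# Resolve the per-user socket path. Podman's user socket lives under
# $XDG_RUNTIME_DIR/podman/podman.sock; fall back to /run/user/<uid>
# when the variable is unset (assumption: e.g. a non-login shell).
podman_user_socket() {
    runtime_dir="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}"
    printf '%s\n' "$runtime_dir/podman/podman.sock"
}

# The DOCKER_HOST value that Docker-API tools accept for that socket.
podman_docker_host() {
    printf 'unix://%s\n' "$(podman_user_socket)"
}

# Enable the socket unit. systemd listens on the socket; the podman
# service is only started when a client connects and exits when idle,
# so no long-running root daemon is left behind. Guarded so the file can
# be sourced on a machine without systemd.
enable_podman_socket() {
    command -v systemctl >/dev/null 2>&1 || { echo "systemctl not available" >&2; return 1; }
    systemctl --user enable --now podman.socket
}

# Sanity check before exporting DOCKER_HOST: the path must be a socket.
check_podman_socket() {
    sock="$(podman_user_socket)"
    [ -S "$sock" ]
}

# Usage (interactive):
#   enable_podman_socket && export DOCKER_HOST="$(podman_docker_host)"
#   docker info   # or any Docker-API client, now talking to rootless podman
```

Because the socket is created under the user's runtime directory, only that user (not root, not other users) can reach the API; the `check_podman_socket` step is worth running before pointing a tool at it, since a missing socket usually means the user unit was never enabled.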
eriksjolund ◴[] No.45147175[source]
Sometimes it's possible to not use the Podman API at all. Convert the compose file to quadlet files with the command-line tool podlet and start the container with "systemctl --user start myapp.service". Due to the fork/exec architecture of podman, the container can then be started without using the Podman API.
replies(1): >>45147295 #
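The quadlet route described above, as an added example that is not part of the thread and not podlet's output: a hand-written `.container` unit is written to the directory the Quadlet user generator scans, and the resulting `<name>.service` is started with `systemctl --user`, so no Podman API server is involved. The unit name `myapp`, the image and the port mapping are constructed values; it assumes a Linux host with systemd --user and a Podman version that ships the Quadlet generator.

```shell
#!/bin/sh
# Added example (not from the thread, not generated by podlet): write a
# Quadlet .container unit for a rootless container and start it through
# systemd --user. Names, image and port are constructed for the example.

# Directory the Quadlet generator scans for a user's units.
quadlet_user_dir() {
    printf '%s\n' "${XDG_CONFIG_HOME:-$HOME/.config}/containers/systemd"
}

# Write <dir>/<name>.container. Each [Container] key maps to a podman
# run flag: Image= is the image, PublishPort= is -p, DropCapability= is
# --cap-drop. At daemon-reload the generator turns this into <name>.service.
write_quadlet() {
    dir="$1"; name="$2"; image="$3"; port="$4"
    mkdir -p "$dir"
    cat > "$dir/$name.container" <<EOF
[Unit]
Description=$name (rootless container managed by systemd)

[Container]
Image=$image
ContainerName=$name
PublishPort=$port
# Drop all capabilities; add back only what the image actually needs.
DropCapability=ALL

[Service]
Restart=on-failure

[Install]
WantedBy=default.target
EOF
    printf '%s\n' "$dir/$name.container"
}

# Minimal validity check: a Quadlet container unit needs a [Container]
# section with an Image= key, otherwise the generator rejects it.
quadlet_has_image() {
    grep -q '^\[Container\]' "$1" && grep -q '^Image=' "$1"
}

# Reload the user manager so the generator runs, then start the service.
# Guarded so the file can be sourced on a machine without systemd or podman.
start_quadlet() {
    command -v systemctl >/dev/null 2>&1 || { echo "systemctl not available" >&2; return 1; }
    systemctl --user daemon-reload
    systemctl --user start "$1.service"
}

# Usage (interactive):
#   write_quadlet "$(quadlet_user_dir)" myapp docker.io/library/nginx:alpine 8080:80
#   start_quadlet myapp
#   systemctl --user status myapp.service
```

The container's full configuration lives in the unit file under version control rather than in daemon state, which is the property the thread is after: `systemctl --user stop`/`start` drives podman's fork/exec directly, and killing nothing but the container leaves no daemon to recover.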
bonzini ◴[] No.45147295[source]
Yes, either quadlet or handwritten podman CLI in .service files is the way to go. I don't like using generate-systemd because it hides the actual configuration of the container, I see no point in being stateful...