Podman - The Container Tool That Doesn't Need Root

Docker Desktop requiring a license for teams over 250 people was the final straw. We needed something that worked the same but didn't cost $21/month per developer. Podman turned out to be exactly that, plus it fixed security issues I didn't even know we had.

No More Daemon Bullshit

Docker's daemon architecture always bugged me. You have this privileged service running as root that manages everything, and if it crashes, all your containers die. I've had the Docker daemon lock up and take down local development environments more times than I care to count.

Podman runs each container as a direct child process of your user session. No daemon, no root privileges unless you explicitly ask for them. When I run podman run nginx, it starts nginx as my user, not as root. If one container segfaults, it doesn't affect anything else.

The security implications are massive. No more /var/run/docker.sock that basically gives any container root access to your entire system. CVE-2019-5736 scared the shit out of everyone running Docker in production - containers could escape and overwrite the host's runc binary. Podman's architecture makes this class of attack much harder.

The Migration Was Actually Easy

I was dreading switching our entire team's workflow, but it took about 30 minutes. Most Docker commands work identically:

• docker run → podman run
• docker build → podman build
• docker ps → podman ps

I just added alias docker=podman to everyone's shell and 90% of our scripts kept working. The remaining 10% were edge cases around networking and volume permissions that we fixed as we found them.

The only real gotcha was rootless containers can't bind to ports below 1024 without configuration. So if you have nginx listening on port 80, you need to either run sysctl net.ipv4.ip_unprivileged_port_start=80 or map to a higher port.

Kubernetes Integration That Actually Works

Docker Compose is fine for simple stuff, but we deploy to Kubernetes. The impedance mismatch between local development and production was always annoying. Podman supports pods natively, so you can group containers locally exactly like they'll run in production.

Better yet, podman generate kube creates valid Kubernetes YAML from your local setup. No more manually translating Docker Compose files or dealing with kompose's quirks. What runs locally can deploy to Kubernetes with minimal changes.

## Create a pod with nginx and redis
podman pod create --name webapp -p 8080:80
podman run --pod webapp --name web nginx
podman run --pod webapp --name cache redis

## Generate production-ready Kubernetes YAML  
podman generate kube webapp > webapp-deployment.yaml

Real World Performance

I'm not going to quote bullshit benchmarks about "22% faster startup" because performance depends entirely on your workload. What I can say is that removing the daemon overhead makes container startup feel snappier, especially in CI where you're spinning up containers constantly.

The memory usage is noticeably lower too. Docker's daemon uses about 100MB just sitting there doing nothing. Podman only uses memory when containers are actually running. For development laptops, this matters.

The real win is in CI/CD. We run containers in GitLab CI and GitHub Actions without needing Docker-in-Docker or special privileges. Rootless containers just work, no daemon socket mounting or security exceptions needed.

This is why Red Hat moved RHEL to Podman by default - it's more secure and doesn't require maintaining a privileged daemon. If you're running enterprise Linux, Podman is probably already installed.

But the real question is how this all works under the hood, and whether the architectural differences actually matter in practice.

The Real Technical Differences That MatterWhen I dug into Podman's architecture, I found some genuinely interesting stuff that goes beyond the marketing bullshit. Here's what actually matters if you're running containers in production.### How Podman Actually Works Under the HoodInstead of a daemon, Podman uses a [fork/exec model](https://github.com/containers/podman/blob/main/docs/source/markdown/podman.1.md) where each container runs as a direct child of your shell session. When you run podman run nginx, it literally forks a process and exec's the container runtime.This means containers show up in your process tree as normal processes. You can kill -9 them, they inherit your user's resource limits, and they die if your terminal session ends (unless you detach them). It's actually elegant once you understand it.The [process model](https://docs.podman.io/en/latest/introduction.html) also means better resource accounting. With Docker, all containers are children of the daemon, so tracking which container is using what resources gets messy. With Podman, each container's resource usage is directly attributable to the process that started it.### Storage and Networking Reality CheckPodman uses the same [OCI runtimes](https://github.com/opencontainers/runc) as Docker (runc/crun), so container performance is basically identical. The "faster startup" claims are mostly about eliminating daemon IPC overhead, which matters if you're spinning up thousands of short-lived containers but is negligible for long-running services.What's more interesting is the [storage](https://docs.podman.io/en/latest/markdown/podman-info.1.html#storage). Podman stores images and containers in your home directory by default (~/.local/share/containers), not in /var/lib/docker. This is great for rootless operation but can be confusing if you're expecting system-wide image sharing.The [networking](https://github.com/containers/netavark) is where things get tricky. Docker uses its own bridge network by default. Podman uses CNI plugins or the newer netavark, depending on your setup. This means some networking edge cases behave differently:bash# This works in Docker but might fail in Podman rootlesspodman run -p 80:80 nginx # Can't bind to privileged ports# Need to either configure unprivileged ports or use higher portspodman run -p 8080:80 nginx # This works fine### The systemd Integration Nobody Talks AboutHere's something Docker can't do: [native systemd integration](https://docs.podman.io/en/latest/markdown/podman-generate-systemd.1.html). You can generate systemd service files directly from your containers:bash# Run a containerpodman run -d --name web nginx# Generate a systemd service filepodman generate systemd --name web > /etc/systemd/system/web.service# Now it's a proper system servicesystemctl enable web.servicesystemctl start web.serviceThis is huge for production deployments. Instead of managing containers through Docker daemon, they become first-class systemd services with proper dependency management, automatic restarts, and integration with the init system.[Quadlet](https://docs.podman.io/en/latest/markdown/podman-systemd.unit.5.html) in Podman 4.4+ makes this even better. You can write .container files that look like systemd units, and systemd will automatically manage the containers for you.### macOS and Windows: The Virtualization RealityOn macOS and Windows, Podman runs in a [Linux VM](https://github.com/containers/podman/blob/main/docs/tutorials/podman-for-windows.md) just like Docker Desktop. The difference is Podman Machine uses [QEMU](https://www.qemu.org/) with [Apple's Hypervisor framework](https://developer.apple.com/documentation/hypervisor) on newer Macs, which is actually faster than Docker Desktop's implementation in some cases.The file mounting performance was trash in early versions but got much better with [virtiofs](https://virtio-fs.gitlab.io/) support. It's still not native Linux performance, but it's acceptable for development work.One annoying thing: Podman machine VMs don't automatically start on boot by default. You need to run podman machine start manually or set up your own startup script. Docker Desktop handles this automatically.### Security Model Deep DiveThe [rootless containers](https://rootlesscontaine.rs/) thing isn't just marketing. Podman containers run in your user namespace with [user namespaces](https://man7.org/linux/man-pages/man7/user_namespaces.7.html) enabled by default. This means even if a container breaks out, it's still trapped in your user's permission context.The [SELinux integration](https://github.com/containers/container-selinux) is automatic when available. On RHEL/Fedora systems, containers get proper SELinux contexts without any configuration. Docker supports this too, but you have to enable it manually.What's really nice is [secrets management](https://docs.podman.io/en/latest/markdown/podman-secret.1.html). Podman has built-in secrets support that integrates with systemd and doesn't require running additional services:bash# Create a secretecho "mysecret" | podman secret create db_password -# Use it in a containerpodman run --secret db_password mysql### The Container Registry StoryBoth Docker and Podman can pull from any [OCI-compliant registry](https://github.com/opencontainers/distribution-spec), but Podman's [multiple registry support](https://github.com/containers/image) is more flexible. You can configure fallback registries, authentication for different registries, and even [mirror configurations](https://docs.podman.io/en/latest/markdown/podman-system-service.1.html#registries-configuration) without editing daemon configs.The [Skopeo](https://github.com/containers/skopeo) integration is clutch for CI/CD. You can copy images between registries, inspect remote images without pulling them, and do other registry operations that would require pulling images with Docker.