Open main menu

Changes

1,361 bytes added ,  23:00, 11 October 2023
add sections for Podman vs Docker; Pod security; Podman Desktop and references
Breaking down your container workloads https://podman-desktop.io/docs/onboarding/containers This documentation for Podman Desktop compares various capabilities for runtimes and OS combinations for your containerization workloads.
<br />
 
== Podman vs Docker ==
Podman runs in a fork-exec model, not a client-server model avoiding the overhead of the [[Docker]] daemon that runs continuously and consumes significant resources. Furthermore Podman runs on the host as the local user, not root so it is fundamentally more secure. Speaking of security, since Podman comes from RedHat, it's no surprise that it runs just fine with SELinux set to "enforce" mode. While Docker offers AppArmor as a security layer, it's too lax by default, you have to learn the syntax, and write your own policies, AND it doesn't work with rootless Docker, nor does it offer isolation between containers <ref>https://www.redhat.com/sysadmin/apparmor-selinux-isolation</ref>.
<br />
 
== Pod security ==
Using [https://github.com/containers/udica Udica], you can generate SELinux policies for your containers.
 
And, the whole "no daemon" model offers many advantages over the Docker daemon model when it comes to security, isolation and auditing.
 
Unlike [[Docker]], Podman respects firewalls by default.
<br />
 
== Podman Desktop ==
Like Docker Desktop, there is a graphical application called '''Podman Desktop''' (https://podman-desktop.io/) that you can use to build, run, and manage your containers, pods, and other objects. It even allows you to work with Kubernetes from your local environment.
{{References}}
[[Category:Virtualization]]