Containers without Docker (podman, buildah, and skopeo)

While Docker is commonly the standard when it comes to containers, we're starting to see why alternatives like Podman are quickly becoming popular replacements for container-based development. Although Docker has been around for almost 10 years and standardized containerization, Podman has some huge advantages, namely being "daemonless" (not needing systemd or any other service to run in the background). Are there alternatives to Docker? Yes, and let's take a look at how we can get started with Podman, Buildah, and Skopeo.

Introduction

Docker has been an innovator in how developers build and deploy applications, and is a good tool. From building images, pushing/pulling images from registries, and running images, Docker does it all. However, Docker is a huge monolithic application and relies on a heavy daemon, which, if at a point failed, all child processes would become unreachable.

This is what Podman, an open-source daemonless and rootless container engine, was developed with in mind. Podman runs using the runC container runtime process, directly on the Linux kernel, and launches containers and pods as child processes. In addition, it was developed for the Docker developer, with most commands and syntax seamlessly mirroring Docker's. Buildah, an image builder, and Skopeo, the image utility tool, are both complimentary to Podman as well, and extend the range of operations able to be performed.

Due to Docker being such a large tool, we can break it down into a few components, mainly, this includes the container engine, image builder, and image distribution. Instead of relying on Docker, lets take a look at some light-weight replacements that can achieve the same functionality.

Podman

Podman is a daemonless and rootless container engine, allowing you to run, manage, and interact with containers. The commands are the same as Docker due to the standards of the Open Container Initiative (OCI), and you can even alias Docker to Podman (alias docker=podman). While the Docker daemon normally runs as root, a long-standing security concern, Podman can be run in rootless mode. Podman even includes the functionality to orchestrate containers with Kubernetes!

Getting started with Podman

• Firstly, lets install Podman. Based on your runtime, you can use the various installation methods in the documentation. You can even easily use Podman on Mac using brew install podman and Windows using this blog.

$ sudo dnf -y install podman

• Run a httpd container

$ podman run -dt -p 8080:80/tcp docker.io/library/httpdTrying to pull docker.io/library/httpd:latest...Getting image source signaturesCopying blob d6bc17b4451a done

• Check container status

$ podman psCONTAINER ID IMAGE              COMMAND      CREATED     STATUS       PORTS         NAMES5d5f92a59ea3 docker.io/library/httpd:latest httpd-foreground 24 seconds ago Up 25 seconds ago 0.0.0.0:8080->80/tcp happy_beaver

• Access your application! We could simply do a curl command, or access the IP of our application with port 8080 on a browser, and well see our httpd server running.

$ curl localhost:8080<html><body><h1>It works!</h1></body></html>

Buildah

Buildah is a daemonless and rootless image builder tool complimentary to Podman that produces OCI compliant images. Its able to build images from Dockerfile, and can be run directly inside of containers.

Getting started with Buildah

• Lets install Buildah, which can be done by checking the installation documentation. Just like Podman, Buildah is shipped on Fedora 35/36, RHEL 8+, CentOS, OpenSUSE, and Ubuntu, and more.

$ sudo dnf -y install buildah

• Build an image from Dockerfile. While the default command to build any container image is buildah bud -t tag-name . in a directory with a Dockerfile, lets say were working on a Next.js application. Firstly, lets download the bootstrap using npx.

$ npx create-next-app --example with-docker nextjs-docker$ cd next-js docker

• Now, weve got a Next.js application, with a Dockerfile inside ready to build our app. Lets go ahead and build our container image.

$ buildah build -t nextjs-docker .[1/3] STEP 1/5: FROM node:16-alpine AS depsResolved "node" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)Trying to pull docker.io/library/node:16-alpineSuccessfully tagged localhost/nextjs-docker:latest

• Check image status.

$ buildah imagesREPOSITORY        TAG     IMAGE ID   CREATED     SIZElocalhost/nextjs-docker latest   162bee38beb9 8 seconds ago  118 MB

• Run container and check the installation, looks great!

$ podman run -p 3000:3000 nextjs-docker

Skopeo

Skopeo is an image utility tool that complements Podman and Buildah, allowing you to remotely inspect images, copy images between registries, and more. Like the others, it doesnt require a daemon to be running or root privileges, and can work with OCI compatible images.

Getting started with Skopeo

• Lets install Skopeo, which can be done using the installation documentation.

$ sudo dnf -y install skopeo

• Push our image to a remote registry. If we havent already done so, lets upload the image we just built with Buildah to the Docker hub.

$ podman login docker.io$ podman push nextjs-docker docker.io/cedricclyburn/nextjs-docker

• Copy image to a different registry. Recently, Docker Hub rate limits and paid tier changes have encouraged engineers to start using alternative image registries like Quay.io. Lets take our existing image from Docker, and copy it over to Quay.io.

$ skopeo login quay.io$ skopeo copy docker://cedricclyburn/nextjs-docker:latest docker://quay.io/cedric-clyburn/nextjs-docker:latest

• Inspect the image. Skopeo allows us to inspect properties or configuration of an image on remote repositories using skopeo inspect.

$ skopeo inspect docker://quay.io/cedric-clyburn/nextjs-docker{"Name": "quay.io/cedric-clyburn/nextjs-docker","Digest": "sha256:779bf91bd2d407b4db9e7e7035cc77dfbd0f2cbd435067a40f485960d2889ded","RepoTags": \["latest"],"Created": "2022-07-19T18:30:29.872420186Z",

Conclusion

As weve seen, you can use Podman, Buildah, and Skopeo as replacements to the traditional Docker workflow, without the use of a daemon or root privileges. There are plenty of great advantages that result from using these tools, and due to the increase of developer adoption theres only more to come. I believe theres a future for containers without Docker, and Podman (as well as the Buildah and Skopeo family) is a great alternative to work with.

Cedric Clyburn

@cedricclyburn

just released my #Podman blog on @rhdevelopers! Take a look, it's a super dope #Linux tool to finally be "Dockerless" red.ht/2IQ9xdg

22:56 PM - 19 Nov 2020

Note: This content comes from one of my DevNation Tech Talks, and the full presentation + slides can be found here!