Containers without Docker (podman, buildah, and skopeo)
Cedric Clyburn
Posted on July 19, 2022
While Docker is commonly the standard when it comes to containers, we're starting to see why alternatives like Podman are quickly becoming popular replacements for container-based development. Although Docker has been around for almost 10 years and standardized containerization, Podman has some huge advantages, namely being "daemonless" (not needing systemd
or any other service to run in the background). Are there alternatives to Docker? Yes, and let's take a look at how we can get started with Podman, Buildah, and Skopeo.
Introduction
Docker has been an innovator in how developers build and deploy applications, and is a good tool. From building images, pushing/pulling images from registries, and running images, Docker does it all. However, Docker is a huge monolithic application and relies on a heavy daemon, which, if at a point failed, all child processes would become unreachable.
This is what Podman, an open-source daemonless and rootless container engine, was developed with in mind. Podman runs using the runC container runtime process, directly on the Linux kernel, and launches containers and pods as child processes. In addition, it was developed for the Docker developer, with most commands and syntax seamlessly mirroring Docker's. Buildah, an image builder, and Skopeo, the image utility tool, are both complimentary to Podman as well, and extend the range of operations able to be performed.
Due to Docker being such a large tool, we can break it down into a few components, mainly, this includes the container engine, image builder, and image distribution. Instead of relying on Docker, let’s take a look at some light-weight replacements that can achieve the same functionality.
Podman
Podman is a daemonless and rootless container engine, allowing you to run, manage, and interact with containers. The commands are the same as Docker due to the standards of the Open Container Initiative (OCI), and you can even alias Docker to Podman (alias docker=podman
). While the Docker daemon normally runs as root, a long-standing security concern, Podman can be run in rootless mode. Podman even includes the functionality to orchestrate containers with Kubernetes!
Getting started with Podman
- Firstly, let’s install Podman. Based on your runtime, you can use the various installation methods in the documentation. You can even easily use Podman on Mac using
brew install podman
and Windows using this blog.
$ sudo dnf -y install podman
- Run a httpd container
$ podman run -dt -p 8080:80/tcp docker.io/library/httpd
Trying to pull docker.io/library/httpd:latest...
Getting image source signatures
Copying blob d6bc17b4451a done
…
- Check container status
$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
5d5f92a59ea3 docker.io/library/httpd:latest httpd-foreground 24 seconds ago Up 25 seconds ago 0.0.0.0:8080->80/tcp happy_beaver
- Access your application! We could simply do a
curl
command, or access the IP of our application with port 8080 on a browser, and we’ll see ourhttpd
server running.
$ curl localhost:8080
<html><body><h1>It works!</h1></body></html>
Buildah
Buildah is a daemonless and rootless image builder tool complimentary to Podman that produces OCI compliant images. It’s able to build images from Dockerfile
, and can be run directly inside of containers.
Getting started with Buildah
- Let’s install Buildah, which can be done by checking the installation documentation. Just like Podman, Buildah is shipped on Fedora 35/36, RHEL 8+, CentOS, OpenSUSE, and Ubuntu, and more.
$ sudo dnf -y install buildah
- Build an image from
Dockerfile
. While the default command to build any container image isbuildah bud -t tag-name .
in a directory with aDockerfile
, let’s say we’re working on a Next.js application. Firstly, let’s download the bootstrap usingnpx
.
$ npx create-next-app --example with-docker nextjs-docker
$ cd next-js docker
- Now, we’ve got a Next.js application, with a Dockerfile inside ready to build our app. Let’s go ahead and build our container image.
$ buildah build -t nextjs-docker .
[1/3] STEP 1/5: FROM node:16-alpine AS deps
Resolved "node" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull docker.io/library/node:16-alpine…
Successfully tagged localhost/nextjs-docker:latest
- Check image status.
$ buildah images
REPOSITORY TAG IMAGE ID CREATED SIZE
localhost/nextjs-docker latest 162bee38beb9 8 seconds ago 118 MB
- Run container and check the installation, looks great!
$ podman run -p 3000:3000 nextjs-docker
Skopeo
Skopeo is an image utility tool that complements Podman and Buildah, allowing you to remotely inspect images, copy images between registries, and more. Like the others, it doesn’t require a daemon to be running or root privileges, and can work with OCI compatible images.
Getting started with Skopeo
- Let’s install Skopeo, which can be done using the installation documentation.
$ sudo dnf -y install skopeo
- Push our image to a remote registry. If we haven’t already done so, let’s upload the image we just built with Buildah to the Docker hub.
$ podman login docker.io
$ podman push nextjs-docker docker.io/cedricclyburn/nextjs-docker
- Copy image to a different registry. Recently, Docker Hub rate limits and paid tier changes have encouraged engineers to start using alternative image registries like Quay.io. Let’s take our existing image from Docker, and copy it over to Quay.io.
$ skopeo login quay.io
$ skopeo copy docker://cedricclyburn/nextjs-docker:latest docker://quay.io/cedric-clyburn/nextjs-docker:latest
- Inspect the image. Skopeo allows us to inspect properties or configuration of an image on remote repositories using
skopeo inspect
.
$ skopeo inspect docker://quay.io/cedric-clyburn/nextjs-docker
{
"Name": "quay.io/cedric-clyburn/nextjs-docker",
"Digest": "sha256:779bf91bd2d407b4db9e7e7035cc77dfbd0f2cbd435067a40f485960d2889ded",
"RepoTags": [
"latest"
],
"Created": "2022-07-19T18:30:29.872420186Z",
…
Conclusion
As we’ve seen, you can use Podman, Buildah, and Skopeo as replacements to the traditional Docker workflow, without the use of a daemon or root privileges. There are plenty of great advantages that result from using these tools, and due to the increase of developer adoption there’s only more to come. I believe there’s a future for containers without Docker, and Podman (as well as the Buildah and Skopeo family) is a great alternative to work with.
Note: This content comes from one of my DevNation Tech Talks, and the full presentation + slides can be found here!
Posted on July 19, 2022
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.