Containers without Docker (podman, buildah, and skopeo)

cedricclyburn

Cedric Clyburn

Posted on July 19, 2022

Containers without Docker (podman, buildah, and skopeo)

While Docker is commonly the standard when it comes to containers, we're starting to see why alternatives like Podman are quickly becoming popular replacements for container-based development. Although Docker has been around for almost 10 years and standardized containerization, Podman has some huge advantages, namely being "daemonless" (not needing systemd or any other service to run in the background). Are there alternatives to Docker? Yes, and let's take a look at how we can get started with Podman, Buildah, and Skopeo.

Introduction

Docker has been an innovator in how developers build and deploy applications, and is a good tool. From building images, pushing/pulling images from registries, and running images, Docker does it all. However, Docker is a huge monolithic application and relies on a heavy daemon, which, if at a point failed, all child processes would become unreachable. 

Differences between the architecture of Docker and Podman

This is what Podman, an open-source daemonless and rootless container engine, was developed with in mind. Podman runs using the runC container runtime process, directly on the Linux kernel, and launches containers and pods as child processes. In addition, it was developed for the Docker developer, with most commands and syntax seamlessly mirroring Docker's. Buildah, an image builder, and Skopeo, the image utility tool, are both complimentary to Podman as well, and extend the range of operations able to be performed.

Due to Docker being such a large tool, we can break it down into a few components, mainly, this includes the container engine, image builder, and image distribution. Instead of relying on Docker, let’s take a look at some light-weight replacements that can achieve the same functionality.

Podman

Podman logo

Podman is a daemonless and rootless container engine, allowing you to run, manage, and interact with containers. The commands are the same as Docker due to the standards of the Open Container Initiative (OCI), and you can even alias Docker to Podman (alias docker=podman). While the Docker daemon normally runs as root, a long-standing security concern, Podman can be run in rootless mode. Podman even includes the functionality to orchestrate containers with Kubernetes!

Getting started with Podman

  • Firstly, let’s install Podman. Based on your runtime, you can use the various installation methods in the documentation. You can even easily use Podman on Mac using brew install podman and Windows using this blog.


$ sudo dnf -y install podman


Enter fullscreen mode Exit fullscreen mode
  • Run a httpd container


$ podman run -dt -p 8080:80/tcp docker.io/library/httpd

Trying to pull docker.io/library/httpd:latest...
Getting image source signatures
Copying blob d6bc17b4451a done 
…


Enter fullscreen mode Exit fullscreen mode
  • Check container status


$ podman ps

CONTAINER ID  IMAGE                           COMMAND           CREATED         STATUS             PORTS                 NAMES

5d5f92a59ea3  docker.io/library/httpd:latest  httpd-foreground  24 seconds ago  Up 25 seconds ago  0.0.0.0:8080->80/tcp  happy_beaver


Enter fullscreen mode Exit fullscreen mode
  • Access your application! We could simply do a curl command, or access the IP of our application with port 8080 on a browser, and we’ll see our httpd server running.


$ curl localhost:8080

<html><body><h1>It works!</h1></body></html>


Enter fullscreen mode Exit fullscreen mode

Working webpage using httpd

Buildah

Buildah logo

Buildah is a daemonless and rootless image builder tool complimentary to Podman that produces OCI compliant images. It’s able to build images from Dockerfile, and can be run directly inside of containers.

Getting started with Buildah

  • Let’s install Buildah, which can be done by checking the installation documentation. Just like Podman, Buildah is shipped on Fedora 35/36, RHEL 8+, CentOS, OpenSUSE, and Ubuntu, and more.


$ sudo dnf -y install buildah


Enter fullscreen mode Exit fullscreen mode
  • Build an image from Dockerfile. While the default command to build any container image is buildah bud -t tag-name . in a directory with a Dockerfile, let’s say we’re working on a Next.js application. Firstly, let’s download the bootstrap using npx.


$ npx create-next-app --example with-docker nextjs-docker

$ cd next-js docker


Enter fullscreen mode Exit fullscreen mode
  • Now, we’ve got a Next.js application, with a Dockerfile inside ready to build our app. Let’s go ahead and build our container image.


$ buildah build -t nextjs-docker .

[1/3] STEP 1/5: FROM node:16-alpine AS deps

Resolved "node" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)

Trying to pull docker.io/library/node:16-alpine…

Successfully tagged localhost/nextjs-docker:latest


Enter fullscreen mode Exit fullscreen mode
  • Check image status.


$ buildah images

REPOSITORY               TAG         IMAGE ID      CREATED         SIZE

localhost/nextjs-docker  latest      162bee38beb9  8 seconds ago   118 MB


Enter fullscreen mode Exit fullscreen mode
  • Run container and check the installation, looks great!


$ podman run -p 3000:3000 nextjs-docker


Enter fullscreen mode Exit fullscreen mode

Example of Next.js viewable in browser

Skopeo

Skopeo logo

Skopeo is an image utility tool that complements Podman and Buildah, allowing you to remotely inspect images, copy images between registries, and more. Like the others, it doesn’t require a daemon to be running or root privileges, and can work with OCI compatible images.

Getting started with Skopeo



$ sudo dnf -y install skopeo


Enter fullscreen mode Exit fullscreen mode
  • Push our image to a remote registry. If we haven’t already done so, let’s upload the image we just built with Buildah to the Docker hub.


$ podman login docker.io

$ podman push nextjs-docker docker.io/cedricclyburn/nextjs-docker


Enter fullscreen mode Exit fullscreen mode

View of image in Docker Hub

  • Copy image to a different registry. Recently, Docker Hub rate limits and paid tier changes have encouraged engineers to start using alternative image registries like Quay.io. Let’s take our existing image from Docker, and copy it over to Quay.io.


$ skopeo login quay.io

$ skopeo copy docker://cedricclyburn/nextjs-docker:latest docker://quay.io/cedric-clyburn/nextjs-docker:latest


Enter fullscreen mode Exit fullscreen mode

View of image in Quay.io

  • Inspect the image. Skopeo allows us to inspect properties or configuration of an image on remote repositories using skopeo inspect.


$ skopeo inspect docker://quay.io/cedric-clyburn/nextjs-docker

{

    "Name": "quay.io/cedric-clyburn/nextjs-docker",

    "Digest": "sha256:779bf91bd2d407b4db9e7e7035cc77dfbd0f2cbd435067a40f485960d2889ded",

    "RepoTags": [

        "latest"

    ],

    "Created": "2022-07-19T18:30:29.872420186Z",

Enter fullscreen mode Exit fullscreen mode




Conclusion

As we’ve seen, you can use Podman, Buildah, and Skopeo as replacements to the traditional Docker workflow, without the use of a daemon or root privileges. There are plenty of great advantages that result from using these tools, and due to the increase of developer adoption there’s only more to come. I believe there’s a future for containers without Docker, and Podman (as well as the Buildah and Skopeo family) is a great alternative to work with.

Note: This content comes from one of my DevNation Tech Talks, and the full presentation + slides can be found here!

💖 💪 🙅 🚩
cedricclyburn
Cedric Clyburn

Posted on July 19, 2022

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related