podman

Podman: A tool for managing OCI containers and pods.

Go apache-2.0 24216 https://podman.io 2024-12-23T10:36:10Z

Podman (the POD manager) is an [open source](https://www.redhat.com/en/topics/open-source/what-is-open-source) tool for developing, managing, and running containers on your [Linux®](https://www.redhat.com/en/topics/linux/what-is-linux) systems. Originally developed by Red Hat® engineers along with the open source community, Podman manages the entire [container](https://www.redhat.com/en/topics/containers) ecosystem using the libpod library. Podman's daemonless and inclusive architecture makes it a more secure and accessible option for container management, and its accompanying tools, such as [Buildah](https://www.redhat.com/en/topics/containers/what-is-buildah) and [Skopeo](https://www.redhat.com/en/topics/containers/what-is-skopeo), allow developers to customize their container environments to suit their needs.

## What makes Podman different from other container engines?

Podman stands out from other container engines because it is daemonless. Daemons are processes that run in the background of your system to do the heavy lifting of running containers without a user interface. Think of a daemon as the intermediary between the user and the container itself.

While daemons can be a convenient way to manage your container environment, they can also introduce security vulnerabilities. Many daemons run with [root privileges](https://www.redhat.com/en/blog/understanding-root-inside-and-outside-container). On Linux systems, the root account acts as a superuser with administrative access (bypassing any need for admin verification) to read files, install programs, edit applications, and more. A root-owned daemon is therefore an attractive target for attackers who want to gain control of your containers and move on to the host system.

Podman cuts out the daemon: regular users can run containers without talking to a root-owned daemon at all, and can run the containers themselves rootless. By going rootless, users can create, run, and manage containers without any process holding admin privileges, which makes the container environment more accessible while reducing security risk. Additionally, Podman launches each container with a [Security-Enhanced Linux](https://www.redhat.com/en/topics/linux/what-is-selinux) (SELinux) label, giving administrators more control over which resources and capabilities are granted to container processes.

## How does Podman manage containers?

Users invoke Podman from the command line to pull containers from a repository and run them. Podman calls the configured container runtime to create the running container.

Without a dedicated daemon, Podman relies on [systemd](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/chap-managing_services_with_systemd), the system and service manager of Linux operating systems, to apply updates and keep containers running in the background. By integrating systemd and Podman, you can generate control units for your containers and have systemd start them automatically. Users can manage their own repositories on the system, as well as the systemd units that control the automatic starting and management of their own containers. Letting users manage their own resources, with their containers running rootless, discourages poor practices such as making /var/lib/containers world-writable and other system management shortcuts that expose applications to additional security issues. It also ensures that every user has a separate set of containers and images and can use Podman concurrently on the same host without interfering with anyone else. When users are finished with their work, they can push changes to a common registry to share their image with others.

Podman also exposes a [RESTful API](https://www.redhat.com/en/topics/api/what-is-a-rest-api) (REST API) for managing containers. REST stands for REpresentational State Transfer. A REST API is an application programming interface that conforms to the constraints of the REST architectural style and allows interaction with RESTful web services. With the REST API, you can call Podman from tools such as cURL, Postman, Google's Advanced REST Client, and many others.
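The systemd integration described above, as an added example that is not part of this page or the Podman project: a Quadlet unit file (Quadlet is Podman's built-in systemd unit generator since Podman 4.4) that runs a rootless container as a systemd user service with the privileges it is granted kept to a minimum. The image name, port, volume name and mount path are constructed placeholders.

```ini
# ~/.config/containers/systemd/webapp.container  (path under the user's own
# config, so the generated service runs rootless as that user, not as root)
# Added example, not from the Podman project; names and paths are placeholders.

[Unit]
Description=Rootless web app managed by systemd through Podman

[Container]
# Constructed placeholder image reference
Image=registry.example.com/webapp:1.0
# Bind only to loopback so the service is not reachable from other hosts
PublishPort=127.0.0.1:8080:8080
# Least privilege for the container process: start from zero capabilities,
# block privilege escalation via setuid/file capabilities, and keep the root
# filesystem read-only. Only the named volume below is writable.
DropCapability=ALL
NoNewPrivileges=true
ReadOnly=true
# :Z relabels the volume so the container's SELinux label is the only one
# allowed to read and write it (the per-container label the text describes)
Volume=webapp-data:/var/lib/webapp:Z

[Service]
# Restart on failure only; pulling a large image can take a while on first start
Restart=on-failure
TimeoutStartSec=300

[Install]
# default.target is the user session's default; with lingering enabled the
# unit starts at boot without the user logging in
WantedBy=default.target
```

After saving the file, `systemctl --user daemon-reload` makes Quadlet generate `webapp.service`, which you start with `systemctl --user start webapp.service`; run `loginctl enable-linger $USER` once so the user service keeps running when no session is logged in.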