Escaping Docker's Daemon Drama with Podman
Author: Amit Barletz (@BarletzA52)
How a Docker Issue on macOS Led Me to Podman and a Deeper Understanding
Last Thursday, I updated my Mac to macOS 15.2. Everything seemed fine until I logged in and was greeted by a rather alarming message:
“⚠️ Malware Blocked: ‘com.docker.vmnetd’ was not opened because it contains malware.”
I clicked "Done", thinking it was just a glitch. But it kept popping up 🫨
After some Googling (you know, doing my job...), I found a new thread on the Docker forum discussing this exact issue. I tried a few suggested fixes (except the workaround. I don't know, I don't trust people 😜), but nothing worked.
Then, I remembered hearing about a Docker alternative called Podman. After tediously shutting down every Docker process and finally uninstalling Docker Desktop, the annoying pop-up was gone. I installed Podman, followed the installation instructions, tweaked some settings to make my Compose files work, and updated my npm scripts from docker blah blah to podman blah blah. And all set! Everything worked just as before.
But something was nagging at me. I realized I don't truly understand how Podman works, and to be honest, I never really understood how Docker works under the hood either. I knew the components and why I needed them, but that was about it.
The first word I encountered in my quest to understand the differences between Docker and Podman was daemonless. I remembered seeing the word "daemon" a lot with Docker and guessed it had something to do with processes, but I never really understood what it meant. So, I decided to dive deeper.
What the Heck is a Daemon? 🥸
A daemon is a background process that runs on your computer, usually without direct user interaction. In Docker's case the daemon (the Docker Engine, dockerd) manages your containers and images, and by default it runs as root, which can be a security risk: every container it starts is a child of a root-owned process.
Podman: Daemonless and Proud 😌
Podman is daemonless. It uses a fork-exec model: the podman command forks itself, and the child process becomes the container, so no long-running service sits in the middle. This eliminates the single point of failure that Docker's daemon represents. If Docker's daemon crashes, you lose access to your containers and images until it is restarted. With Podman, there is no daemon to crash.
Root vs. Rootless 🛡️
Podman doesn't need to run as root, unlike Docker's daemon, which runs as root by default. That matters when a vulnerability is exploited: because Podman can run containers as an ordinary non-root user, a process that breaks out of a container ends up with that user's privileges rather than root, which reduces the impact of a security breach.
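A quick way to verify the rootless claim on a running container is to read its /proc/self/uid_map, which lists how UIDs inside the user namespace map to host UIDs. The script below is an added example, not code from the post: it translates a container UID to its host UID and flags a container as rootless when container root maps to a non-zero host UID. The two uid_map tables are constructed samples in the shape a rootless Podman container and a rootful (Docker-style) container typically produce; on a live system you would feed it the output of `podman exec <container> cat /proc/self/uid_map`.

```shell
#!/bin/sh
# Translate a container-side UID to the host UID using a /proc/<pid>/uid_map
# table. Each line is "<first UID inside ns> <first UID on host> <count>".
# Prints the host UID, or "unmapped" if no line covers the UID.
map_uid() {
    # $1 = uid_map contents, $2 = UID as seen inside the container
    printf '%s\n' "$1" | awk -v uid="$2" '
        NF == 3 && uid >= $1 && uid < $1 + $3 {
            print $2 + (uid - $1); found = 1; exit
        }
        END { if (!found) print "unmapped" }'
}

# True (exit 0) when container root (UID 0) maps to a non-zero host UID,
# i.e. the container runs inside a user namespace owned by an ordinary user.
is_rootless() {
    host_root=$(map_uid "$1" 0)
    [ "$host_root" != "unmapped" ] && [ "$host_root" -ne 0 ]
}

# Constructed sample: rootless Podman run by host user 1000 with a subordinate
# UID range starting at 100000 (this is what "podman unshare cat
# /proc/self/uid_map" typically looks like).
ROOTLESS_MAP='         0       1000          1
         1     100000      65536'

# Constructed sample: a rootful container, UIDs map 1:1 onto the host.
ROOTFUL_MAP='         0          0 4294967295'

# Human-readable summary of what a container escape as root would get you.
report() {
    if is_rootless "$2"; then
        echo "$1: container root -> host UID $(map_uid "$2" 0) (rootless)"
    else
        echo "$1: container root -> host UID 0 (rootful: an escape is real root)"
    fi
}

report "rootless podman" "$ROOTLESS_MAP"
report "rootful daemon"  "$ROOTFUL_MAP"
```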
Both Use OCI 🤝
Both Docker and Podman adhere to the Open Container Initiative (OCI) standards. This means they share a common language for pulling, pushing, running, building, and listing containers, making it easy to switch between them.
Podman Pods 🦭
Podman introduces the concept of pods: groups of one or more containers that share the same network and can share volumes. This mirrors Kubernetes, where the pod is the basic unit of deployment, so it is particularly useful when you later deploy the same application to a Kubernetes cluster.
Docker Swarm vs. Kubernetes with Podman 🎻
Docker Swarm is Docker's native orchestration tool, well suited to simple setups where you want to manage a cluster of Docker engines. It offers basic load balancing and manual scaling, but needs a third-party tool for monitoring. Kubernetes, in contrast, is more robust and is the better fit for complex applications that need advanced orchestration. Podman has no equivalent to Docker Swarm, but it integrates well with Kubernetes, and its pod concept maps directly onto Kubernetes pods. For users who intend to run Kubernetes anyway, the lack of a Swarm-like tool is not really a drawback.
Docker Compose and Podman 🤹
Docker Compose is a tool for defining and running multi-container Docker applications. With Podman, you can use podman-compose, which allows you to run Docker Compose files with Podman, maintaining compatibility and ease of use across platforms.
All Platforms Welcome 🌈
Both Docker and Podman support various platforms, but Podman’s rootless and daemonless architecture makes it particularly appealing for environments prioritizing security and flexibility. Plus, it seems Podman doesn't trigger any malware alerts when you update your macOS, unlike some other software that shall remain nameless 😜 (looking at you, Docker).
This journey from Docker to Podman taught me a lot about the underlying mechanics of containerization. While Docker remains a robust and popular choice, Podman offers a fresh perspective on security and management, especially for those looking to avoid the pitfalls of daemon dependency.
Resources:
- Docker Forum related issue
- GitHub Issue on Docker for Mac with Suggested Workaround
- Podman Compose
- What is Podman? How is it Different Than Docker?
- Podman vs. Docker
- Docker vs Kubernetes vs Docker Swarm