Ditching Docker: Why Podman’s Rootless, Daemonless Model Wins
Added September 5, 2025

The author argues that Docker’s root-privileged daemon is an avoidable risk and operational liability, pointing to notable CVEs and API-abuse incidents. Podman’s daemonless, rootless model improves security, resilience, and system integration while maintaining Docker-like CLI compatibility. A practical FastAPI migration guide shows that moving is straightforward and yields better production operations via systemd, pods, and Kubernetes-aligned tooling.
Key Points
- Docker’s root-privileged, always-on daemon increases attack surface and creates a single point of failure; recent CVEs and API-abuse campaigns underscore the risk.
- Podman’s daemonless, rootless-by-default model reduces host compromise risk, isolates failures, and trims idle resource usage.
- Podman integrates cleanly with Linux operations: systemd unit generation, native pods, and Kubernetes-aligned workflows (generate/play kube).
- Switching is largely seamless: Podman mirrors Docker’s CLI, works with existing Dockerfiles, and can expose a Docker-compatible socket when needed.
- A step-by-step FastAPI guide demonstrates parity (build/run), better production management with systemd, pod-based multi-service setups, and practical fixes for ports, volumes, and legacy tooling.
Sentiment
Mixed and context-dependent: many agree with Podman’s security/systemd advantages on Linux servers, but a sizable group prefers Docker (or Orbstack) for cross‑platform development due to compatibility and DX; no clear consensus to universally ditch Docker.
In Agreement
- Podman’s daemonless, rootless-by-default architecture reduces attack surface and removes the dockerd single point of failure.
- Superior systemd integration (quadlets) enables declarative, durable services without a background daemon and fits well with Linux ops.
- Native pod model and podman generate/play kube align better with Kubernetes and can replace light compose use cases.
- Lower idle resource usage and socket-activated API improve footprint compared to an always-on dockerd.
- Docker Desktop licensing and big-company procurement headaches push teams to Podman or other free tools.
- Rootless networking performance is acceptable with pasta/passt, and SELinux issues are solvable with proper :z/:Z mounts.
- Podman works well in production on Linux (e.g., with GitLab runners, Traefik, reverse proxies) and can avoid Kubernetes for small fleets.
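A minimal rootless quadlet for the FastAPI service described in the key points, tying together the systemd (quadlet) and SELinux :z/:Z points above; this is an added example, not code from the original article or the Podman project, and the image name, host data path and port are assumptions.

```ini
# ~/.config/containers/systemd/fastapi-app.container  (rootless, per-user unit)
# Quadlet generates fastapi-app.service from this file. Activate with:
#   systemctl --user daemon-reload && systemctl --user start fastapi-app.service
#   loginctl enable-linger "$USER"   # keep the user manager running without a login session

[Unit]
Description=FastAPI app under rootless Podman (no dockerd, no root daemon)

[Container]
# Assumed image name, e.g. built earlier with: podman build -t fastapi-app .
Image=localhost/fastapi-app:latest
ContainerName=fastapi-app
# Unprivileged port (>= 1024) works rootless without touching ip_unprivileged_port_start;
# bound to loopback so a reverse proxy, not the container, faces the network
PublishPort=127.0.0.1:8000:8000
# :Z gives the host directory a private SELinux label for this container only;
# use :z instead when several containers must share it. Host path is assumed.
Volume=/srv/fastapi/data:/data:Z
Environment=APP_ENV=production
# Rootless limits what a breakout gains on the host; still lock down the container itself
ReadOnly=true
DropCapability=ALL
NoNewPrivileges=true

[Service]
Restart=on-failure
# First start may need to pull or unpack the image
TimeoutStartSec=300

[Install]
WantedBy=default.target
```

The unit name comes from the file name, so `systemctl --user status fastapi-app.service` and `journalctl --user -u fastapi-app.service` cover the service without any long-running container daemon.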
Opposed
- Compose compatibility is incomplete (podman‑compose feature gaps; differences with Docker Compose v2), causing migration friction.
- Rootless networking and GPU/CUDA/WSL2 workflows can be flaky; some report random disconnects or container stops.
- SELinux, subuid/subgid, and volume permission mapping are confusing; defaults differ from Docker and require extra learning.
- Packaging on Ubuntu/Debian lags; official, up-to-date .debs are missing, and docs have rough edges.
- On macOS/Windows, Docker Desktop (or Orbstack) provides a smoother, faster, better-documented DX; Podman has been unreliable for some.
- Docker also supports rootless mode; security claims feel overstated when containers aren’t a full substitute for VM isolation.
- Ecosystem/tooling inertia (docker.sock API clients, devcontainers, CI integrations) still favors Docker; many teams don’t see enough ROI to switch.