Why I Ditched Docker for Podman (And You Should Too)

Beginnings

The author reminisces about early tools like Vagrant and Docker Swarm, praising Docker for revolutionizing application development by providing repeatable, isolated environments. Docker quickly became essential, despite minor annoyances like the persistent dockerd daemon running as root and consuming resources. Over time, however, security vulnerabilities and architectural flaws in Docker raised concerns:

- CVE-2019-5736: container escape via overwriting the runc binary.
- CVE-2022-0847 ("Dirty Pipe"): Linux kernel flaw allowing read-only files to be overwritten.
- CVE-2022-0492: privilege escalation via cgroups v1.
- 2024 vulnerabilities in runc and BuildKit.
- Recent in-the-wild cryptojacking attacks exploiting exposed Docker APIs (2024).

This motivated the author to explore alternatives and settle on Podman as a superior solution.

Daemonless Architecture

Docker relies on dockerd, a root-privileged, persistent background service. This daemon is a single point of failure and a security risk if compromised. Podman drops the daemon: containers run as child processes of the client, under the invoking user's privileges.

- Security: even if an attacker gains root inside a container, that root is limited to the user's privileges on the host.
- Reliability: a container crash does not take down other containers, since no monolithic daemon controls them.
- Resource efficiency: no always-on daemon means less memory used (the author notes that macOS Rosetta support is improving).

Podman's Key Strengths

- Systemd integration: Podman generates proper systemd unit files (podman generate systemd --name my-app), enabling native Linux service management (start/stop, auto-restart, logging).
- Kubernetes alignment: native pod support mirrors Kubernetes concepts, allowing local multi-container development (podman generate kube) and smoother Kubernetes deployments.
- Unix philosophy: Podman focuses on the container runtime; image building and registry handling are delegated to other tools such as Buildah and Skopeo, encouraging the use of best-in-class tools for each job.

Migration Experience

Switching from Docker to Podman is mostly seamless: the Podman CLI is Docker-compatible, so aliasing docker=podman lets existing commands and Dockerfiles keep working. Some differences:

- Rootless mode restricts binding privileged ports; the author sees this as a security feature that encourages better architecture (a reverse proxy in front of the app).
- Volume permission quirks due to rootless mode, manageable with correct file ownership.
- Podman offers a Docker-compatible API socket if needed.
- Complex Docker Compose setups can be transitioned to Kubernetes YAML, aligning local development with production.

Real-World Benefits After 6 Months

- Improved security by default, with no need to constantly verify rootless container configurations.
- Cleaner resource monitoring.

Docker's ecosystem remains strong, but Podman offers a more secure and system-aligned approach, ideal for new projects or for decisions made on technical merit.

FastAPI Migration Guide: From Docker to Podman

Prerequisites

- An existing FastAPI app with a Dockerfile and requirements file.
- Podman installed:
  - Ubuntu/Debian: sudo apt install podman
  - Fedora/RHEL: sudo dnf install podman
  - macOS: Podman Desktop
  - Windows: using Linux is recommended.

Step 1: Dockerfile Compatibility

Dockerfiles usually work unchanged with Podman (same OCI image format). Example FastAPI Dockerfile snippet:

Step 2: Build Image

Optional alias to ease the transition:

Step 3: Run Container

Development/testing:
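The build and run steps above as a small shell helper, added here as an example rather than code from the original post. It assumes a Dockerfile in the current directory, a FastAPI app listening on container port 8000, and an image tag localhost/fastapi-app (both overridable via the environment); it also handles the rootless privileged-port restriction from the Migration Experience section by shifting the host port above the kernel's unprivileged-port threshold.

```shell
#!/usr/bin/env sh
# Added example (not from the original post). Assumes: a Dockerfile in the
# current directory, a FastAPI app listening on container port 8000, and the
# image tag below; IMAGE/NAME can be overridden through the environment.
set -eu

IMAGE="${IMAGE:-localhost/fastapi-app:latest}"
NAME="${NAME:-fastapi-app}"

# Use podman when present, otherwise fall back to docker, so one script
# serves both sides of the transition (the "alias docker=podman" step).
container_cli() {
  if command -v podman >/dev/null 2>&1; then echo podman; else echo docker; fi
}

# Rootless Podman can only bind host ports >= net.ipv4.ip_unprivileged_port_start
# (1024 on a stock kernel). The threshold can be passed explicitly for testing.
port_allowed() {
  port="$1"
  start="${2:-$(cat /proc/sys/net/ipv4/ip_unprivileged_port_start 2>/dev/null || echo 1024)}"
  [ "$port" -ge "$start" ]
}

# Keep the requested host port if rootless can bind it; otherwise shift it
# above the threshold (80 -> 8080, 443 -> 8443) for a reverse proxy to front.
host_port_for() {
  want="$1"
  if port_allowed "$want" ${2:+"$2"}; then echo "$want"; else echo "$((8000 + want))"; fi
}

# Steps 2 and 3: build the image and run it rootless on a bindable host port.
build_and_run() {
  cli="$(container_cli)"
  hp="$(host_port_for "${1:-80}")"
  "$cli" build -t "$IMAGE" .
  "$cli" run -d --name "$NAME" -p "${hp}:8000" "$IMAGE"
  echo "app reachable on host port ${hp}"
}

# Optional: generate a systemd user unit so the container is managed like any
# other service (podman only; --new recreates the container on each start).
install_unit() {
  mkdir -p "$HOME/.config/systemd/user"
  (cd "$HOME/.config/systemd/user" && podman generate systemd --new --files --name "$NAME")
  systemctl --user daemon-reload
  systemctl --user enable --now "container-$NAME.service"
}
```

Call build_and_run 80 to build and start the app (it lands on host port 8080 under a default rootless setup), then install_unit to register it with systemd.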