Guide to Migrating from Docker to Podman on Fedora: Safer, More Efficient for Devs – ITFROMZERO

Table of Contents

Introduction: Containerization, A Leap Forward in Software Development

Containers have become a crucial technology in modern software development and operations. They help package applications with everything necessary, ensuring a consistent environment from development machines to production.

Docker is a familiar name, almost the industry standard when it comes to containers. However, on Fedora, there’s another option worth considering, even prioritized: Podman.

I’ve used Fedora as my primary development machine for two years. I’m very satisfied with its package update speed and stability. During that time, I also had the opportunity to try various container technologies, and Podman truly stood out. For Fedora users looking to optimize their development environment, switching to Podman is a logical choice.

This article will explore the differences between Docker and Podman, the benefits of using Podman on Fedora, and most importantly, provide a step-by-step guide for a smooth transition.

Container Runtime: Docker and Podman – Two Different Approaches

Both Docker and Podman allow you to create and manage containers, but their internal architectures differ significantly. Understanding this will help you choose the right tool for your needs.

Docker: Traditional Client-Server Architecture With a Root Daemon

Docker’s architecture uses a daemon (dockerd) running in the background with root privileges. This daemon is responsible for managing everything related to containers: images, networks, and volumes.

When you run the docker run command, you are interacting with the Docker client. This client sends requests to dockerd via the API, and the daemon then handles creating and running the container.

# Docker's architecture
+-----------------------+
|    Docker Client      |
| (e.g., docker run)    |
+-----------+-----------+
            |
            |  API Calls
            |
+-----------v-----------+
|    Docker Daemon      |
| (runs as root, manages|
|  all containers)      |
+-----------------------+
            |
            | Container Operations
            |
+-----------v-----------+
|  Container Runtime    |
|   (e.g., containerd)  |
+-----------------------+

The fact that dockerd always runs with root privileges offers convenience but poses a significant security risk. If the daemon is compromised, an attacker could gain control over the entire system.

Podman: Daemonless Containers, More Flexible

Podman (POD MANager) is designed with a daemonless philosophy. When you run a container, Podman launches it directly as a child process of your own, without going through a background root service.

# Podman's architecture
+-----------------------+
|    Podman Client      |
| (e.g., podman run)    |
+-----------+-----------+
            |
            |  Direct System Calls
            |
+-----------v-----------+
|   Your User Process   |
| (manages its own pods |
|  and containers)      |
+-----------------------+
            |
            | Container Operations
            |
+-----------v-----------+
|  Container Runtime    |
|   (e.g., runc, crun)  |
+-----------------------+

Each Podman container runs under the privileges of the user who called the command, also known as Rootless Containers. This is a significant security advantage, as it limits the container’s impact to that user’s account.

Interestingly, Podman can use almost identical Docker commands. This makes the transition very easy.

Why Consider Migrating from Docker to Podman on Fedora?

While Docker remains an excellent tool, on Fedora, Podman offers significant benefits that you should consider.

Key Advantages of Podman

Superior Security With Rootless Containers: This is Podman’s biggest advantage. Not having a root-running daemon significantly reduces security risks. Containers running under normal user privileges cannot access or damage critical parts of the system if compromised.

Example: If an application within a container is exploited, the attacker only has the same privileges as the current user and cannot escalate privileges to the entire system.
```
# Example of running a rootless container
podman run --rm docker.io/hello-world

# Check user ID inside the container (usually 0, but outside it's your user)
podman run --rm alpine id
# uid=0(root) gid=0(root) groups=0(root)  <-- inside the container
# However, mapped externally, it's your user ID
```
Good Integration With the Linux Ecosystem: Podman is developed by Red Hat, the company behind Fedora. It integrates tightly with core Linux technologies like systemd (service management) and SELinux (enhanced security). This ensures smooth and secure system operation.
Docker Command Compatibility: To help users migrate easily, Podman has a CLI compatible with Docker. Most docker commands can be directly replaced with podman without changes.
More Efficient Resource Management: Podman does not have a continuously running background daemon. It only consumes resources when containers are active. This can save RAM and CPU on your machine when no containers are running.

A Few Disadvantages to Note

Tooling Ecosystem: Docker has a longer history, so it boasts a vast ecosystem of tools and third-party integrations. Docker Compose is particularly popular for defining and running multi-container applications.

However, Podman also has alternative solutions. For example: podman-compose or the ability to generate Kubernetes YAML files from containers.
Small Learning Curve: Despite high command compatibility, a few minor differences still exist. You’ll need to learn how Podman handles networking or volumes with rootless containers. However, overall, the transition process is quite smooth.

Fedora and Podman: A Natural Combination

For me, Fedora’s preference for Podman was a clear signal. As a developer using Fedora, I find this very logical, both enhancing security and optimizing the system.

Since Fedora 31, Podman has replaced Docker as the default container runtime in documentation and recommendations. The podman-docker package is also available to create a docker symlink pointing to podman, making the transition almost seamless.

# Check if the 'docker' symlink points to 'podman' after installing podman-docker
ls -l /usr/bin/docker

This combination goes beyond just security. It also creates a unified ecosystem where tools are designed to work efficiently together on one of the most modern and advanced Linux distributions.

Guide to Migrating from Docker to Podman on Fedora

Now, let’s get started. This process is quite simple, even if you’ve never used Podman before.

Step 1: Check and Remove Docker (If Installed)

If Docker is running on your system, uninstall it to avoid conflicts and free up resources. If you’ve never installed Docker, you can skip this step.

# Stop the Docker daemon
sudo systemctl stop docker

# Disable Docker from starting with the system
sudo systemctl disable docker

# Remove Docker packages
# (Depending on how you installed Docker, packages may vary)
sudo dnf remove docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

# Delete remaining configurations, images, volumes (OPTIONAL, PROCEED WITH CAUTION)
sudo rm -rf /var/lib/docker
sudo rm -rf /etc/docker

Step 2: Install Podman and Supporting Tools

This is the most important part. Podman is readily available in Fedora’s official repositories, so installation is very easy.

# Install Podman
sudo dnf install podman

# Check the installed Podman version
podman --version

# Install podman-docker to get the 'docker' symlink pointing to 'podman'
# This helps you avoid modifying old scripts or typing habits
sudo dnf install podman-docker

# Check if the 'docker' command now works with Podman
docker --version

# (Optional) If you use Docker Compose, install podman-compose
# It tries to mimic Docker Compose's behavior
sudo dnf install podman-compose

Step 3: Configure Rootless Containers (Important)

To fully leverage Podman’s security benefits, you need to ensure rootless containers work correctly. Podman needs to know which range of virtual UIDs/GIDs your user can use to run containers.

Fedora usually pre-configures /etc/subuid and /etc/subgid for each user. You can check:

grep $(whoami) /etc/subuid /etc/subgid

The output will be similar to:

/etc/subuid:yourusername:100000:65536
/etc/subgid:yourusername:100000:65536

If not present, you can add them manually or re-check your Podman installation.

For your rootless containers to continue running after you log out, you need to enable the linger feature for your user. This feature allows user processes to run in the background even without an active session.

loginctl enable-linger $(whoami)

# You can check the linger status
loginctl show-user $(whoami) | grep Linger
# Output will be: Linger=yes

Finally, initialize or check your Podman environment:

# Initialize user-level storage for Podman (if running for the first time)
podman system migrate

# Check Podman environment information (including rootless status)
podman info --debug

Step 4: Migrate Commands From Docker to Podman

This is the easiest part! Thanks to the podman-docker package, most of your commands will work immediately.

Run Container:
```
# Replace:
docker run -p 8080:80 --name mynginx -d nginx

# With:
podman run -p 8080:80 --name mynginx -d nginx
```
If you have installed podman-docker, you can still type docker run ... and it will automatically be redirected to Podman. Personally, I prefer typing podman for clarity.

Build Image:

# Replace:
docker build -t myapp:latest .

# With:
podman build -t myapp:latest .

Manage Images, Containers, Networks, Volumes: Commands like images, ps, network, volume work similarly.
```
podman ps
podman images
podman network ls
```
Docker Compose (replace with Podman Compose):

If you have a docker-compose.yaml file, you can use podman-compose (after installing it in Step 2).
```
# Replace:
docker-compose up -d

# With:
podman-compose up -d
```
Note: podman-compose is not an official Podman tool and may not be 100% compatible with all complex Docker Compose features. For me, it handles most basic cases well.

Important Considerations When Using Podman

Volumes and Permissions in Rootless Containers

When running rootless containers, the volumes you map into the container will use the current user’s permissions on the host. This means the container cannot arbitrarily write to directories that your user does not have write access to. This is a useful security layer, but sometimes you may need to adjust host permissions if you encounter errors.

Networking and Podman

Podman manages networking for rootless containers a bit differently than default Docker. While it still provides similar features, you might need to learn more about creating and managing custom networks with podman network create and podman network connect if your project has complex networking requirements.

Integration With Systemd: Running Containers as Services

One of Podman’s strengths on Fedora is its deep integration with systemd. You can easily create a systemd unit file to manage containers as regular system services. This is very convenient for applications that need to run continuously or start with the system.

# Run an example container
podman run --name myapp-container -d nginx

# Generate systemd unit files from a running container
podman generate systemd --name myapp-container --new --files
# This command will create 2 files: myapp-container.service and myapp-container-init.service
# They are usually created in the ~/.config/systemd/user/ directory

# Enable and start the service (runs under user privileges)
systemctl --user enable myapp-container.service
systemctl --user start myapp-container.service

# Check status
systemctl --user status myapp-container.service

This way, your container will be managed by systemd, automatically starting when the machine boots or when the user logs in (if linger is enabled).

Replacing Docker Compose With Kubernetes YAML

If podman-compose doesn’t meet your needs, or if you want to get acquainted with Kubernetes, Podman has a very powerful feature: generating Kubernetes YAML files from its Pods and Containers.

# Create a pod containing multiple containers (e.g., web + db)
podman pod create --name mypod -p 80:80
podman run -d --pod mypod --name myweb nginx
podman run -d --pod mypod --name mydb postgres

# Generate Kubernetes YAML file from this pod
podman generate kube mypod > myapp.yaml

# Then, you can use 'podman play kube' to run it again from the YAML file
podman play kube myapp.yaml

This is an excellent bridge to transition from a local development environment to Kubernetes without having to learn too many new tools at once.

Conclusion

Migrating from Docker to Podman on Fedora is more than just a tool change. It’s an upgrade in security and work efficiency, especially with its rootless container architecture and deep system integration.

While there might be a few minor adjustments needed, the high command compatibility and the benefits Podman offers on Fedora are well worth it. I believe that once you get used to it, you’ll find Podman not just a worthy replacement, but also a step forward in security and system integration. Give Podman a try on your Fedora machine, and you’ll see the difference.