With Docker, I found rootless setup to be a PITA, despite having experience with unprivileged LXC containers. The manager daemon constantly consumed system resources even when no containers were running. Docker upgrades sometimes refused to run my containers until I chased down whatever storage driver problem they introduced in the latest version.
When the most recent upgrade broke my containers yet again, I decided to give Podman a try. Setup was a breeze. There is no management daemon wasting resources. My containers just worked. Even the little cron script I wrote to query Docker for pending image updates just worked with Podman tools.
I think Podman also makes it easy to map host uids to non-root container uids, which ought to help me reduce attack surface. (I haven't actually tried this feature yet.) Last time I checked, Docker did not.
> Even the little cron script I wrote to query Docker for pending image updates just worked with Podman tools
Podman comes with an auto-update flag you can set for containers that uses systemd to do this for you. Takes a bit of reading to get it right but its smooth sailing mostly.
Good to know, but my script is for a different workflow: It checks for updates to remote dependencies of my running custom containers. (For example, when alpine:latest points to something new.) It then prints a message for cron to email to me, noting that it's time to rebuild my custom stuff.
With Docker, I found rootless setup to be a PITA, despite having experience with unprivileged LXC containers. The manager daemon constantly consumed system resources even when no containers were running. Docker upgrades sometimes refused to run my containers until I chased down whatever storage driver problem they introduced in the latest version.
When the most recent upgrade broke my containers yet again, I decided to give Podman a try. Setup was a breeze. There is no management daemon wasting resources. My containers just worked. Even the little cron script I wrote to query Docker for pending image updates just worked with Podman tools.
I think Podman also makes it easy to map host uids to non-root container uids, which ought to help me reduce attack surface. (I haven't actually tried this feature yet.) Last time I checked, Docker did not.
So far, I couldn't be happier.