Podcast Summary: Software Engineering Daily – Podman with Brent Boddy
Release Date: August 12, 2025
Introduction
In this engaging episode of Software Engineering Daily, host Jordi welcomes Brent Boddy, a Senior Principal Software Engineer at Red Hat, to discuss Podman, an open-source container management tool. Brent delves into the intricacies of Podman, its evolution, and its place within the container ecosystem.
What is Podman?
Brent begins by outlining Podman as an open-source container management tool that empowers developers to build, run, and manage containers. Unlike Docker, Podman supports rootless containers, enhancing security, and maintains full compatibility with the Open Container Initiative (OCI) standards.
“Podman itself runs. It does some of the setup for the container to be able to run. We then call a runtime like Crun to actually run the container.”
— Brent Boddy [10:17]
Open Container Initiative (OCI) Standards
Podman adheres to OCI standards, ensuring interoperability across different container runtimes. Brent explains that OCI provides a “roadmap” or “skeleton” allowing developers to maintain consistency and compatibility within the container ecosystem.
“The OCI standards give us a roadmap, if you will, or a skeleton in which we can provide program and be able to have a standard that will work...”
— Brent Boddy [02:20]
History and Origin of Podman
Podman originated from the CRI-O project, initially named Kpod. It was designed as a local utility for Kubernetes nodes to debug and manage containers. Recognizing its potential beyond a small utility, the team expanded its scope, leading to the creation of Podman (short for Pod Manager).
“...Podman has an interesting origin story... we formed a small team around that, that kind of did some skunk works initially to make sure we were on the right track.”
— Brent Boddy [05:47]
Daemonless Architecture
One of Podman's standout features is its daemonless architecture. Unlike Docker, which relies on a long-running daemon, Podman operates without one, reducing attack vectors and conserving system resources.
“Having a daemon runs and takes up resources even when it's listening. In the case of Podman, when you run it, it doesn't have a daemon.”
— Brent Boddy [08:57]
This design choice enhances security and performance, allowing Podman to be more lightweight and resilient. If the daemon were to fail in Docker, it could be catastrophic; Podman's approach mitigates this risk.
Rootless Containers
Podman’s support for rootless containers is a significant security advantage. Running containers without root privileges minimizes the risk of container escapes and reduces the overall attack surface.
“Our nightmare is container escape. Someone being able to escape the container and get on the host. One way to mitigate that is to ensure they have the minimum amount of privilege possible.”
— Brent Boddy [11:47]
By leveraging Linux kernel features, Podman ensures that containers operate with the least necessary privileges, aligning with best security practices.
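As an added example (not from the episode or the Podman project), the script below checks the subordinate id ranges that rootless Podman depends on and, when invoked with `live` on a host that has podman, shows the user-namespace mapping that makes uid 0 inside the container an unprivileged uid on the host. The user names and ranges in the sample /etc/subuid content are constructed, and the 65536-id threshold and the `live` argument are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the episode or the Podman project.
# Rootless Podman maps container uids onto the caller's uid plus a range
# from /etc/subuid (gids from /etc/subgid); without such a range most images
# cannot even be unpacked. The helpers check that, then (with "live") show
# the mapping on a real podman installation.

# Parse one "user:start:count" line; print "start count" if it is for $2.
parse_subid_line() {
  line=$1
  user=$2
  name=${line%%:*}
  rest=${line#*:}
  start=${rest%%:*}
  count=${rest#*:}
  [ "$name" = "$user" ] || return 1
  printf '%s %s\n' "$start" "$count"
}

# Return 0 when $2 has at least 65536 subordinate ids in file $1 (enough for
# the uid/gid values found in common images), 2 when the range is too small,
# 1 when there is no entry at all.
check_subid_range() {
  file=$1
  user=$2
  while IFS= read -r line || [ -n "$line" ]; do
    if range=$(parse_subid_line "$line" "$user"); then
      count=${range#* }
      if [ "$count" -ge 65536 ]; then
        echo "ok: $file gives $user $count ids"
        return 0
      fi
      echo "warning: $file gives $user only $count ids"
      return 2
    fi
  done < "$file"
  echo "error: no entry for $user in $file"
  return 1
}

# Live demonstration; requires podman on a Linux host.
show_rootless_mapping() {
  command -v podman >/dev/null 2>&1 || { echo "podman not installed"; return 1; }
  me=$(id -un)
  check_subid_range /etc/subuid "$me"
  check_subid_range /etc/subgid "$me"
  echo "rootless: $(podman info --format '{{.Host.Security.Rootless}}')"
  # Inside the rootless user namespace uid 0 is the caller; the rest of the
  # container's uids come from the /etc/subuid range checked above.
  podman unshare cat /proc/self/uid_map
  # The process is root inside the container ...
  podman run --rm docker.io/library/alpine:3.20 id -u
  # ... but the host sees it running as the unprivileged user.
  podman run -d --rm --name rootless-demo docker.io/library/alpine:3.20 sleep 30
  ps -o user= -p "$(podman inspect --format '{{.State.Pid}}' rootless-demo)"
  podman stop rootless-demo >/dev/null
}

# Offline check against a constructed /etc/subuid sample.
tmp=$(mktemp)
printf 'alice:100000:65536\nbob:165536:65536\n' > "$tmp"
check_subid_range "$tmp" alice
rm -f "$tmp"

if [ "${1:-}" = "live" ]; then
  show_rootless_mapping
fi
```

Run it with no arguments to see the offline check, or with `live` to print the real mapping; a `warning` or `error` from the subordinate-id check is the usual reason a fresh rootless setup fails to pull images.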
Build Process and Integration with Buildah
Podman integrates seamlessly with Buildah, another project within the Containers GitHub organization. Buildah specializes in building container images, and Podman leverages its capabilities to handle complex build tasks.
“Podman build ... pulls in Buildah as a library and we use the exact same code that Buildah uses.”
— Brent Boddy [14:03]
This integration allows developers to utilize Podman for both building and managing containers, providing a cohesive workflow.
Challenges in Daemonless Design
Building a daemonless system presented unique challenges, primarily in managing container state and avoiding conflicts without a central authority.
“Dealing with state or dealing with conflict over locking or racing or things like that become they're paramount.”
— Brent Boddy [15:43]
To address these, Podman employs techniques like file locks and shared memory locks, ensuring reliable container lifecycle management without a daemon.
Container Lifecycle
Brent outlines the typical container lifecycle managed by Podman:
- Identify Image: Choose a container image (e.g., Fedora, Alpine, Ubuntu).
- Build/Configure: Customize the image by installing necessary applications and configurations.
- Assemble Run Parameters: Decide how to run the container (background/foreground, security options, networks).
- Execute with Runtime: Use an OCI runtime such as crun to set up namespaces and start the container process.
- Monitor with conmon: A lightweight per-container monitor that handles logging, standard I/O, and exec sessions.
- Exit Strategy: Handle container exits gracefully, providing exit codes and status.
“...this is not Podman specific. That's in general how containers kind of go.”
— Brent Boddy [20:13]
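The six steps above carried out with podman, as an added example that is not from the episode or the Podman project. It assumes podman with access to docker.io for the base image; the image tag `localhost/lifecycle-demo`, the container name and the hardening flags are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the episode or the Podman project: one container
# taken through the lifecycle steps with podman.

IMAGE=localhost/lifecycle-demo:latest
NAME=lifecycle-demo

# Steps 1-2: identify a base image and build a customised one that drops to
# an unprivileged user, so the workload is never uid 0 even inside the
# container. The command exits 3 to show exit codes being propagated.
build_image() {
  dir=$(mktemp -d)
  cat > "$dir/Containerfile" <<'EOF'
FROM docker.io/library/alpine:3.20
RUN adduser -D -u 10001 app
USER app
CMD ["sh", "-c", "echo hello from $(id -un); sleep 3; exit 3"]
EOF
  podman build -t "$IMAGE" "$dir"
  rm -rf "$dir"
}

# Step 3: assemble run parameters, one flag per line so the set can be
# reviewed (and tested) before anything is started.
hardened_run_args() {
  printf '%s\n' \
    --read-only \
    --cap-drop=ALL \
    --security-opt=no-new-privileges \
    --pids-limit=100 \
    --memory=128m
}

# Steps 4-5: podman hands the bundle to the OCI runtime (crun here) and leaves
# conmon behind to hold stdio, logs and the exit file; podman itself returns.
run_and_monitor() {
  # word splitting of the flag list is intended
  podman run -d --name "$NAME" $(hardened_run_args) "$IMAGE"
  podman inspect --format \
    'runtime={{.OCIRuntime}} pid={{.State.Pid}} conmon={{.State.ConmonPid}}' "$NAME"
  podman logs -f "$NAME"
}

# Step 6: exit strategy. podman wait returns the code conmon recorded, which a
# caller (or a systemd unit) can act on before the container is removed.
collect_exit() {
  rc=$(podman wait "$NAME")
  echo "container exited with status $rc"
  podman rm "$NAME" >/dev/null
  return "$rc"
}

if [ "${1:-}" = "run" ]; then
  build_image && run_and_monitor && collect_exit
fi
```

Invoke the script with `run`; the script's own exit status is the container's (3), and the inspect line shows the container pid alongside the conmon pid that outlives the podman command.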
Kubernetes and Orchestration Integration
Podman excels in generating Kubernetes YAML from running containers, facilitating easy transitions to orchestration platforms. This feature bridges the gap between single-node development and scalable deployments.
“We can generate Kubernetes YAML, which is the backbone of how to orchestrate containers on a large scale.”
— Brent Boddy [21:10]
Additionally, Podman complements Kubernetes by allowing seamless scalability and integration with orchestration tools.
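The export-and-replay flow described above, as an added example that is not from the episode or the Podman project: a locally built pod is written out as Kubernetes YAML, linted for host-level settings before it leaves the workstation, and started again from that file. It assumes podman with the `kube` subcommands (Podman 4.4 or later); the pod name, output file and lint rules are this example's own.

```shell
#!/bin/sh
# Added example, not from the episode or the Podman project.

POD=web-demo
OUT=web-demo.yaml

# A pod built the way Podman runs it locally; flags such as --cap-drop end up
# in the generated securityContext.
create_pod() {
  podman pod create --name "$POD" -p 8080:80
  # The stock nginx entrypoint starts as root and then drops to the nginx
  # user, so it needs these four capabilities and nothing else.
  podman run -d --pod "$POD" --name web \
    --cap-drop=ALL --cap-add=CHOWN,SETUID,SETGID,NET_BIND_SERVICE \
    docker.io/library/nginx:alpine
}

export_yaml() {
  podman kube generate "$POD" > "$OUT"
}

# Refuse YAML that asks for host-level access. None of these settings come
# from the run above, so their presence means the file was edited by hand.
lint_kube_yaml() {
  file=$1
  rc=0
  for key in 'privileged: *true' 'hostNetwork: *true' 'hostPID: *true' 'hostIPC: *true'; do
    if grep -Eq "$key" "$file"; then
      echo "reject $file: contains $key"
      rc=1
    fi
  done
  return $rc
}

# Remove the local pod and start it again from the YAML, the same file a
# cluster would consume.
replay() {
  podman pod rm -f "$POD"
  podman kube play "$OUT"
}

if [ "${1:-}" = "run" ]; then
  create_pod && export_yaml && lint_kube_yaml "$OUT" && replay
fi
```

`lint_kube_yaml` works on any pod manifest, not only Podman's output, so the same check can sit in a pre-commit hook for manifests destined for a cluster.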
Docker Compose Compatibility
Podman offers robust support for Docker Compose, enabling developers to migrate existing Docker Compose workflows with minimal friction. By emulating Docker Compose commands, Podman allows users to leverage their existing scripts and configurations.
“You can take your existing Docker Compose file and Podman will honor that.”
— Brent Boddy [31:52]
Furthermore, Podman provides the podman compose command, ensuring familiarity for those transitioning from Docker.
Production Usage and Real-World Examples
While specific production use cases remain confidential, Brent highlights Podman's adoption across various sectors, including government agencies, HPC (High-Performance Computing) communities, banking, and financial services. These industries appreciate Podman's security, performance, and flexibility.
“...we have a lot of government agencies using it. HPC community has definitely accepted...”
— Brent Boddy [36:02]
Notably, HPC environments benefit from Podman's ability to handle massive scales and low-latency container operations.
Roadmap and Future Features
Looking ahead, Podman’s roadmap includes:
- Enhanced OCI Support: Expanding OCI artifact support on Mac and Windows.
- Rootless Networking Improvements: Advancing projects like Pasta for better networking.
- Integration with Quadlets: Streamlining container as a service with systemd.
- Optimized Push/Pull Speeds: Implementing partial pulls to reduce network traffic.
- GPU and Alternative Architecture Support: Enhancing compatibility for diverse hardware.
“We see an increased adoption of composefs in particular for edge deployments...”
— Brent Boddy [24:18]
These developments aim to bolster Podman's performance, usability, and integration within diverse environments.
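As an added example of the Quadlet integration mentioned in the roadmap (not from the episode or the Podman project), the script below renders a `.container` unit for a rootless user, installs it where Quadlet looks for user units, and starts the service systemd generates from it. Quadlet ships with Podman 4.4 and later; the unit name, image, port and capability list are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the episode or the Podman project. A Quadlet
# ".container" file is a systemd unit with a [Container] section; on
# daemon-reload Quadlet turns it into an ordinary .service.

UNIT=web-demo.container

# Directory Quadlet scans for a rootless user's units.
quadlet_dir() {
  echo "${XDG_CONFIG_HOME:-$HOME/.config}/containers/systemd"
}

# The unit itself. Every [Container] key below maps onto a podman run flag,
# so the hardening used on the command line can be committed to a file and
# reviewed like any other configuration.
render_unit() {
  cat <<'EOF'
[Unit]
Description=Example web server run by Quadlet

[Container]
Image=docker.io/library/nginx:alpine
ContainerName=web-demo
PublishPort=8080:80
DropCapability=ALL
AddCapability=CHOWN SETUID SETGID NET_BIND_SERVICE
NoNewPrivileges=true

[Service]
Restart=on-failure

[Install]
WantedBy=default.target
EOF
}

# Write the unit, let systemd regenerate services, and start it. The service
# name is the file name with .container replaced by .service.
install_unit() {
  dir=$(quadlet_dir)
  mkdir -p "$dir"
  render_unit > "$dir/$UNIT"
  systemctl --user daemon-reload
  systemctl --user start "${UNIT%.container}.service"
  systemctl --user --no-pager status "${UNIT%.container}.service"
}

if [ "${1:-}" = "install" ]; then
  install_unit
fi
```

Because the container is a plain systemd service, `journalctl --user -u web-demo.service` shows its logs and `systemctl --user enable` makes it start at login, with no daemon other than systemd involved.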
Unique Features and Design Decisions
Brent shares some quirky and unique features of Podman that enhance user experience:
- Run Label: Allows embedding run configurations within OCI image labels, simplifying container execution without extensive command-line options.
“You can have a label attribute on the OCI image that says this is how I want to run this image.”
— Brent Boddy [39:12]
- Pods Management: Emphasizing the importance of managing containers in pods, simplifying networking and shared namespaces.
“People forget that we run pods. And there are advantages to running containers in pods.”
— Brent Boddy [39:12]
- Podman Desktop Integration: Provides a GUI for managing containers on Mac and Windows, complementing the CLI-based operations.
“...you can run podman with the CLI just like you would in Linux. You just got to initialize a machine and have it running...”
— Brent Boddy [22:58]
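The run-label feature from the list above, as an added example that is not from the episode or the Podman project: the intended `podman run` command is baked into an image label and executed with `podman container runlabel`, which substitutes the `$IMAGE` and `$NAME` placeholders before running it. It assumes podman; the image name, container name and the `label_value` helper used for offline review are this example's own.

```shell
#!/bin/sh
# Added example, not from the episode or the Podman project.

IMAGE=localhost/runlabel-demo:latest

# The label is an ordinary OCI image label, readable with image inspect, so
# the command it carries can be reviewed before anything runs. The heredoc is
# quoted so ${NAME} and ${IMAGE} reach the image literally for podman to fill.
render_containerfile() {
  cat <<'EOF'
FROM docker.io/library/alpine:3.20
LABEL run="podman run -d --rm --name ${NAME} --read-only --cap-drop=ALL ${IMAGE} sleep 60"
LABEL maintainer="example"
EOF
}

build_image() {
  dir=$(mktemp -d)
  render_containerfile > "$dir/Containerfile"
  podman build -t "$IMAGE" "$dir"
  rm -rf "$dir"
}

# Show the label as stored, then what runlabel would execute, then run it.
run_from_label() {
  podman image inspect --format '{{index .Config.Labels "run"}}' "$IMAGE"
  podman container runlabel --display run "$IMAGE"
  podman container runlabel --name runlabel-demo run "$IMAGE"
  podman ps --filter name=runlabel-demo
  podman stop runlabel-demo
}

# Pull the value of one LABEL out of Containerfile text on stdin, for
# reviewing the embedded command offline (runlabel reads it from the image).
label_value() {
  key=$1
  sed -n "s/^LABEL ${key}=\"\(.*\)\"\$/\1/p"
}

if [ "${1:-}" = "run" ]; then
  build_image && run_from_label
fi
```

`--display` is the step worth keeping in any pipeline that consumes third-party images with run labels: it prints the fully substituted command without executing it, so the hardening flags (or their absence) are visible before the container starts.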
These features showcase Podman's versatility and user-centric design.
Conclusion
The episode wraps up with Brent expressing enthusiasm for community contributions and the ongoing evolution of Podman within the CNCF ecosystem. He emphasizes the importance of transparency and collaboration in driving Podman's success.
“Nothing makes us happier than someone who files a request for enhancement or an RFP on our issues page, describes it, and several of us comment like, yeah, that's a great idea.”
— Brent Boddy [41:23]
Jordi thanks Brent for his insights, wishing Podman continued success as it matures and gains wider adoption.
Key Takeaways:
- Podman is a robust, daemonless container management tool prioritizing security and performance.
- OCI Standards ensure broad compatibility and interoperability within the container ecosystem.
- Podman’s rootless containers and daemonless architecture offer significant security and resource management advantages.
- Integration with Buildah and support for Docker Compose facilitate seamless workflows for developers.
- Podman is actively evolving with a clear roadmap, robust community support, and growing adoption across diverse industries.
For those keen on exploring Podman, this episode provides a comprehensive overview of its capabilities, design philosophy, and future directions, making it a valuable resource for both newcomers and seasoned professionals in the container space.
