ArcLibrary

Docker / Podman / containerd

Three container runtimes — who's who, and when to pick which.

Key Idea

In one line: Docker is the mass-market standard, containerd is the lower-level runtime underneath it (and the Kubernetes default), and Podman is the daemonless, Docker-CLI-compatible alternative that runs rootless when started by an unprivileged user. All three speak the OCI image and runtime specs, so images built by one run on the others.

What it is#

What you type              What actually runs
docker run …        →  dockerd → containerd → runc → container process           (root daemon)
podman run …        →  podman → conmon → crun / runc → container process         (no daemon; your user, or root if you are root)
kubelet / crictl …  →  containerd (CRI plugin) or CRI-O → runc → container process (K8s side)

runc (or crun, a C reimplementation Podman commonly uses) is the small OCI runtime that actually makes the kernel calls: it creates the namespaces, joins the cgroup, pivots the root filesystem and execs the container process. Every layer above it only prepares the bundle and hands it down, so a bug or a misconfiguration at that bottom layer is shared by all three stacks.

Analogy#

By way of analogy

runc = the bricklayer; containerd = the foreman — manages workers, scheduling, timing; Docker / Podman = project manager + customer-facing rep — you order at the CLI, they arrange.

Side-by-side#

Docker Desktop / dockerd
Needs a background daemon running as root; anyone who can write to its socket (`/var/run/docker.sock`, usually the `docker` group) can get root on the host. Easiest for desktop use and for beginners.
Podman
No daemon: each `podman` command forks the container itself (via conmon). `alias docker=podman` is a near drop-in. Rootless is first-class: run as an unprivileged user, container root maps to a subordinate UID from `/etc/subuid`.
containerd
Default runtime for modern Kubernetes (CRI-O is the other common choice). Day-to-day you drive it with `crictl` (CRI-level, for debugging nodes) or `nerdctl` (Docker-like CLI).
K8s perspective
Early Kubernetes talked to dockerd through dockershim; 1.24 removed it, and the kubelet now talks to containerd or CRI-O directly over CRI.

How it works#

Practical notes#

  • CLI compatibility — Podman implements almost all `docker` subcommands with the same flags; for most scripts you can swap the binary and change nothing. Check the few gaps (Swarm, some Compose features) before relying on it in CI.
  • Rootless by default — Podman run by an unprivileged user, and Docker in rootless mode (20.10+), start containers inside a user namespace: uid 0 in the container is a subordinate UID on the host, so a container breakout lands as that user, not as root. Verify it rather than assume it: `cat /proc/self/uid_map` inside the container shows `0 0 4294967295` for real root and a remapped range (e.g. `0 100000 65536`) for rootless.
  • Native Pod concept — `podman pod create` groups containers that share the network namespace (and can share others), the same model as a Kubernetes Pod; `podman generate kube` exports the pod as Kubernetes YAML and `podman play kube` runs such YAML locally.
  • K8s no longer needs dockershim — since 1.24 the kubelet uses containerd or CRI-O natively. The image format is unchanged (OCI), so artifacts built with `docker build` still run; what changed is only the node-side runtime.
  • Single-host pick — for long-running workloads on one host, Podman with systemd quadlets (a `.container` unit file that systemd turns into a service) is more systemd-native than dockerd: restarts, dependencies, logging and rootless user services come from systemd rather than from the daemon.
  • Audit / compliance — with no root daemon and no socket that is equivalent to root, Podman's privilege boundary is the calling user's, which is simpler to reason about and, the page's claim, easier to certify than a dockerd deployment where socket access must be audited as root access.
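The rootless check described in the notes above (and implied by the root-daemon vs. no-daemon split in "What it is"), as an added shell example that is not code from the ArcLibrary page or from the Docker, Podman or containerd projects. It classifies a `/proc/<pid>/uid_map` text, so you can run it inside a container or from the host against a container's PID. The two sample maps are constructed, not captured; the `podman inspect` template in the comment is the only assumption about a real CLI.

```shell
#!/bin/sh
# Added example (not from the ArcLibrary page or the runtime projects).
#
# /proc/<pid>/uid_map has one range per line:
#   <first uid inside the ns> <first uid in the parent ns> <range length>
# A container started by root dockerd with no userns-remap shows the identity map
#   0 0 4294967295
# A rootless Podman container shows the user's uid plus a /etc/subuid range, e.g.
#   0 1000 1
#   1 100000 65536

# uidmap_class MAPTEXT
#   prints "root-identity"   and returns 1 when inside-uid 0 maps to host uid 0
#   prints "rootless"        and returns 0 when it maps to a non-zero host uid
#   prints "no-root-mapping" and returns 2 when no range starts at inside-uid 0
uidmap_class() {
    printf '%s\n' "$1" | awk '
        NF == 3 && $1 == 0 {          # the range that contains inside-uid 0
            seen = 1
            host_root = $2            # host uid that container root becomes
        }
        END {
            if (!seen)          { print "no-root-mapping"; exit 2 }
            if (host_root == 0) { print "root-identity";   exit 1 }
            print "rootless"; exit 0
        }'
}

# uidmap_class_of_pid [PID]
#   Classify a running process; defaults to the caller. From the host you can
#   pass a container's PID, e.g. "$(podman inspect -f '{{.State.Pid}}' NAME)"
#   (assumed usage; inspect output format is Podman's, not verified here).
uidmap_class_of_pid() {
    uidmap_class "$(cat "/proc/${1:-self}/uid_map")"
}

# Constructed sample inputs (not captured from a real system):
ROOT_DOCKER_MAP='0 0 4294967295'
ROOTLESS_PODMAN_MAP='0 1000 1
1 100000 65536'

uidmap_class "$ROOT_DOCKER_MAP"     || true   # root-identity
uidmap_class "$ROOTLESS_PODMAN_MAP" || true   # rootless
```

To use it for real, copy the script into an image and run `podman run --rm IMAGE sh check.sh` once as an unprivileged user and once with `sudo`; the second run reports `root-identity`, which is exactly the case where a breakout is a host-root breakout. The same check inside a `docker run` container distinguishes a rootless Docker setup from a default one.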

Easy confusions#

Docker
Background dockerd daemon running as root; socket access equals root.
Most mature ecosystem and tooling.
Podman
Daemonless; rootless whenever an unprivileged user runs it (root when root does).
Docker-compatible CLI, native Pod support.

Further reading#