So I was wondering why this is the case. The answer is simple and interesting: there are new tools ready to use which create the same OCI-compliant container images but follow a different concept. It is the Unix concept: one tool should do one task properly and also connect easily with other tools. The famous Docker daemon is a single point of entry for the client, for building images and for pushing images, and - as you can read in more depth elsewhere - requires root access and thus can be dangerous.
So what are the new tools? First, there is no daemon anymore. There is "buildah" for building, there is "podman" for running and there is "skopeo" for interaction with images and image registries. There is some overlap in the functionality of the tools, but it is not really an overlap: they are just re-using the same libraries. For example, you can inspect images with all three tools. And you can use dockerfiles to build images using buildah.
So I spent half a day reading about and discovering buildah and podman, and afterwards I removed docker from my main system. Yes - that fast. With buildah and podman I don't need docker anymore. One reason is that I use containers more and more, but I am not a hardcore user. As I develop in Java, I create containers in my workflows using Maven and push them to a local Artifactory. I use Jenkins and Ansible for automation. And buildah and podman have implemented a lot of functionality which is exactly the same as in docker: e.g. a "docker ps" becomes a "podman ps". So for me the switch was easy: "dnf install buildah podman skopeo" - that's all.
Docker laid the ground for the container technology. Now the new tools have re-invented and advanced the idea of containers and images.
The tools add some functionality on top of what docker provides. But again, the result is an OCI-compliant image that will run everywhere, with any tool that implements the OCI specification. So you can build with buildah and run with docker, or you can build with docker and run with podman.
The other reason why I got away from docker so quickly is clearly buildah - the tool to build container images. Buildah is scriptable - it does not use a DSL like docker does with its dockerfiles. So you have the freedom to use all the tools and features of scripts and languages to build the images.
The next strong point for buildah is that it creates a working container at the beginning of the process. Docker processes a dockerfile and creates an image in one go, without the possibility to interact. Buildah has this working container, which you can interact with and inspect at any moment - it is easier to see what you get. And buildah lets you decide when to write a filesystem layer. This helps in optimizing the build and I believe it's better for developers' workflows.
As you probably know, container images are all about cgroups and namespaces, and in the end the container that is created and runs is just a process running on the host. And it has its own filesystem. During the build process with buildah, one can mount the container's filesystem locally. Once it is mounted, you can inspect the filesystem, or you can e.g. copy files into it or create folder structures.
All in all, with buildah you have more fine-grained control over the build process. It feels very natural, and the transition from docker to the new tools is straightforward - of course with some learning on advanced features, such as rootless versus rootful containers and their impact on networking, or how to use the tools to generate a systemd file to run the container using an init system.
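The build flow described above (working container, locally mounted filesystem, one explicit commit), as an added example that is not part of the original post. The base image, artifact path, tag and UID 1001 are placeholders; in rootless mode the script is assumed to be started under "buildah unshare", because "buildah mount" needs that user namespace.

```shell
#!/bin/sh
# Added example, not from the original post. Image names, paths and the
# UID are constructed placeholders.
# Usage (rootful):  ./build.sh <base-image> <path/to/app.jar> <tag>
# Usage (rootless): buildah unshare ./build.sh <base-image> <app.jar> <tag>
#   'buildah mount' needs the user namespace that 'buildah unshare' enters.
set -eu

# Fill the working container's filesystem from the host, then set metadata.
# 'buildah mount' prints the path of the container's rootfs on the host.
populate() {
    p_ctr=$1; p_artifact=$2
    p_mnt=$(buildah mount "$p_ctr") &&
    mkdir -p "$p_mnt/opt/app" &&
    cp "$p_artifact" "$p_mnt/opt/app/app.jar" &&
    chmod 0444 "$p_mnt/opt/app/app.jar" &&
    buildah umount "$p_ctr" >/dev/null &&
    # Run as an unprivileged UID instead of the default root user.
    buildah config --user 1001:1001 \
        --entrypoint '["java","-jar","/opt/app/app.jar"]' "$p_ctr"
}

build_image() {
    b_base=$1; b_artifact=$2; b_tag=$3
    # 'buildah from' creates the working container; no image exists yet.
    b_ctr=$(buildah from "$b_base") || return 1
    # Nothing is written as an image layer until 'commit' runs.
    if populate "$b_ctr" "$b_artifact" &&
       buildah commit "$b_ctr" "$b_tag" >/dev/null; then
        b_rc=0
    else
        b_rc=1
    fi
    # Always drop the working container, also after a failed build.
    buildah rm "$b_ctr" >/dev/null
    return "$b_rc"
}

if [ "$#" -eq 3 ]; then
    build_image "$@"
fi
```

The resulting image can then be started with "podman run" under the tag passed as the third argument.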
I stop here for the moment. I haven't really looked a lot at "skopeo" - I just did some basic checks. I will come back to it later. Have a look at buildah: you can start building in 5 minutes on the console, and then you can easily write your first shell script that uses buildah to create an image.
Here are some links:
- buildah: buildah.io
- podman: podman.io
- skopeo: github.com/containers/skopeo
- Red Hat: Podman and Buildah for Docker Users
Carpe Diem.