[TheDong]

Problems having a daemon solves:

1. You need a watchdog process anyways to handle stdout/stderr processing (to not block those pipes), namespace setup and teardown, etc. Why not have 1 daemon, rather than 1 daemon per container?

2. You need root to setup networking and various security controls (seccomp etc). Having a daemon lets an unprivileged user delegate to a privileged daemon. This was especially important in the early days when rootless containers and slipr4netns didn't exist or were immature.

3. You need to avoid contention between two "docker run" commands, such as avoiding downloading the same image twice, or running the same name twice, or so on. In-memory locks are really easy to get right and cheap

4. You need to be able to efficiently gather state for things like "docker ps" etc to work. A daemon lets you cache a lot of information very easily.

5. A daemon lets you provide a clean rest API to other components that want to "exec" or "list containers" or so on. Without a daemon, your API is just "exec this command, use stderr/stdout", which is worse, right? An API also helps immensely with "docker desktop" like stuff, where you want to run a client on the host, and run containers on a linux VM. I guess the daemonless answer there is "exec over ssh", which is slow, and also eww.

So, how does podman solve these? I'll number them the same:

1. Watchdog process per container (N daemons) plus centralized systemd daemon if you want to background a container, or for restarts to actually work.

2. slipr4netns, which is buggy and still less featureful than docker networking. It also just doesn't implement various security features that would require a privileged component to setup, and makes it harder to run root-ful containers.

3. Contention is avoided with an incredibly over-engineered filesystem locking scheme that has had a long history of deadlocks and bugs.

4. Again, the filesystem locking scheme and api. It's slow, can't cache well, and also has a long history of deadlocks

5. The API for podman is uh... "run a daemon" https://docs.podman.io/en/latest/markdown/podman-system-serv... lol. Except how does another app know if you ran the API because it's optional? This makes it so other applications that want to integrate with podman have to say "use podman and also run the podman daemon if you're not, and if you forget we won't auto-detect podman sorry".

In general, podman's answer to all the problems the daemon solves seem materially worse, and more overengineered. Except to the API bit, where their answer is to post all over the place "podman is daemonless", but then to package a daemon, which is just funny.

[WesolyKubeczek]

> Why not have 1 daemon, rather than 1 daemon per container?

Having a daemon per container has this little advantage that if something manages to bring down one of the daemons, it won't bring down the whole shebang.

[amelius]

Also side-channel attacks.

E.g. if one user downloads a container, and then for another user it is already in the cache, this gives the other user information about the first user.

[Fire-Dragon-DoL]

Isn't this pointless, since if the other user has access to docker, they basically have root access to the machine?

[amelius]

I don't think users need to have root access to use Docker.

[Fire-Dragon-DoL]

No, but unless they run in rootless mode, they can mount any directory and write on it as root

[seba_dos1]

They don't, but if you have given them access to Docker then it's just as if you had given them access to root.

[fillest]

Why is watchdog needed at all? There is systemd or any other pid1, stdout/stderr should go to journal without any middleware.