DOCKER VS PODMAN: ROOTLESS NETWORKING, BENCHMARKS & RUNTIME SHOWDOWN (2026)
Updated June 2026: This guide has been refreshed for Docker Engine v29.5.3 (June 2026) and Podman v5.8.2 (April 2026). We have updated all benchmarks and architectural details to reflect the stabilization of the
containerdimage store in Docker and the maturation of pasta as the default rootless networking backend in Podman.
Is the “container war” finally over? For years, we’ve debated Docker vs. Podman like it was a sports rivalry—Team Daemon vs. Team Rootless. But as we head into 2026, the conversation has shifted fundamentally. It’s no longer about “which one wins,” but about “which one fits” in a landscape that has become surprisingly specialized.
Who Is This Guide For?
If you are a DevOps engineer deciding on a base for your next CI/CD pipeline, a developer trying to speed up local image builds, or a security architect weighing the risks of the Docker daemon, this comparison is for you. Whether you’re running on a M3 MacBook Air or a cluster of RHEL servers, there is a “correct” choice here.
By the end of this, you’ll know:
- Which runtime wins on raw network throughput in rootless environments.
- How Docker 29’s new storage engine affects your existing workflows.
- Why Podman’s move to SQLite and the
pastabackend changes the “rootless tax” math. - When to skip the big two and go straight for
nerdctlor purecontainerd.
The reality in 2026 is that you shouldn’t just pick one. The most successful engineering teams I talk to use a mix: Docker for local dev, Podman for secure CI pipelines, and containerd for production.
Let’s dive deep into what’s actually new and why you might want to rethink your alias docker=podman strategy.
1. The Developer Experience War: Docker 29 and the containment shift
For a long time, Docker Desktop’s main selling point was “it works on Mac.” Podman Desktop has largely caught up there, so Docker shifted the goalposts. In 2026, Docker isn’t just running containers; it’s trying to manage your AI workflow while unifying its core architecture.
The Containerd Image Store Revolution:
In Docker v29 (v29.5.3 current), the containerd image store has become the default for new installations. This is the biggest architectural change since the introduction of containerd itself.
- Why it’s a big deal: It eliminates the “two worlds” problem where Docker and Kubernetes (CRI) saw images differently. Now, Docker uses the same snapshotter logic as production nodes.
- Performance Gain: This enables native support for Image Streaming (lazy pulling), allowing multi-platform images to be handled with zero overhead.
- The Gotcha (The Upgrade Trap): While the containerd store is the default for new installs in v29.0, if you are upgrading an existing node, Docker Engine will stick to legacy graph drivers (
overlay2). You must manually enable the store indaemon.jsonto move to the new architecture. Note that this requires a minimum API version of 1.44.
Docker Desktop’s AI & Wasm Push:
- Model Runner: You can now pull and serve LLMs (like Llama 3.2 or Gemma 2) as easily as a standard image. It handles the NVIDIA/AMD/Metal driver orchestration automatically.
- Wasm-as-a-Container: While Docker led with
WasmEdgesupport, Docker 29 has stabilized therunwasishim, allowing you to run WebAssembly payloads with a memory footprint a fraction of a typical Alpine container.
Podman Desktop’s Counter:
Podman isn’t sitting still. The Podman AI Lab extension provides a fully open-source alternative. It allows you to run local LLMs using llama.cpp backend with hardware acceleration on Apple Silicon (Metal) and Windows/Linux (Vulkan). The key difference? It’s free, open-source, and runs entirely on your hardware without phoning home.
Verdict: If you want a “batteries included” AI dev environment with a heavy feature set, Docker Desktop wins. If you want a lean, secure, open-source stack that feels more like “native Linux,” Podman Desktop is Finally ready for prime time.
2. The Systemd & Performance Revolution: Podman 5.8
If you run containers on Linux servers (not Kubernetes, just raw servers), this is the most important update of the year. Podman has moved beyond being a “Docker alias” to a distinct, system-aware beast.
Pasta Networking:
In Podman 5.8 (v5.8.2 current), the pasta networking stack is the refined default for rootless containers. Unlike the old slirp4netns which used a slow user-space proxy, pasta maps host sockets directly into the container namespace.
- The Impact: Red Hat documents that pasta is “more efficient than slirp4netns” and has been the default rootless backend since RHEL 9.5. It reflects the host’s actual L4 state directly into the container, eliminating the NAT overhead that bottlenecked slirp4netns.
Performance & CLI Optimization:
Podman 5.8.2 introduces several optimizations for automated workflows. The new --no-session flag for podman exec is a killer for high-concurrency loops; it disables session tracking to prune startup latency on every call.
- Parallel Pulls: The team has significantly optimized concurrent pulls, reducing the “dead air” time when fetching multi-layer images across high-latency links.
SQLite over BoltDB: Podman is finally migrating its internal state store from BoltDB to SQLite. While this sounds like a minor implementation detail, it eliminates database locking issues that used to haunt high-concurrency CI environments. In Podman 5.8.2, this migration is increasingly automated, reducing filesystem corruption risks during abrupt machine reboots.
The Quadlet Standard:
Quadlet is now the mature, recommended way to handle container persistence. Instead of generating systemd units, you write .container files which Quadlet (Podman’s systemd generator) turns into native .service files at boot.
Pro Tip (The “C” Speedup):
In 2026, high-density environments are moving from runc (written in Go) to crun (written in C). Because crun has zero garbage collection overhead and a significantly smaller memory footprint (roughly half of runc per container), it can noticeably reduce per-node runtime overhead in high-pod-density scenarios. Both Docker and Podman support it; but Podman usually defaults to it on Fedora/RHEL derivatives.
3. nerdctl: The Bleeding Edge
Docker is conservative. It has to be; it breaks millions of users if it changes too fast. nerdctl (containerd ctl) is where the future happens first.
Lazy Pulling (Stargz):
Waiting for 2GB images to pull before your app starts is so 2020. nerdctl supports Stargz (Seekable tar.gz). It pulls the image metadata instantly and fetches the actual file chunks on demand as the application tries to read them.
- Result: Containers start in seconds, even if the image is massive.
IPFS Distribution:
This is a niche but fascinating feature. nerdctl natively supports pulling images from IPFS (InterPlanetary File System).
nerdctl run ipfs://bafkreicn...
If you are building decentralized infrastructure or want to avoid reliance on a central registry (Docker Hub down again?), this is a killer feature.
Native WASM:
While Docker relies on shims, nerdctl treats WebAssembly as a first-class runtime via the runwasi
project. You can swap between runc (for Linux containers) and a WASM shim like io.containerd.wasmtime.v1 using the --runtime flag, making it the best tool for hybrid Kubernetes nodes. For a hands-on guide to migrating from Docker to nerdctl, see my nerdctl for Docker refugees walkthrough
.
4. Security & The Rootless Networking Bottleneck
I used to tell every security-conscious client: “Just use Podman. Docker requires root; it’s a security risk.”
Docker Engine 19.03+ introduced rootless mode, which has steadily matured into a production-ready option. It uses user namespacing to map the root user inside the container to a non-privileged user on the host.
However, security-conscious teams know the “rootless tax”: you run a daemon without privileges, but you pay for it in network throughput. Because a non-root user cannot natively route traffic via kernel iptables or create traditional bridges, rootless containers have historically relied on user-space proxies like slirp4netns. This proxy translates TCP/UDP packets into syscalls on the host—creating context-switching overhead that artificially bottlenecks high-throughput applications.
Docker 29.5 changed the game: Since Docker 29.5.0 (May 2026), the default rootless network driver is now gvisor-tap-vsock instead of slirp4netns. This new driver uses a virtual networking stack that performs significantly better than the old user-space proxy. The legacy slirp4netns is no longer even installed via Docker packaging.
In 2026, the landscape of rootless network alternatives has drastically improved. Here’s how the backends compare. Note: slirp4netns and bypass4netns numbers come from published iperf3 benchmarks (arXiv:2402.00365) . Pasta and gvisor-tap-vsock numbers are estimates based on available community data.
| Backend | Throughput (rootless) | Source | Best For |
|---|---|---|---|
| slirp4netns (legacy) | ~570 Mbps | arXiv:2402.00365 | Legacy, compatibility only |
| gvisor-tap-vsock (Docker 29.5+ default) | est. 5-8 Gbps | No published benchmarks yet | General rootless workloads |
| pasta (Podman default) | est. 8-10 Gbps | Red Hat docs — “more efficient than slirp4netns” | General rootless workloads |
| bypass4netns | ~19.7 Gbps | arXiv:2402.00365 | Latency-sensitive databases |
| rootful (baseline) | ~17.9 Gbps | arXiv:2402.00365 | When root is acceptable |
pasta(The New Standard): Replacing legacy SLIRP,pasta(from thepasstproject) reflects your host’s actual L2/L4 config directly into the container namespace instead of performing heavy user-space NAT. It scales significantly better across multiple cores. (See my deep dive into Podman’s pasta upgrade ).bypass4netns(The Speed Demon): For workloads requiring near-native bare-metal speed while running rootless,bypass4netnsuses Seccomp notifications (SECCOMP_IOCTL_NOTIF_ADDFD) to intercept socket calls and graft them directly onto host sockets. In published iperf3 benchmarks , rootless containers with bypass4netns achieved 19.7 Gbps versus 570 Mbps without it — a 34x improvement. Tools likenerdctlnatively integrate it today. For a broader look at rootless container security in 2026, check my rootless container security deep dive .
5. Performance Showdown (2026 Benchmarks)
The numbers below are estimates based on published benchmarks and community testing . Actual results vary by workload, kernel version, and storage backend.
| Metric | Docker (Rootful) | Podman (Rootless w/ pasta) | nerdctl (+ bypass4netns) |
|---|---|---|---|
| Network Throughput | ~17.9 Gbps (rootful baseline) | est. 8-10 Gbps | ~19.7 Gbps |
| Source | arXiv:2402.00365 | Red Hat docs | arXiv:2402.00365 |
The throughput numbers tell the real story. bypass4netns with nerdctl actually outperforms rootful containers (19.7 Gbps vs 17.9 Gbps) by bypassing iptables and bridge overhead entirely. Podman’s pasta offers a strong middle ground — significantly faster than legacy slirp4netns without requiring the Seccomp complexity of bypass4netns.
The 2026 Verdict:
- Podman continues to win on resource efficiency. If you are running 50+ microservices on a single node, the ~100MB saving per engine instance versus the “shim tax” adds up fast.
- nerdctl + bypass4netns is the internal performance king for rootless workloads. If you need the security of rootless but the raw throughput of a database, this is the stack.
- Docker remains the “easiest” for complex builds (thanks to BuildKit), but the gap in rootless networking is almost gone thanks to the native containerd store integration.
6. Migration Guide: Avoiding the “It Works on My Machine” Trap
So you want to switch from Docker to Podman or nerdctl? Here are the 2026 roadblocks to watch for:
The
docker.sockAddiction: Many dev tools (Testcontainers, VS Code Dev Containers) expect to find a socket at/var/run/docker.sock.- Podman Fix:
systemctl enable --now podman.socketand symlink it. Most tools verify this works now, but older scripts might choke. - nerdctl Fix: It doesn’t use a daemon, so no socket. You cannot use tools that rely on the Docker API with nerdctl (unless you run rootlesskit or similar adapters, which gets messy).
- Podman Fix:
DNS Resolution: Docker has an internal DNS server that allows containers to talk to
host.docker.internal. Podman hashost.containers.internal, but the behavior differs slightly depending on if you use thepastaorslirp4netnsnetwork backend. Expect to debug networking for a day.Volume Permissions: In rootless mode (Podman/Docker), users inside the container often map weirdly to users outside. You might mount a volume and find your app can’t write to it because it thinks it’s owned by “nobody.” You’ll need to learn about
uidmapto fix this.
Final Recommendations
The “Mix and Match” Strategy for 2026:
- Local Dev: Use Docker Desktop if you want the AI features and easy UI. Use Podman Desktop if you are on Linux or want a free, open-source stack.
- CI/CD: Use Podman. It’s daemonless model means you don’t need to do scary “Docker-in-Docker” hacks with privileged mode. It just works and is safer.
- Production: Run containerd (managed by your cloud provider’s Kubernetes).
- Debugging Prod: Install nerdctl on your bastion hosts. It gives you the Docker CLI feel but talks directly to the production containerd socket.
The container landscape has evolved from a monolith to a rich ecosystem of specialized tools. Whether you’re optimizing for developer velocity with Docker, locking down security with Podman, or pushing the edge with nerdctl, the power lies in knowing when to use each. Don’t let muscle memory dictate your infrastructure decisions.
Ultimately, 2026 isn’t about finding a single tool to rule them all; it’s about the maturity of the ecosystem. We finally have the luxury of choice. The “container wars” didn’t end with a winner taking all—they ended with us, the engineers, winning the freedom to build infrastructure that is faster, safer, and more efficient than ever before.