
Choosing a Container Runtime

I want to containerize the software or pipeline of my project, but there are multiple containerization technologies. How do I choose one?

Context

There are at least 2 constraints that define your choice:

  • Root access: Docker requires root privileges by default, and these are often restricted in security-sensitive environments such as hospitals and HPC systems.
  • HPC: Docker and Podman use image formats less suited for HPC workloads, where Singularity excels with a format tailored for performance and portability in distributed systems.

If neither of these constraints applies to you, Docker is generally a safe choice, as it is the most widely supported by frameworks and services.

Details

Docker

Docker is the most widely used container management system. It requires root access by default. Docker images follow the OCI standard and are composed of layers which can be reused in other images.

Podman

Podman is a modular daemonless container engine that requires tools like buildah to build containers and skopeo to move container images between different types of storage systems (e.g. copy images between docker.io, quay.io, internal registry or local storage). This modular approach to containerization provides a flexible, lightweight environment with isolated features. It also follows the OCI standard.

More info: https://www.redhat.com/en/topics/containers/what-is-podman

SingularityCE / Apptainer

Singularity is optimized for HPC systems. It does not require root access and uses a different image format (SIF) than the OCI standard used by Docker. The SIF format is a single file containing a SquashFS filesystem, which is more appropriate for HPC systems than the layer system used by Docker. It also supports high-performance features such as InfiniBand, MPI and graphics accelerators.

In 2017, the Singularity project split into 2 entities:

  • SingularityCE: Maintained by the company Sylabs
  • Apptainer: Joined the Linux Foundation and is independent of any company
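
A host pre-flight check for the two constraints listed under Context, added here as an example (it is not code from the original page). The function names are hypothetical; the script treats both constraints as hard filters and assumes Podman is run rootless.

```shell
#!/bin/sh
# Added example, not from the original page; function names are hypothetical.
# docker_mode SECURITY_OPTIONS
# Input: text printed by `docker info --format '{{.SecurityOptions}}'`.
# A rootless daemon lists "name=rootless"; anything else is treated as rootful.
docker_mode() {
    case "$1" in
        *name=rootless*) echo rootless ;;
        *)               echo rootful ;;
    esac
}

# usable_runtimes ROOT_ALLOWED HPC DOCKER_MODE [INSTALLED...]
# ROOT_ALLOWED and HPC are yes|no; DOCKER_MODE is rootful|rootless|none.
# Prints the installed runtimes that pass both constraints (assumption: the
# page's two constraints are applied as hard filters).
usable_runtimes() {
    root_allowed=$1 hpc=$2 mode=$3
    shift 3
    out=""
    for rt in "$@"; do
        case "$rt" in
            docker)
                [ "$hpc" = no ] || continue
                # A rootful daemon needs root or root-equivalent socket access.
                [ "$mode" = rootless ] || [ "$root_allowed" = yes ] || continue ;;
            podman) [ "$hpc" = no ] || continue ;;
            apptainer|singularity) ;;
            *) continue ;;
        esac
        out="$out${out:+ }$rt"
    done
    echo "$out"
}

# probe_host ROOT_ALLOWED HPC: detect installed runtimes, then filter them.
probe_host() {
    installed="" mode=none
    for rt in docker podman apptainer singularity; do
        if command -v "$rt" >/dev/null 2>&1; then installed="$installed $rt"; fi
    done
    case "$installed" in
        *docker*) mode=$(docker_mode "$(docker info --format '{{.SecurityOptions}}' 2>/dev/null)") ;;
    esac
    # Word splitting of $installed is intended here.
    usable_runtimes "$1" "$2" "$mode" $installed
}

if [ "${1:-}" = --probe ]; then probe_host "${2:-no}" "${3:-no}"; fi
```

Invoke the script with `--probe ROOT_ALLOWED HPC` (each `yes` or `no`) to inspect the current host. If `docker info` cannot reach the daemon, the daemon is conservatively treated as rootful.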