Docker made containers approachable, and its build, run, and Compose workflow is still the reference everyone learns first. Two things push people to look elsewhere: Docker Desktop now requires a paid subscription for larger companies, and the classic engine runs through a single daemon as root, which security teams would rather not have sitting on every developer's machine and build host.
The open source tools below build and run the same OCI images from the same Dockerfiles, so your existing workflow mostly carries over. Several run rootless or daemonless, which shrinks the attack surface, and because the whole stack is open you can audit it, self-host your registries, and skip the desktop license entirely.
Vault is a tool for securely accessing secrets such as API keys, passwords, and certificates. It provides a unified interface to secrets, tight access control, detailed audit logs, and encryption as a service for data you need to protect.
Podman is a tool for managing OCI containers and pods. It manages containers and images, volumes mounted into containers, and pods made from groups of containers. It runs containers on Linux and can be used on macOS and Windows through a Podman-managed virtual machine.
containerd is a container runtime daemon for Linux and Windows. It manages the complete container lifecycle on a host system, including image transfer and storage, container execution and supervision, and low-level storage and network attachments. It is designed to be embedded into larger systems rather than used directly by developers or end users.
