I keep reading about podman, yet it doesm’t FEEL as mature to me as docker for a normal user like me. What’s your opinion? Did you already switch or do you keep waiting for … for what? When will you switch?
Podman didnt silently rewrite my firewall rules upon install
10/10 would recommend
I do not even want to know how many databases are openly available because of that shit.
It changes packet routing because you’re asking it to map a container port to the host public interface. How else would that occur? And what would be the point in blocking access to it?
Do you want to write routing rules, and keep track of container interfaces, and to grant access manually, for each and every port you expose?
When i have port 8888 not allowed on my firewall then no other program should ‘open’ that port. If i map a port with the syntax ‘8888:8888’ exaclty that happens with docker. Not with podman.
Also this is the default syntax you will find in any guide and docs there is.
To prevent this happening with docker you will have to specify the localhost with ‘127.0.0.1:8888:8888’
When you check the internet for this subject you will notice that this behavior catches a lot of ppl by surpirise.
Technically I do, maybe? My home server is running ProxMox which virtualizes PFSense. My docker install is on a separate VM, but same physical device. Not sure if that counts lol
Podman is solid, just don’t use podman-compose but rather utilize the Systemd integration for container management.
With very few exceptions, it works just as well as Docker these days.
utilize the Systemd integration for container management.
The systemd integration is probably the thing I dislike most about it. 😆 Systemd has no business managing containers IMO, it should manage podman and podman should manage the containers. It’s a completely gratuitous mix of concerns but it seems that podman is set on becoming a systemd subsystem… so I’ll probably never use it.
On a related note, the systemd expansion is getting ridiculous. It’s gotten to the point if you read one day that wayland is being merged into systemd you wouldn’t even know if it’s a joke.
A container is a service, makes perfect sense for me to manage that via Systemd like all other services.
Sure, anything can be a service if you want it to be hard enough. Like the bootloader.
One of the reasons I use containers instead of installing things directly is that i can completely uninstall a service by deleting a single directory (that contains a compose.yml and any necessary volumes) and running a docker/podman system prune -a
or that i can back up everything by backing up a single “containers” dir, which i could have on a subvolume and snapshot if i wanted to
systemd/quadlet on the other hand makes me throw files in /etc (which is where you’re supposed to put them, but ends up resulting in them being tangled together with base system configuration often partially managed by the package manager)
The Solution™ to this is configuration management like ansible or whatnot, which needlessly overcomplicates things for the use cases i need (though they’re still useful for getting a base system “container ready” wrt ssh hardening and such)
tldr: i want my base system to be separated from my services, and systemd integration is the exact wrong tool for this job
It’s not the “official” way to do it, but you can make systemd run Docker Compose (talking to Podman instead of Docker), which is pretty close to what you’re talking about. And then you don’t have to write stinky systemd INI files for each container.
But you don’t need to have systemd run anything (except docker or podman itself). Just run containers with “restart: always” and docker/podman will start them on boot, restart them of they fail, and leave them alone if they’re manually stopped.
You only need to run compose when you are [re]provisioning a container.
Podman is CLI and API compatible with Docker (except where differences in implementation doesn’t allow it)
Running Podman as root is 99.9% the same as running Docker.
I have been running my homelab with Podman for several years and it is absolutely mature enough for a regular user.
Also, the docs are really good.
You technically can bind ports <1024 to unprivileged containers. echo 'net.ipv4.ip_unprivileged_port_start=0' | sudo tee /etc/sysctl.d/50-unprivileged-ports.conf; sudo sysctl --system. Though this will allow any user to bind ports below 1024, so it’s not very clean.
Another workaround is to redirect port 80 to 8080 (or other) through iptables and have your proxy listen on this port. sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080. Same thing for 443.
As far as I know granting the CAP_NET_BIND_SERVICE capability to /usr/bin/podman does not work.
Also podman-compose implementation is still incomplete, and I prefer using systemd units to start and manage containers. Check man podman-generate-systemd
For what it’s worth, I just wrote up a compose.yaml file as I’d write it for Docker Compose and it just worked. See the bottom of my comment on this GitHub issue for an example. I think the team’s intention is for it to transparently support whatever you’d write for a standard Compose file but of course we don’t have things like the brand new Docker watch. They do point to the Compose spec in the Podman Compose README. Bind mounts are good enough for me, thus far.
I only tried running rootless when i set them up several years ago and i was completely green, so it was probably me who was the problem.
Regarding podman-compose, Fedora repos has a a package that aliases podman -> docker and the regular docker-compose package, which i used before migrating to podman+systemd. It worked flawlessly unless i did networking shenanigans because Podman and Docker differs (/differed?) in so some thing simply couldn’t be brought over.
Edit: i found the docker-compose and Podman alias thingies in a Fedora Magazine post.
However, unless you use docker-compose a lot for other stuff, learning to use Podmans systemd integration (also called quadlet) is very much worth it. They’re just a really powerful combo and systemd has a ton of nice features for making stuff run and keep running.
Docker ever felt mature to you?
I mean, it was good enough for podman to copy its API and interface verbatim…
I’ve been using podman instead of Docker for a couple years now. I’m not a heavy user, but it doesn’t ever break for me and I appreciate the pods and ease of turning pod config into a kubernetes deployment.
