I am moving from docker to podman and selinux because I thought that podman is more secure and hence, the future. I thought the transition will be somewhat seamless. I even prepaired containers but once I migrated I still ran into issues.
minor issue: it’s podman-compose instead of podman compose. The hyphen feels like a step back because we moved from docker-compose to docker compose. But thT’s not a real issue.
podman does not autostart containers after boot. You have to manually start them, or write a start script. Or create a systemd unit for each of them.
Spinning up fresh services works most of the time but using old services that worked great with docker are a pain. I am wasting minutes after minutes because I struggle with permissions and other weird issues.
podman can’t use lower number ports such that you have to map the ports outside of the machine and forward them properly.
Documentation and tutorials are “all” for docker. Github issues are “all” for docker. There isn’t a lot of information floating around.
I’m still not done and I really wonder why I should move forward and not go back to docker. Painful experience so far.
podman does not autostart containers after boot. You have to manually start them, or write a start script. Or create a systemd unit for each of them.
FWIW, I’m on Bluefin-dx (one of uBlue[1]'s images) and I’ve noticed that my containers autostart at boot since I’ve rebased from Silverblue to Bluefin-dx. Mind you; I’m not necessarily advocating for you to make the switch to Bluefin-dx, but it’s at least worth finding out how they’ve been able to achieve that and perhaps implement their ways for your own benefit.
- Which are mostly Fedora Atomic images with some QoL and thus SELinux, Podman (etc.) are just baked in as you would expect.
I am on Silverblue, run on boot is easy if you run containers via systemd, if service is enabled it auto-starts on boot, if disabled, than you start it manually.
run on boot is easy if you run containers via systemd, if service is enabled it auto-starts on boot
TIL, thank you for that insight!
if disabled, than you start it manually.
That’s the peculiar part; some of the containers I’ve had since I was on Silverblue, but back then they never autostarted on boot. Just (relatively) recently, since the rebase to Bluefin-dx, have I experienced that all of the containers -so even the ones that existed prior- autostart on boot.
Could be podman-restart maybe…
systemctl --user enable podman-restart.service
Or linger to force containers run even if you switch to other user or lock out
loginctl enable-linger
We use quadlets to manage those containers: https://docs.podman.io/en/latest/markdown/podman-systemd.unit.5.html
As others in the thread have pointed out just having systemd manage them is the way to go, it’s a nice combo!
Thank you Jorge for chiming in!
For the port thing, you can set the
net.ipv4.ip_unprivileged_port_start
sysctl to a lower value like 80 (may need to go lower if you also do email). It also applies to IPv6.The default of 1024 is for security, but the actual security granted by it is not really that relevant nowadays. It stems from a time where ports < 1024 were used by machines to trust other machines using stuff like rsh & telnet, and before we considered man-in-the-middle attacks to be practical and relevant. Around the start of this millennium, we learned better. Nowadays we use SSH and everything is encrypted & authenticated.
The only particularly relevant risk is that if you lower it enough to also include SSH’s default port 22, some rogue process at startup might make a fake SSH server. That would come along with the scary version of the “host key changed” banner so the risk is not that high. Not very relevant if you’re following proper SSH security practices.
Podman isn’t a replacement for docker. Its very similar syntax wise but its not a replacement.
The only thing I use podman for is Jellyfin and distrobox
Have you tried it with podman-docker? I’ve basically switched my entire self-hosting stack onto podman without much issue using that compatibility layer.
For the low-port issue, maybe try something like how K8S tends to handle it:
- One container that is either rootful or allowed to use low ports. Run a reverse proxy like HAProxy or Envoy in this.
- All other containers for services, run on high ports, pointing to them in the reverse proxy container’s config.
- Don’t use bare http, unless required. Getting valid TLS certs is dead easy and free with LetsEncrypt.
Why do you believe podman is more secure than root-less Docker? Please educate me.
I run root-ful and root-less Docker daemons at the same time on the same machine because there are limitations to what you can do without as root privileges. So where possible, containers run in root-less Docker and the lucky few that require root privileges run in root-ful Docker.
I can’t
Podman is great, but a lot of confusion arise from the rapid development the last ~year and the fact that different distros have relatively old versions in their repos.
I recommend using the latest Fedora Server and defining your containers as quadlets. Also, on Fedora, yoi can install Cockpit (and cockpit-podman) and get a decent webgui to manage your host and container.
I should just write a blog post about this instead of typing this up on my phone in bed 😆
Yes please!!!
podman does not autostart containers after boot.
Does docker do this? I wrote a systemd unit for my docker container because I thought that there is no way for docker to autostart containers?
Not sure about straight docker run commands, but if you’re using docker compose you can add
restart: unless-stopped
oralways
to your docker-compose.yml to have it come up on boot.It does. You probably did not enable
docker.service
to start on boot.
You must have been expecting philadelphia
minor issue: it’s podman-compose instead of podman compose. The hyphen feels like a step back because we moved from docker-compose to docker compose. But thT’s not a real issue.
podman does not autostart containers after boot. You have to manually start them, or write a start script. Or create a systemd unit for each of them.
I’m also currently migrating all of my self-hosted services from docker to podman. Look into using Quadlet and systemd rather than podman-compose: https://www.redhat.com/sysadmin/quadlet-podman
Your Quadlet
.container
files will end up looking very similar to your docker compose files. Podman will automatically generate a systemd service unit for you if you drop the.container
file in your user systemd unit directory ($HOME/.config/containers/systemd/) and runsystemctl --user daemon-reload
. Then starting the container on boot is as simple assystemctl --user enable --now containername.service
.This will not solve your rootful vs. rootless issues, as others have pointed out, but Quadlet/systemd is nice replacement for the service/container management layer instead of docker-compose/podman-compose
+1 for quadlet. It’s another file format to learn, but it’s worth it, particularly if you want your containers to auto-update. Also check out podlet to help mitigate some of the compose to .container issues.
I know this isn’t the answer you want, but consider switching away from
compose
entirely
A local kubernetes instance handles all the routing for me, and since i was using that anyway podman was legitimately a drop in replacement for docker.Podman is just the tool that creates the container for me, running it gets handled by something else entirely.
Also, i can run
podman compose up
just fine, no hyphen needed. https://docs.podman.io/en/latest/markdown/podman-compose.1.htmlWriting systemd services for your containers is something yoully have to get used to with podman, pretty much. It’s actually very easy with the built in command “podman generate systemd”, so you can just do something like " podman generate systemd --name my-container > /etc/systemd/system". I much prefer managing my containers with systemd over the docker daemon. It’s nice!
Also, podman can use privileged ports as root, right?
You can make actual
docker compose
use podman by running a user podman docker socket and setting that as an environment variable (export DOCKER_HOST=unix:///run/user/$UID/podman/podman.sock)https://brandonrozek.com/blog/rootless-docker-compose-podman/
Podman is not hard. Read about :z for volumes/binds and maybe use podlet (https://github.com/podium-lib/podlet) for easier systemd services generation.
I think you meant to post https://github.com/k9withabone/podlet
Sure. Idk how that happened, copy url without looking at search results lol.
Podman compose isn’t really usable for me
Regarding the low port number thing, that’s just a consequence of not running as root. By default, regular users can’t listen on ports below 1000.
1024
You are correct. I’m as bad as hard drive manufacturers.
Well hard drive manufacturers are actually correct. A gigabyte (GB) is in base 10 and thus 1000 megabytes, not 1024. Gibibytes (GiB) are base 2 (hence “bi”) and thus 1024 mebibytes.
I know it’s technically correct but it still hurts a little inside to admit it each time.
I know the reason is because giga is an SI prefix but all the way through my education, 1 GB was taught to be 1024 MB, so I always want to use this instead of what is correct.
To be fair, the tech industry has been naughty with things like this. I know of two. I wonder how many others there are?
I believe that:
-
The style of characters a user can choose is called a typeface. I think every piece of software calls it a font. I remember hearing it came from Apple/Steve Jobs.
-
I believe the use of setup is incorrect. Setup is a noun, so it refers to an existing configuration. It tends to be used when running an OS or program for the first time though, which I believe set up is the correct term. Set up is an adjective and refers to the act of creating the configuration.
I’ve wondered if these were done due to screen space constraints or aesthetics.
-