I am moving from docker to podman and selinux because I thought that podman is more secure and hence the future. I thought the transition would be somewhat seamless. I even prepared containers, but once I migrated I still ran into issues.

minor issue: it’s podman-compose instead of podman compose. The hyphen feels like a step back because we moved from docker-compose to docker compose. But that’s not a real issue.

podman does not autostart containers after boot. You have to manually start them, or write a start script. Or create a systemd unit for each of them.

Spinning up fresh services works most of the time, but using old services that worked great with docker is a pain. I am wasting minute after minute because I struggle with permissions and other weird issues.

podman can’t use low-numbered ports, so you have to map the ports outside of the machine and forward them properly.

Documentation and tutorials are “all” for docker. GitHub issues are “all” for docker. There isn’t a lot of information floating around.

I’m still not done and I really wonder why I should move forward and not go back to docker. Painful experience so far. https://linuxhandbook.com/docker-vs-podman/ and the following pages helped me a lot to get rid of my frustration with podman.

  • GunnarGrop@lemmy.ml · 13 upvotes · 7 months ago

    Writing systemd services for your containers is something you’ll have to get used to with podman, pretty much. It’s actually very easy with the built-in command “podman generate systemd”, so you can just do something like "podman generate systemd --name my-container > /etc/systemd/system". I much prefer managing my containers with systemd over the docker daemon. It’s nice!

    Also, podman can use privileged ports as root, right?

  • hperrin@lemmy.world · 10 upvotes · 7 months ago

    Regarding the low port number thing, that’s just a consequence of not running as root. By default, regular users can’t listen on ports below 1000.

  • starryoccultist@lemmy.sdf.org · 8 upvotes · 7 months ago

    minor issue: it’s podman-compose instead of podman compose. The hyphen feels like a step back because we moved from docker-compose to docker compose. But that’s not a real issue.

    podman does not autostart containers after boot. You have to manually start them, or write a start script. Or create a systemd unit for each of them.

    I’m also currently migrating all of my self-hosted services from docker to podman. Look into using Quadlet and systemd rather than podman-compose: https://www.redhat.com/sysadmin/quadlet-podman

    Your Quadlet .container files will end up looking very similar to your docker compose files. Podman will automatically generate a systemd service unit for you if you drop the .container file in your user systemd unit directory ($HOME/.config/containers/systemd/) and run systemctl --user daemon-reload. Then starting the container on boot is as simple as systemctl --user enable --now containername.service.

    This will not solve your rootful vs. rootless issues, as others have pointed out, but Quadlet/systemd is a nice replacement for the service/container management layer instead of docker-compose/podman-compose.
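The Quadlet workflow described in this comment, as an added example (not code from the thread or from the Podman project): a small POSIX shell script that renders a rootless `.container` unit and drops it into `$HOME/.config/containers/systemd/`. The service name, image, ports and volume path in the usage line are constructed placeholders, and `QUADLET_DIR` is a variable introduced here so the target directory can be overridden.

```shell
#!/bin/sh
# Added example, not from the thread or the Podman project: render a Quadlet
# .container unit for a rootless service and drop it where systemd --user
# finds it. Service name, image, ports and volume path are placeholders.

# make_quadlet NAME IMAGE HOST_PORT CONTAINER_PORT [HOST_DIR:CONTAINER_DIR]
# Prints the unit on stdout. WantedBy=default.target in [Install] is what the
# Quadlet generator uses to wire the unit in at boot (a lingering user session,
# via loginctl enable-linger, is still needed for rootless units to start at boot).
make_quadlet() {
    name=$1; image=$2; host_port=$3; ctr_port=$4; volume=${5:-}
    printf '[Unit]\nDescription=%s (rootless container)\nAfter=network-online.target\n\n' "$name"
    printf '[Container]\nImage=%s\nContainerName=%s\nPublishPort=%s:%s\n' \
        "$image" "$name" "$host_port" "$ctr_port"
    # AutoUpdate=registry lets 'podman auto-update' replace the container when
    # the image tag moves, which is the auto-update mentioned in the reply below.
    printf 'AutoUpdate=registry\n'
    if [ -n "$volume" ]; then
        # :Z relabels the host directory for SELinux so the container can use it
        printf 'Volume=%s:Z\n' "$volume"
    fi
    printf '\n[Service]\nRestart=always\n\n[Install]\nWantedBy=default.target\n'
}

# install_quadlet NAME IMAGE HOST_PORT CONTAINER_PORT [VOLUME]
# Writes NAME.container into the rootless Quadlet directory (override with
# QUADLET_DIR, a variable introduced by this example) and prints what to run next.
install_quadlet() {
    dir=${QUADLET_DIR:-${XDG_CONFIG_HOME:-$HOME/.config}/containers/systemd}
    mkdir -p "$dir"
    make_quadlet "$@" > "$dir/$1.container"
    printf 'wrote %s\n' "$dir/$1.container"
    printf 'next: systemctl --user daemon-reload && systemctl --user start %s.service\n' "$1"
}

# Usage (placeholder values):
#   sh quadlet.sh web docker.io/library/nginx:alpine 8080 80 /srv/web:/usr/share/nginx/html
if [ "$#" -ge 4 ]; then
    install_quadlet "$@"
fi
```

Because the unit is generated, there is no separate `systemctl --user enable` step: the `[Install]` section is honoured by the generator at `daemon-reload`, and `systemctl --user start` runs the container immediately.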

    • tau@lemmings.world · 3 upvotes · 7 months ago

      +1 for quadlet. It’s another file format to learn, but it’s worth it, particularly if you want your containers to auto-update. Also check out podlet to help mitigate some of the compose to .container issues.

  • chameleon@kbin.social · 6 upvotes · 7 months ago

    For the port thing, you can set the net.ipv4.ip_unprivileged_port_start sysctl to a lower value like 80 (may need to go lower if you also do email). It also applies to IPv6.

    The default of 1024 is for security, but the actual security granted by it is not really that relevant nowadays. It stems from a time where ports < 1024 were used by machines to trust other machines using stuff like rsh & telnet, and before we considered man-in-the-middle attacks to be practical and relevant. Around the start of this millennium, we learned better. Nowadays we use SSH and everything is encrypted & authenticated.

    The only particularly relevant risk is that if you lower it enough to also include SSH’s default port 22, some rogue process at startup might make a fake SSH server. That would come along with the scary version of the “host key changed” banner so the risk is not that high. Not very relevant if you’re following proper SSH security practices.
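The sysctl adjustment from this comment, as an added example (not code from the thread): POSIX shell helpers that work out the lowest `net.ipv4.ip_unprivileged_port_start` value a set of published ports needs, refuse a value that would also open port 22 (the one case the comment flags), and print a `/etc/sysctl.d/` drop-in. The port list in the usage line and the drop-in file name are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: helpers for deciding how far to lower
# net.ipv4.ip_unprivileged_port_start for rootless containers.

# port_is_unprivileged PORT START: succeeds when PORT can be bound without
# root given that the sysctl is set to START (the kernel default is 1024).
port_is_unprivileged() {
    [ "$1" -ge "$2" ]
}

# lowest_port PORT...: prints the smallest port in the list; the sysctl must
# be at or below this for rootless containers to publish all of them.
lowest_port() {
    low=65536
    for p in "$@"; do
        if [ "$p" -lt "$low" ]; then low=$p; fi
    done
    printf '%s\n' "$low"
}

# check_start START: returns 1 and explains on stderr when START would also
# let unprivileged processes bind port 22 (a rogue process could then pose as
# the SSH server at boot, as the comment notes); returns 0 otherwise.
check_start() {
    if [ "$1" -le 22 ]; then
        printf 'start %s would let unprivileged processes bind port 22 (SSH)\n' "$1" >&2
        return 1
    fi
    return 0
}

# sysctl_dropin START: prints a drop-in for /etc/sysctl.d/; the same value
# also governs IPv6 bindings, as the comment says.
sysctl_dropin() {
    printf '# rootless containers may publish ports >= %s\nnet.ipv4.ip_unprivileged_port_start = %s\n' "$1" "$1"
}

# current_start: prints the live value, or the kernel default when /proc is absent.
current_start() {
    if [ -r /proc/sys/net/ipv4/ip_unprivileged_port_start ]; then
        cat /proc/sys/net/ipv4/ip_unprivileged_port_start
    else
        echo 1024
    fi
}

# Usage (placeholder ports): sh ports.sh 80 443 8080
if [ "$#" -gt 0 ]; then
    start=$(lowest_port "$@")
    check_start "$start" || exit 1
    printf 'current start: %s, needed: %s\n' "$(current_start)" "$start"
    printf 'write this to /etc/sysctl.d/90-unprivileged-ports.conf and run sysctl --system:\n'
    sysctl_dropin "$start"
fi
```

The drop-in survives reboots, whereas `sysctl -w` alone does not; `sysctl --system` applies it without a reboot.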

  • johanbcn@iusearchlinux.fyi · 5 upvotes · 7 months ago

    podman does not autostart containers after boot. You have to manually start them, or write a start script. Or create a systemd unit for each of them.

    I have not yet tried podman, but I know that podman-compose used to have an option to generate systemd units for your pods: https://docs.podman.io/en/latest/markdown/podman-generate-systemd.1.html

    Still, that option has been deprecated in favour of Podman Quadlet https://docs.podman.io/en/latest/markdown/podman-systemd.unit.5.html

  • Helix 🧬@feddit.de · 5 upvotes · 7 months ago

    it’s podman-compose instead of podman compose

    Don’t use it, it’s not a full replacement. The script is barely maintained and not really “official”.

    I think before switching from Docker to Podman you should first get proficient in Docker, because Podman is not for beginners (yet).

  • nickwitha_k (he/him)@lemmy.sdf.org · 3 upvotes · 7 months ago

    For the low-port issue, maybe try something like how K8S tends to handle it:

    • One container that is either rootful or allowed to use low ports. Run a reverse proxy like HAProxy or Envoy in this.
    • All other containers for services, run on high ports, pointing to them in the reverse proxy container’s config.
    • Don’t use bare http, unless required. Getting valid TLS certs is dead easy and free with Let’s Encrypt.

  • rsolva@lemmy.world · 3 upvotes · 7 months ago

    Podman is great, but a lot of confusion arises from the rapid development over the last ~year and the fact that different distros have relatively old versions in their repos.

    I recommend using the latest Fedora Server and defining your containers as quadlets. Also, on Fedora, you can install Cockpit (and cockpit-podman) and get a decent web GUI to manage your host and containers.

    I should just write a blog post about this instead of typing this up on my phone in bed 😆

  • Molecular0079@lemmy.world · 3 upvotes · 7 months ago (edited)

    Your issues stem from going rootless. Podman Compose creates rootless containers and that may or may not be what you want. A lot more configuration needs to be done to get rootless containers working well for persistent services that use low ports, like enabling linger for specific users or enabling low ports for non-root users.

    If you want the traditional Docker experience (which is rootful) and figure out the migration towards rootless later, I’d recommend the following:

    1. Install podman-docker. This provides a seamless Docker compatibility layer for podman, allowing you to even use regular docker commands that get translated behind the scenes into Podman.
    2. Install regular docker-compose. This will work via podman-docker and gives you the native docker compose experience.
    3. Enable podman.socket and podman-restart.service. First one socket-activates the central Podman daemon, second one restarts any podman containers with a restart-policy of always on boot.
    4. Run your docker-compose commands using sudo, so sudo docker-compose up -d etc. You can run this with sudo podman compose as well if you’re allergic to hyphenation. Podman allows both rootful and rootless containers and the way you choose is by running the commands with sudo or not.

    This gets you to a very Docker-like experience and is what I am currently using to host my services. I do plan on getting familiar with rootless and systemd services and Kubernetes files, but I honestly haven’t had the time to figure all that out yet.
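The four rootful steps above, as an added example (not code from the thread or from the Podman project): a POSIX shell script that installs the compatibility packages, enables the two units, writes a minimal compose file and brings it up under sudo. Package names follow Fedora; the compose project directory, service name and image are constructed placeholders, and `DRY_RUN` is a variable introduced here so the commands can be printed instead of executed.

```shell
#!/bin/sh
# Added example, not from the thread: the rootful setup described above as a
# script. Package names follow Fedora (use the equivalent apt packages on
# Debian/Ubuntu). Set DRY_RUN=1 to print the commands instead of running them.

# run CMD...: execute, or only echo when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# rootful_setup: steps 1-3. podman-docker supplies the 'docker' command and
# socket path, podman.socket socket-activates the API that docker-compose talks
# to, and podman-restart.service brings containers whose restart policy is
# 'always' back up after a reboot.
rootful_setup() {
    run sudo dnf install -y podman podman-docker docker-compose
    run sudo systemctl enable --now podman.socket
    run sudo systemctl enable --now podman-restart.service
}

# write_compose DIR: a minimal compose file (placeholder service and image).
# 'restart: always' is what podman-restart.service keys on; a service without
# it stays down after boot even though the unit is enabled.
write_compose() {
    mkdir -p "$1"
    cat > "$1/docker-compose.yml" <<'EOF'
services:
  web:
    image: docker.io/library/nginx:alpine
    ports:
      - "80:80"
    restart: always
EOF
    printf '%s\n' "$1/docker-compose.yml"
}

# compose_up DIR: step 4, compose under sudo so the containers are rootful
# (the same command without sudo would create rootless containers instead).
compose_up() {
    run sudo docker-compose -f "$1/docker-compose.yml" up -d
}

# Usage: sh rootful.sh setup [DIR]   (DRY_RUN=1 sh rootful.sh setup to preview)
if [ "${1:-}" = setup ]; then
    rootful_setup
    dir=${2:-$HOME/compose/web}
    write_compose "$dir" > /dev/null
    compose_up "$dir"
fi
```

Running the preview first with `DRY_RUN=1` is a cheap way to see exactly which privileged commands the script would issue before giving it sudo.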

  • MajinBlayze [any, he/him]@hexbear.net · 2 upvotes, 1 downvote · 7 months ago (edited)

    Yeah, podman’s networking approach sent me back to docker as well. I have a bunch of services that don’t even expose their ports to the local network, they just connect to each other, and only the reverse proxy is exposed. Switching to podman would require me to reconfigure all my port mappings to make sure there aren’t any conflicts, and then update all the references. It’s not a ton of work, but enough to keep me on docker for the time being.

    edit: It looks like podman’s networking stack has changed since I used it, so this is almost certainly wrong now

  • Possibly linux@lemmy.zip · 1 upvote · 7 months ago

    Podman isn’t a replacement for docker. It’s very similar syntax-wise, but it’s not a replacement.

    The only thing I use podman for is Jellyfin and distrobox

  • RandoCalrandian@kbin.social · 1 upvote · 7 months ago

    I know this isn’t the answer you want, but consider switching away from compose entirely.
    A local Kubernetes instance handles all the routing for me, and since I was using that anyway, podman was legitimately a drop-in replacement for docker.

    Podman is just the tool that creates the container for me, running it gets handled by something else entirely.

    Also, I can run podman compose up just fine, no hyphen needed. https://docs.podman.io/en/latest/markdown/podman-compose.1.html

    • GravitySpoiled@lemmy.ml (OP) · 1 upvote · 7 months ago

      thx! maybe I’ll switch to it in a year or so. For now, I’m good with learning new containerization technology.

  • llii@feddit.de · 1 upvote · 7 months ago

    podman does not autostart containers after boot.

    Does docker do this? I wrote a systemd unit for my docker container because I thought there was no way for docker to autostart containers?