81
Is it time to switch to podman?
(lemmy.ml)
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 26 Oct 2023
81 points (94.5% liked)
Selfhosted
39212 readers
594 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 1 year ago
MODERATORS
Podman is CLI and API compatible with Docker (except where differences in implementation doesn't allow it)
Running Podman as root is 99.9% the same as running Docker.
I have been running my homelab with Podman for several years and it is absolutely mature enough for a regular user.
Also, the docs are really good.
I've been running rootless Podman (with the exception of my reverse proxy, because privileged ports) without any issues, though my one challenge has actually been documentation - specifically for podman-compose, which seems to be a complete void.
You technically can bind ports <1024 to unprivileged containers.
echo 'net.ipv4.ip_unprivileged_port_start=0' | sudo tee /etc/sysctl.d/50-unprivileged-ports.conf; sudo sysctl --system. Though this will allow any user to bind ports below 1024, so it's not very clean.Another workaround is to redirect port 80 to 8080 (or other) through iptables and have your proxy listen on this port.
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080. Same thing for 443.As far as I know granting the
CAP_NET_BIND_SERVICEcapability to/usr/bin/podmandoes not work.Also podman-compose implementation is still incomplete, and I prefer using systemd units to start and manage containers. Check
man podman-generate-systemdYou shouldn't need root to bind to privileged ports. I use k8s but I assume you can set sys capabilities for containers in a similar way I do for pods.
For what it's worth, I just wrote up a
compose.yamlfile as I'd write it for Docker Compose and it just worked. See the bottom of my comment on this GitHub issue for an example. I think the team's intention is for it to transparently support whatever you'd write for a standard Compose file but of course we don't have things like the brand new Dockerwatch. They do point to the Compose spec in the Podman Compose README. Bind mounts are good enough for me, thus far.I only tried running rootless when i set them up several years ago and i was completely green, so it was probably me who was the problem.
Regarding podman-compose, Fedora repos has a a package that aliases podman -> docker and the regular docker-compose package, which i used before migrating to podman+systemd. It worked flawlessly unless i did networking shenanigans because Podman and Docker differs (/differed?) in so some thing simply couldn't be brought over.
Edit: i found the docker-compose and Podman alias thingies in a Fedora Magazine post.
However, unless you use docker-compose a lot for other stuff, learning to use Podmans systemd integration (also called quadlet) is very much worth it. They're just a really powerful combo and systemd has a ton of nice features for making stuff run and keep running.