it's not always sunny with podman

starryoccultist, 4 months ago

minor issue: it’s podman-compose instead of podman compose. The hyphen feels like a step back because we moved from docker-compose to docker compose. But thT’s not a real issue.

podman does not autostart containers after boot. You have to manually start them, or write a start script. Or create a systemd unit for each of them.

I’m also currently migrating all of my self-hosted services from docker to podman. Look into using Quadlet and systemd rather than podman-compose: www.redhat.com/sysadmin/quadlet-podman

Your Quadlet .container files will end up looking very similar to your docker compose files. Podman will automatically generate a systemd service unit for you if you drop the .container file in your user systemd unit directory ($HOME/.config/containers/systemd/) and run systemctl --user daemon-reload. Then starting the container on boot is as simple as systemctl --user enable --now containername.service.

This will not solve your rootful vs. rootless issues, as others have pointed out, but Quadlet/systemd is nice replacement for the service/container management layer instead of docker-compose/podman-compose

tau, 4 months ago

+1 for quadlet. It’s another file format to learn, but it’s worth it, particularly if you want your containers to auto-update. Also check out podlet to help mitigate some of the compose to .container issues.

llii, 4 months ago

podman does not autostart containers after boot.

Does docker do this? I wrote a systemd unit for my docker container because I thought that there is no way for docker to autostart containers?

Molecular0079, 4 months ago

It does. You probably did not enable docker.service to start on boot.

llii, 4 months ago

Ok, i need to check this later. Thanks!

ikidd, 4 months ago

Not sure about straight docker run commands, but if you’re using docker compose you can add restart: unless-stopped or always to your docker-compose.yml to have it come up on boot.

mvirts, 4 months ago

You must have been expecting philadelphia

GunnarGrop, 4 months ago

Writing systemd services for your containers is something yoully have to get used to with podman, pretty much. It’s actually very easy with the built in command “podman generate systemd”, so you can just do something like " podman generate systemd --name my-container > /etc/systemd/system". I much prefer managing my containers with systemd over the docker daemon. It’s nice!

Also, podman can use privileged ports as root, right?

rsolva, 4 months ago

Podman is great, but a lot of confusion arise from the rapid development the last ~year and the fact that different distros have relatively old versions in their repos.

I recommend using the latest Fedora Server and defining your containers as quadlets. Also, on Fedora, yoi can install Cockpit (and cockpit-podman) and get a decent webgui to manage your host and container.

I should just write a blog post about this instead of typing this up on my phone in bed 😆

sunbeam60, 4 months ago

Yes please!!!

lemmyingly, 4 months ago

Why do you believe podman is more secure than root-less Docker? Please educate me.

I run root-ful and root-less Docker daemons at the same time on the same machine because there are limitations to what you can do without as root privileges. So where possible, containers run in root-less Docker and the lucky few that require root privileges run in root-ful Docker.

GravitySpoiled, 4 months ago

I can’t

nickwitha_k, 4 months ago

For the low-port issue, maybe try something like how K8S tends to handle it:

• One container that is either rootful or allowed to use low ports. Run a reverse proxy like HAProxy or Envoy in this.
• All other containers for services, run on high ports, pointing to them in the reverse proxy container’s config.
• Don’t use bare http, unless required. Getting valid TLS certs is dead easy and free with LetsEncrypt.