• iluminae@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    A year or two ago (whenever docker changed the business license of docker for Mac) I changed to podman and aliased docker=podman. It behaves the same, you would just about never know rootful podman vs docker.

    Rootless podman is super cool and a much better security ideal - but comparing more apples to apples would be podman running as root vs docker.

  • azdle@news.idlestate.org
    link
    fedilink
    English
    arrow-up
    10
    arrow-down
    1
    ·
    1 year ago

    If your distro offers it, rootless podman + podman system service is the best setup, IMO. That will give you a docker command that is 1-to-1 compatible with docker and lets you use tools like docker-compose that expect a docker service socket. Then you can just follow tutorials that only explain things for docker.

    • lemmyvore@feddit.nl
      link
      fedilink
      English
      arrow-up
      0
      arrow-down
      7
      ·
      1 year ago

      What is rootless bring brought up so much? It’s a container, it’s isolated from the host anyway, what does it matter what user runs inside? And if something breaks into the container they can trash the app in it and the shared volumes anyway, even if they’re not root.

      • florian@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        ·
        1 year ago

        It depends on the use case. The most common security issue I have seen with docker is on Linux desktop systems: docker deamon runs as root and user wants to use it to test all kinds of containers. So they make the docker socket accessible to the user, to lazy to use “sudo docker” every time… Having access to the docker socket means having the same permissions as the one running the daemon: root . Your browser effectively now has root permissions. At this point you could just login as root to your desktop.

      • azdle@news.idlestate.org
        link
        fedilink
        English
        arrow-up
        4
        arrow-down
        1
        ·
        edit-2
        1 year ago

        Defense in depth. If something escapes the container it’s limited to only what’s under that user and not the whole system. Having access to the whole system makes it easier for malware to hide/persist itself.

        • lemmyvore@feddit.nl
          link
          fedilink
          English
          arrow-up
          0
          ·
          1 year ago

          Correct me if I’m wrong but containerization is enforced by the kernel, correct? If something escapes you’re pretty much screwed anyway.

          • Sethayy@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            Way too dependent on the setup, a container with absolutely no outside access theoretically just has the kernel, but usually we want to communicate with our docker images not just run them

          • Atemu@lemmy.ml
            link
            fedilink
            English
            arrow-up
            5
            ·
            1 year ago

            There are many layers involved in preventing escapes from containers.

      • MartianSands@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        Because a container is only as isolated from the host as you want it to be.

        Suppose you run a container and mount the entire filesystem into it. If that container is running as root, it can then read and write anything it likes (including password databases and /etc/sudo)

        • lemmyvore@feddit.nl
          link
          fedilink
          English
          arrow-up
          1
          arrow-down
          3
          ·
          1 year ago

          So what? If I mount / in the container and choose to run it as root that’s my business. Why would the containerization engine second-guess what I’m doing?

          How would you like it if sudo told you “I can’t let you be root, you could read and write anything you like, including password databases and /etc/sudo”?

          • IAm_A_Complete_Idiot@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            3
            ·
            edit-2
            1 year ago

            The point is to minimize privilege to the least possible - not to make it impossible to create higher privileged containers. If a container doesn’t need to get direct raw hardware access, manage low ports on the host network, etc. then why should I give it root and let it be able to do those things? Mapping it to a user, controlling what resources it has access to, and restricting it’s capabilities means that in the event that my container gets compromised, my entire host isn’t necessarily screwed.

            We’re not saying “sudo shouldn’t be able to run as root” but that “by default things shouldn’t be run with sudo - and you need a compelling reason to swap over when you do”

      • worldofgeese@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        edit-2
        1 year ago

        There’s real usability benefits too. I’ve collected some anecdotes from Reddit:

        Rootless podman is my first choice for using containers now, it works fantastically well in my experience. It’s so much nicer to have all my container related stuff like volumes, configs, the control socket, etc. in my home directory and standard user paths vs. scattered all over the system. Permission issues with bind mounts just totally disappear when you go rootless. It’s so much easier and better than the root privileged daemon.

        and,

        If you are on Linux, there is the fantastic podman option “–userns keep-id” which will make sure the uid inside+the container is the same as your current user uid.+

        and,

        Yeah in my experience with rootless you don’t need to worry about UID shenanigans anymore. Containers can do stuff as root (from their perspective at least) all they want but any files you bind mount into the container are still just owned/modified by your user account on the host system (not a root user bleeding through from the container).

        finally,

        The permissions (rwx) don’t change, but the uid/gid is mapped. E.g. uid 0 is the running user outside the container, by uid 1 will be mapped to 100000 (configurable), and say 5000 inside the container is mapped to 105000. I don’t remember the exact mapping but it works roughly like that.

  • Yoddel_Hickory@lemmy.ca
    link
    fedilink
    English
    arrow-up
    7
    ·
    1 year ago

    Podman, rootless containers work well, and there is no central process running everything. I like that starting containers on boot is integrated with systemd.

          • worldofgeese@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            ·
            edit-2
            1 year ago

            Check my comment history for an example of a simple bind mount compose.yaml I use for developing a small Python project. It’s exactly the same as Docker Compose (since Podman Compose follows the Compose spec) but if you’re just getting started, it might be a good skeleton to build on.

      • MartianSands@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        Podman supports docker compose just fine. You have to run it as a service, so that it can expose a socket like docker does, but it supports doing exactly that

  • Max-P@lemmy.max-p.me
    link
    fedilink
    English
    arrow-up
    3
    arrow-down
    2
    ·
    1 year ago

    I’d go Docker for the maturity. Podman is nice but I’ve definitely had some issues, and Buildah lacks any sort of caching and does unnecessary intermediate copies of the layers when pushing to a repository that really slows things down on larger apps/images.

  • lemmyvore@feddit.nl
    link
    fedilink
    English
    arrow-up
    18
    arrow-down
    2
    ·
    1 year ago

    Docker. It’s been around longer, it’s more polished, easier to learn, simpler to use, supported everywhere and by everything, easy to find solutions when you search for help, doesn’t depend on systemd, compatible with every container image out there, and you can do things with it even if it’s not the “correct” way to do it while podman will tell you “no, you can’t do that”.