I use nftables to set my firewall rules. I typically manually configure the rules myself. Recently, I just happened to dump the ruleset, and, much to my surprise, my config was gone, and it was replaced with an enourmous amount of extremely cryptic firewall rules. After a quick examination of the rules, I found that it was Docker that had modified them. And after some brief research, I found a number of open issues, just like this one, of people complaining about this behaviour. I think it’s an enourmous security risk to have Docker silently do this by default.
I have heard that Podman doesn’t suffer from this issue, as it is daemonless. If that is true, I will certainly be switching from Docker to Podman.
If you use firewalld, both docker and podman apply rules in a special zone separate from your main one.
That being said, podman is great. Podman in rootful mode, along with podman-docker and docker-compose, is basically a drop-in replacement for Docker.
I’m a podman user, but what’s the point of using podman if you are going to use a daemon and run it as root? I like podman so I can specifically avoid those things.
I am using it as a migration tool tbh. I am trying to get to rootless, but some of the stuff I host just don’t work well in rootless yet, so I use rootful for those containers. Meanwhile, I am using rootless for dev purposes or when testing out new services that I am unsure about.
Podman also has good integration into Cockpit, which is nice for monitoring purposes.
Is it? Last time I tried none of my docker compose files would start correctly in podman compose.
podman-compose is different from docker-compose. It runs your containers in rootless mode. This may break certain containers if configured incorrectly. This is why I suggested podman-docker, which allows podman to emulate docker, and the native docker-compose tool. Then you use
sudo docker-compose
to run your compose files in rootful mode.How is Podman rootful better than Docker? I was mostly attracted by the rootless path, but the breakage deterred me. Would you be so kind to tell me ?
It isn’t that much better. I use it as drop-in docker replacement. It’s better integrated with things like cockpit though and the idea is that it’s easier to eventually migrate to rootless if you’re already in the podman ecosystem.
Ok that sounds intetesting, I’ve found Cockpit easier to use than Proxmox, I’m new to virtualization and I don’t want do nesting… I fear it will complicate things when I’ll need to do GPU passthrough.
How is Podman integrated into Cockpit?
Also, I had so much trouble trying to bridge my Home Assistant VM to my LAN. Are there any tutorials on how to do this from Cockpit?
deleted by creator