I use nftables to set my firewall rules. I typically manually configure the rules myself. Recently, I just happened to dump the ruleset, and, much to my surprise, my config was gone, and it was replaced with an enourmous amount of extremely cryptic firewall rules. After a quick examination of the rules, I found that it was Docker that had modified them. And after some brief research, I found a number of open issues, just like this one, of people complaining about this behaviour. I think it’s an enourmous security risk to have Docker silently do this by default.

I have heard that Podman doesn’t suffer from this issue, as it is daemonless. If that is true, I will certainly be switching from Docker to Podman.

  • Molecular0079@lemmy.world
    link
    fedilink
    English
    arrow-up
    5
    ·
    8 months ago

    If you use firewalld, both docker and podman apply rules in a special zone separate from your main one.

    That being said, podman is great. Podman in rootful mode, along with podman-docker and docker-compose, is basically a drop-in replacement for Docker.

    • Dandroid@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      1
      ·
      8 months ago

      I’m a podman user, but what’s the point of using podman if you are going to use a daemon and run it as root? I like podman so I can specifically avoid those things.

      • Molecular0079@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        8 months ago

        I am using it as a migration tool tbh. I am trying to get to rootless, but some of the stuff I host just don’t work well in rootless yet, so I use rootful for those containers. Meanwhile, I am using rootless for dev purposes or when testing out new services that I am unsure about.

        Podman also has good integration into Cockpit, which is nice for monitoring purposes.

    • Link@rentadrunk.org
      link
      fedilink
      English
      arrow-up
      0
      ·
      8 months ago

      Is it? Last time I tried none of my docker compose files would start correctly in podman compose.

      • Molecular0079@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        8 months ago

        podman-compose is different from docker-compose. It runs your containers in rootless mode. This may break certain containers if configured incorrectly. This is why I suggested podman-docker, which allows podman to emulate docker, and the native docker-compose tool. Then you use sudo docker-compose to run your compose files in rootful mode.

        • warmaster@lemmy.world
          link
          fedilink
          English
          arrow-up
          0
          ·
          8 months ago

          How is Podman rootful better than Docker? I was mostly attracted by the rootless path, but the breakage deterred me. Would you be so kind to tell me ?

          • Molecular0079@lemmy.world
            link
            fedilink
            English
            arrow-up
            0
            ·
            8 months ago

            It isn’t that much better. I use it as drop-in docker replacement. It’s better integrated with things like cockpit though and the idea is that it’s easier to eventually migrate to rootless if you’re already in the podman ecosystem.

            • warmaster@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              ·
              8 months ago

              Ok that sounds intetesting, I’ve found Cockpit easier to use than Proxmox, I’m new to virtualization and I don’t want do nesting… I fear it will complicate things when I’ll need to do GPU passthrough.

              How is Podman integrated into Cockpit?

              Also, I had so much trouble trying to bridge my Home Assistant VM to my LAN. Are there any tutorials on how to do this from Cockpit?