[HN Gopher] Podman in Linux
___________________________________________________________________
Podman in Linux
Author : diegopacheco
Score : 53 points
Date : 2021-09-28 20:42 UTC (2 hours ago)
(HTM) web link (diego-pacheco.blogspot.com)
(TXT) w3m dump (diego-pacheco.blogspot.com)
| Iolaum wrote:
| podman user here, because of the ability to run in rootless mode.
|
| Using it on an RPi4 with Fedora IoT, running linuxserver.io
| containers.
|
| Appreciate the systemd integration as well, making the containers
| services that gracefully go down and come up when the Pi gets
| rebooted without me needing to do anything.
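The systemd integration described above, as an added example (it is not from the thread or the Podman project): a user-level unit is generated for an existing rootless container with `podman generate systemd` (a Podman 3.x subcommand), enabled, and lingering is switched on so the unit starts at boot without anyone logging in. It assumes podman and a systemd host, takes the container name as a hypothetical first argument, and does nothing when podman is not installed.

```shell
#!/bin/sh
# Added example: turn a rootless Podman container into a systemd --user service
# that stops cleanly at shutdown and starts again at boot. Assumes podman 3.x
# with `podman generate systemd`, a systemd host, and an existing container
# whose name is passed as $1 (hypothetical, e.g. "web").
set -eu

UNIT_DIR="${XDG_CONFIG_HOME:-$HOME/.config}/systemd/user"

# Where the generated unit for container NAME is written.
unit_path() {
    printf '%s/container-%s.service\n' "$UNIT_DIR" "$1"
}

enable_container() {
    name="$1"
    mkdir -p "$UNIT_DIR"
    # --new:   the unit runs `podman run` itself, recreating the container on
    #          every start, so a restart picks up a re-pulled image.
    # --name:  refer to the container by name, not by ID, in the unit.
    # --files: write container-<name>.service into the current directory.
    (cd "$UNIT_DIR" && podman generate systemd --new --name --files "$name")
    systemctl --user daemon-reload
    systemctl --user enable --now "container-$name.service"
    # Without lingering, user units only run while the user has a session,
    # so the container would not come back after a reboot of a headless Pi.
    loginctl enable-linger "$(id -un)"
}

# Act only when podman exists and a container name was given.
if command -v podman >/dev/null 2>&1 && [ "$#" -ge 1 ]; then
    enable_container "$1"
fi
```

The generated unit stops the container with `podman stop` (SIGTERM, then SIGKILL after the stop timeout) on shutdown, which is the graceful behaviour the comment refers to. Later Podman releases (4.4 onward) also accept declarative Quadlet files instead of generated units, but the mechanism above is what the 3.x series offered.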
| kbenson wrote:
| I was enamored with this feature too, but a comment here on
| HN[1] made me reconsider its use. Apparently rootless requires
| namespaces, which provides a different security context than
| most apps are expected to run in, and might be less thoroughly
| tested than you would think.
|
| I still like the systemd integration and that it doesn't
| require a daemon too, and I still favor it over Docker.
|
| 1: https://news.ycombinator.com/item?id=28393949
| some0x80070005 wrote:
| It's great that podman serves a good role for you, and I'm not
| going to argue that. My points:
|
| 1. Docker containers absolutely can be run without root. Yes,
| it's not the default policy, but containers can have a user ID.
| If you are referencing the daemon-less root-less nature of
| podman, that's a clear advantage of podman vs Docker.
|
| 2. Docker containers also have a restart policy which I use to
| also have them startup on machine reboot. By graceful, you must
| mean sending SIGTERM to the containers, which Docker does as well.
|
| Perhaps podman does these things better, but I want to point
| out that Docker does have many features for better or for
| worse.
| kblev wrote:
| Thanks
| PhilippGille wrote:
| > root-less nature of podman
|
| I see this repeated a lot, but it's not the default, it has
| to be explicitly configured:
| https://github.com/containers/podman/blob/v3.3.1/docs/tutori...
|
| And in addition to the known upsides, there are some lesser
| known downsides:
|
| 1. There are feature limitations with it:
| https://github.com/containers/podman/blob/v3.3.1/rootless.md
|
| 2. There are security implications, quoting Arch Wiki:
|
| > Warning: Rootless Podman relies on the unprivileged user
| namespace usage (CONFIG_USER_NS_UNPRIVILEGED) which has some
| serious security implications, see Security#Sandboxing
| applications for details.
|
| Also worth noting that Docker itself has a rootless mode as
| well by now:
| https://docs.docker.com/engine/security/rootless/
|
| I'm happy that there are Docker alternatives, but I have the
| feeling that podman has been hyped a lot recently and many
| articles and comments give the impression that it's more
| secure by default and without any downsides.
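A pre-flight script for the prerequisites the two links above describe, as an added example (mine, not the thread's or Podman's): rootless Podman needs unprivileged user namespaces in the kernel, a subordinate UID/GID range for the user in /etc/subuid and /etc/subgid, and the setuid newuidmap/newgidmap helpers from shadow-utils that map that range. The same facilities are what Docker's rootless mode relies on, so the checks apply there too. The minimum range size of 65536 is an assumption, not a hard requirement, and the subuid entries in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or the Podman project): pre-flight checks
# for rootless Podman. MIN_RANGE=65536 is an assumption (room for a full
# 16-bit UID space inside the container), not a hard Podman requirement.

MIN_RANGE=65536

# Print "<start> <count>" for USER from FILE in subuid/subgid format
# ("user:start:count" per line); print nothing and fail if there is no entry.
sub_range() {
    user="$1"; file="$2"
    [ -r "$file" ] || return 1
    awk -F: -v u="$user" \
        '$1 == u { print $2, $3; found = 1; exit } END { exit !found }' "$file"
}

# Succeed when USER has at least MIN_RANGE subordinate ids in FILE.
has_range() {
    set -- $(sub_range "$1" "$2" 2>/dev/null)
    [ -n "${2:-}" ] && [ "$2" -ge "$MIN_RANGE" ]
}

# Integer sysctl read through /proc; "unknown" when the key does not exist.
sysctl_value() {
    f="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# kernel.unprivileged_userns_clone exists only on Debian-style kernels (0 = off);
# user.max_user_namespaces exists on every kernel since 4.9 (0 = off). This is
# the CONFIG_USER_NS_UNPRIVILEGED switch the Arch Wiki warning is about.
userns_enabled() {
    [ "$(sysctl_value kernel.unprivileged_userns_clone)" != 0 ] &&
    maxns="$(sysctl_value user.max_user_namespaces)" &&
    [ "$maxns" != unknown ] && [ "$maxns" != 0 ]
}

report() {
    me="$(id -un)"
    for f in /etc/subuid /etc/subgid; do
        if has_range "$me" "$f"; then
            echo "ok   $f: $(sub_range "$me" "$f")"
        else
            echo "FAIL $f: no entry of >= $MIN_RANGE ids for $me (add a line like '$me:100000:65536')"
        fi
    done
    if userns_enabled; then
        echo "ok   unprivileged user namespaces enabled"
    else
        echo "FAIL unprivileged user namespaces disabled (rootless podman cannot work)"
    fi
    # The mapping helpers must be setuid root or the range cannot be applied.
    for b in newuidmap newgidmap; do
        p="$(command -v "$b" 2>/dev/null)" || { echo "FAIL $b not installed (shadow-utils/uidmap)"; continue; }
        if [ -u "$p" ]; then echo "ok   $p is setuid"; else echo "FAIL $p is not setuid root"; fi
    done
}

report
```

A FAIL on the user-namespace line is the trade-off the comment points at: turning `user.max_user_namespaces` (or the Debian clone sysctl) on is what makes rootless containers possible, and it is also what exposes the kernel's namespace code to every unprivileged process on the host, not just to Podman.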
| paxys wrote:
| While I understand the phrasing, it's still funny to read "open-
| source Docker replacement".
| m463 wrote:
| When I first used docker on macos a while back, I was surprised
| with all the telemetry/phoning home it did. It started doing it
| at the beginning of the installer, before docker was even
| installed.
| rmetzler wrote:
| Somehow a lot of these blog posts seem to get the fine technical
| details of the marketing speak wrong.
|
| > Docker recently changed the license
|
| From my understanding this is related to Docker _Desktop_ not
| Docker. I'm pretty sure Podman can't replace Docker Desktop.
| This is also what the linked website says.
|
| Or did I miss something?
|
| And in the linked Blog post it says
|
| > Docker was dropped from Kubernetes.
|
| which from my understanding is also incorrect, because it's the
| docker-shim which is deprecated (not dropped) and Docker inc
| could probably make Docker Engine CRI compliant.
| dmart wrote:
| It seems to me that almost no one understands the difference
| between the various layers of "Docker" (that is to say:
| Desktop, CLI, daemon, containerd, runc) and which layers tools
| like Podman aim to replace.
| gizdan wrote:
| From what I've seen in all these Podman articles, I've come
| to the same conclusion as you.
|
| This is how Podman fits in:
|
| Podman (and its various components) can replace everything
| but parts of Docker Desktop, namely the GUI that Docker
| Desktop has. For everything else, it has its own Docker
| compatible CLI, an _optional_ daemon (by default it's
| daemonless), there is no containerd component as it
| communicates directly to any OCI compatible runtime. They've
| also implemented their own OCI compatible runtime, crun,
| which is supposed to be faster than runc, and more
| lightweight.
|
| I suppose for the average Joe/Jane this probably doesn't
| matter. They want to run a few commands the first time around
| to set up, and then do "start/stop/remove my container" and
| that's all they want to do.
| amarshall wrote:
| Docker Desktop isn't really about the GUI so much as the
| management of, and host integration with, a Linux VM for
| running on non-Linux OSes. Notably, there's no Docker
| Desktop for Linux, only macOS and Windows.
| jhickok wrote:
| My understanding is that Podman is working on a "GUI" since
| it is one of the most requested items. Taken from the
| interview with the founders of Podman over on the Google
| Kubernetes podcast:
| https://kubernetespodcast.com/episode/164-podman/
|
| ETA: Oh hey here it is: https://github.com/heyvito/podman-macos
| denysvitali wrote:
| To be fair, podman has its own "Docker Desktop" part, podman
| machine. But of course on Linux this doesn't make any sense.
| jonfw wrote:
| Podman can replace docker desktop. It doesn't have the same GUI
| but it does have the capability to run containers via familiar
| CLI commands on a variety of OSes, connecting to (and in some
| cases provisioning through podman machine) a VM when required.
|
| I also think that it's more than safe to say that K8s is
| dropping Docker when they've deprecated it as a container
| runtime
| benatkin wrote:
| You can also run regular docker with vagrant instead of
| Docker Desktop. This seems to be the way you can replace
| Docker Desktop with Podman:
| https://www.redhat.com/sysadmin/replace-docker-podman-macos
|
| There was Kitematic for Docker, I think it was independent,
| but it's owned by Docker now and they shut it down.
| https://github.com/docker/kitematic
| nickstinemates wrote:
| It evolved to become Docker Desktop
| benatkin wrote:
| No it didn't, Docker Desktop was already released before
| Docker bought Kitematic. I have receipts:
| https://www.zdnet.com/article/docker-reels-in-kitematic-as-i... (2015)
| https://en.m.wikipedia.org/wiki/Docker_(software)
| (Initial release: 2012)
|
| If you mean Docker Desktop added some features from
| Kitematic, that's a misleading way of saying it.
| zapita wrote:
| > _I also think that it's more than safe to say that K8s is
| dropping Docker when they've deprecated it as a container
| runtime_
|
| This is wrong. Docker itself is no longer a container
| runtime: it has spun out that capability into containerd.
| Kubernetes can now call Docker's container runtime (again:
| containerd) directly instead of going through a redundant
| docker-shim.
|
| In other words: Kubernetes has dropped Docker's old container
| runtime in favor of... Docker's new container runtime.
| boardwaalk wrote:
| It depends on what you mean by "replace" Docker Desktop, but
| Podman can run a VM on macOS and has replaced Docker Desktop
| for me. There's no fancy (useless) UI nor Windows support yet
| though.
| gavinray wrote:
| I thought there was Windows support for Podman the same way
| that Docker Desktop provides Windows support -- primarily
| through WSL2?
| jonfw wrote:
| Windows works via a "Bring your own VM" approach, but since
| WSL exists I'd expect most Windows users would just run it
| there
| flatiron wrote:
| When you install Docker desktop and already have wsl2
| installed you get a pop up saying "you just want us to use
| wsl2?" And away you go. At least that's what happened when
| I did it 6 months ago. Works great!
| zapita wrote:
| You are correct on both counts. Most people are not intimately
| familiar with the details of the Docker and Kubernetes stacks.
| Unscrupulous vendors have been taking advantage of this
| confusion to spread FUD and shine a more flattering light on
| their own products.
| ActorNightly wrote:
| I'm just wondering if the full loop will ever be complete and
| deployment patterns start shifting to single file compiled
| executables.
| inetknght wrote:
| # stage the binary locally, then push it to every host in parallel
| cp ./app.AppImage /srv/app/app.AppImage
| for deployment_host in $(jq -r '.[].hostname' < deployment_hosts); do
|   scp /srv/app/app.AppImage "deployment_user@${deployment_host}:/srv/app/app.AppImage" &
| done
| wait
|
| okay boss, what's the next problem?
| jrockway wrote:
| app.AppImage used up all the RAM on the machine, and the
| kernel OOMkilled sshd. Now it's time to roll back.
|
| (But I guess it wasn't the fault of that deployment -- you
| just staged the binary, you didn't start it running.)
___________________________________________________________________
(page generated 2021-09-28 23:00 UTC)