I am moving from docker to podman and selinux because I thought that podman is more secure and hence, the future. I thought the transition will be somewhat seamless. I even prepaired containers but once I migrated I still ran into issues.

minor issue: it’s podman-compose instead of podman compose. The hyphen feels like a step back because we moved from docker-compose to docker compose. But thT’s not a real issue.

podman does not autostart containers after boot. You have to manually start them, or write a start script. Or create a systemd unit for each of them.

Spinning up fresh services works most of the time but using old services that worked great with docker are a pain. I am wasting minutes after minutes because I struggle with permissions and other weird issues.

podman can’t use lower number ports such that you have to map the ports outside of the machine and forward them properly.

Documentation and tutorials are “all” for docker. Github issues are “all” for docker. There isn’t a lot of information floating around.

I’m still not done and I really wonder why I should move forward and not go back to docker. Painful experience so far. https://linuxhandbook.com/docker-vs-podman/ and following pages helped me a lot to get rid of my frustration with podman.

  • chameleon
    link
    fedilink
    79 months ago

    For the port thing, you can set the net.ipv4.ip_unprivileged_port_start sysctl to a lower value like 80 (may need to go lower if you also do email). It also applies to IPv6.

    The default of 1024 is for security, but the actual security granted by it is not really that relevant nowadays. It stems from a time where ports < 1024 were used by machines to trust other machines using stuff like rsh & telnet, and before we considered man-in-the-middle attacks to be practical and relevant. Around the start of this millennium, we learned better. Nowadays we use SSH and everything is encrypted & authenticated.

    The only particularly relevant risk is that if you lower it enough to also include SSH’s default port 22, some rogue process at startup might make a fake SSH server. That would come along with the scary version of the “host key changed” banner so the risk is not that high. Not very relevant if you’re following proper SSH security practices.