I keep reading about podman, yet it doesm’t FEEL as mature to me as docker for a normal user like me. What’s your opinion? Did you already switch or do you keep waiting for … for what? When will you switch?
You shouldn’t need root to bind to privileged ports. I use k8s but I assume you can set sys capabilities for containers in a similar way I do for pods.
You technically can bind ports <1024 to unprivileged containers. echo 'net.ipv4.ip_unprivileged_port_start=0' | sudo tee /etc/sysctl.d/50-unprivileged-ports.conf; sudo sysctl --system. Though this will allow any user to bind ports below 1024, so it’s not very clean.
Another workaround is to redirect port 80 to 8080 (or other) through iptables and have your proxy listen on this port. sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080. Same thing for 443.
As far as I know granting the CAP_NET_BIND_SERVICE capability to /usr/bin/podman does not work.
Also podman-compose implementation is still incomplete, and I prefer using systemd units to start and manage containers. Check man podman-generate-systemd
For what it’s worth, I just wrote up a compose.yaml file as I’d write it for Docker Compose and it just worked. See the bottom of my comment on this GitHub issue for an example. I think the team’s intention is for it to transparently support whatever you’d write for a standard Compose file but of course we don’t have things like the brand new Docker watch. They do point to the Compose spec in the Podman Compose README. Bind mounts are good enough for me, thus far.
I only tried running rootless when i set them up several years ago and i was completely green, so it was probably me who was the problem.
Regarding podman-compose, Fedora repos has a a package that aliases podman -> docker and the regular docker-compose package, which i used before migrating to podman+systemd. It worked flawlessly unless i did networking shenanigans because Podman and Docker differs (/differed?) in so some thing simply couldn’t be brought over.
Edit: i found the docker-compose and Podman alias thingies in a Fedora Magazine post.
However, unless you use docker-compose a lot for other stuff, learning to use Podmans systemd integration (also called quadlet) is very much worth it.
They’re just a really powerful combo and systemd has a ton of nice features for making stuff run and keep running.
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !selfhosted@lemmy.world
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.
Rules:
Be civil: we’re here to support and learn from one another. Insults won’t be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it’s not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don’t duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
Podman is CLI and API compatible with Docker (except where differences in implementation doesn’t allow it)
Running Podman as root is 99.9% the same as running Docker.
I have been running my homelab with Podman for several years and it is absolutely mature enough for a regular user.
Also, the docs are really good.
deleted by creator
You shouldn’t need root to bind to privileged ports. I use k8s but I assume you can set sys capabilities for containers in a similar way I do for pods.
You technically can bind ports <1024 to unprivileged containers.
echo 'net.ipv4.ip_unprivileged_port_start=0' | sudo tee /etc/sysctl.d/50-unprivileged-ports.conf; sudo sysctl --system. Though this will allow any user to bind ports below 1024, so it’s not very clean.Another workaround is to redirect port 80 to 8080 (or other) through iptables and have your proxy listen on this port.
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080. Same thing for 443.As far as I know granting the
CAP_NET_BIND_SERVICEcapability to/usr/bin/podmandoes not work.Also podman-compose implementation is still incomplete, and I prefer using systemd units to start and manage containers. Check
man podman-generate-systemdFor what it’s worth, I just wrote up a
compose.yamlfile as I’d write it for Docker Compose and it just worked. See the bottom of my comment on this GitHub issue for an example. I think the team’s intention is for it to transparently support whatever you’d write for a standard Compose file but of course we don’t have things like the brand new Dockerwatch. They do point to the Compose spec in the Podman Compose README. Bind mounts are good enough for me, thus far.I only tried running rootless when i set them up several years ago and i was completely green, so it was probably me who was the problem.
Regarding podman-compose, Fedora repos has a a package that aliases podman -> docker and the regular docker-compose package, which i used before migrating to podman+systemd. It worked flawlessly unless i did networking shenanigans because Podman and Docker differs (/differed?) in so some thing simply couldn’t be brought over.
Edit: i found the docker-compose and Podman alias thingies in a Fedora Magazine post.
However, unless you use docker-compose a lot for other stuff, learning to use Podmans systemd integration (also called quadlet) is very much worth it. They’re just a really powerful combo and systemd has a ton of nice features for making stuff run and keep running.