Before I dabbled a bit with Docker. I wanted to dabble a bit with Podman because it seemed quite interesting.
I reinstalled Pi OS Lite on my Pi 3B+ and installed Podman. Then I figured out what to run and started digging through the documentation.
Apparently Docker containers work quite similar and even Docker compose can be used.
Then I came across the auto update function and stumbled upon quadlets to use auto update and got confused. Then I tried reading up on Podman rootless and rootful and networking stuff and really got lost.
I want to run the following services:
Heimdall
Adguard Home
Jellyfin
Vaultwarden
Nextcloud
I am not sure a Pi is even powerful enough to run these things but I am even more unsure about how to set things up.
Do I use quadlets? Do I run containers? How do I do the networking so I can reach the containers (maybe even outside my home)?
Can someone point me in the right direction? I can’t seem to find the needed information.
My major beef is we used to be able to run a Podman generate command to make a user systemd file and auto start and stop containers with that. Even entire clusters of pods with one easy command and then just use the system level start and stop. They removed it in favor of “quadlet”which works fine for single containers, but for a compose, they literally just use Kubernetes syntax and the official documentation says just use Kubernetes. Well, what the fuck is Podman for then?
The biggest problem everyone ever has with Podman is it’s frustratingly obedient to SELinux. Docker just kind of makes its own permissions and opens its own ports and steamrolls past whatever security you have. Podman will refuse to read or write a directory for stupid reasons until you’ve gone round and round with SELinux, and then just when you have it working, when the container updates it locks the directory all over again(in my case, updating a Minecraft server to latest version would crash the server and lock the data directory). Red Hat continues to insist SELinux is cool and this is working as intended. Again, Docker just doesn’t give a shit and barges into the directory without a problem.
It’s a legit argument that Docker has a stable architecture while podman is still evolving, but that’s how software do. I haven’t seen anything that isn’t backward compatible, or very strongly deprecated with notice.
Complaining about selinux in 2024? Setenforce 0, audit2allow, and get on with it.
Docker doing that while selinux is enforcing is an actual bad thing that you don’t want.
Well that can be understandable, but AFAIK podman generate still works, so if you can’t do something with Quadlet, then you can stays with generate until then. For example, I’m using Quadlet and now podman generate too since my Rocky 9 podman can’t be upgraded to podman 5 which means no pod support for you.
Now look here chap, Quadlet admittedly works fine. I personally just k3s anyway but .pod files work too.
Isn’t being obedient to SELinux a good thing? You could set it to permissive if you want, but MAC systems are essential for security and I personally wouldn’t go without them
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !selfhosted@lemmy.world
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.
Rules:
Be civil: we’re here to support and learn from one another. Insults won’t be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it’s not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don’t duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
My major beef is we used to be able to run a Podman generate command to make a user systemd file and auto start and stop containers with that. Even entire clusters of pods with one easy command and then just use the system level start and stop. They removed it in favor of “quadlet”which works fine for single containers, but for a compose, they literally just use Kubernetes syntax and the official documentation says just use Kubernetes. Well, what the fuck is Podman for then?
The biggest problem everyone ever has with Podman is it’s frustratingly obedient to SELinux. Docker just kind of makes its own permissions and opens its own ports and steamrolls past whatever security you have. Podman will refuse to read or write a directory for stupid reasons until you’ve gone round and round with SELinux, and then just when you have it working, when the container updates it locks the directory all over again(in my case, updating a Minecraft server to latest version would crash the server and lock the data directory). Red Hat continues to insist SELinux is cool and this is working as intended. Again, Docker just doesn’t give a shit and barges into the directory without a problem.
SElinux is needed for a secure system. It takes time to properly set up but it adheres to least privilege nicely
There are .pod files for Quadlet now, which do what you want. No Kubernetes involved.
My impression is really the opposite. Podman is constantly being improved and nice features get added all the time.
If you don’t like SELinux, just disable it. Nothing to do with Podman.
Every complaint here is PEBKAC.
It’s a legit argument that Docker has a stable architecture while podman is still evolving, but that’s how software do. I haven’t seen anything that isn’t backward compatible, or very strongly deprecated with notice.
Complaining about selinux in 2024? Setenforce 0, audit2allow, and get on with it.
Docker doing that while selinux is enforcing is an actual bad thing that you don’t want.
Well that can be understandable, but AFAIK podman generate still works, so if you can’t do something with Quadlet, then you can stays with generate until then. For example, I’m using Quadlet and now podman generate too since my Rocky 9 podman can’t be upgraded to podman 5 which means no pod support for you.
Now look here chap, Quadlet admittedly works fine. I personally just k3s anyway but .pod files work too.
Isn’t being obedient to SELinux a good thing? You could set it to permissive if you want, but MAC systems are essential for security and I personally wouldn’t go without them