Selfhosted

50424 readers

335 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago

MODERATORS

HybridSarcasm@lemmy.world

HybridSarcasm@lemmy.hybridsarcasm.xyz

Docker vs Podman, which one to choose for a beginner and why ? (lemmy.world)

submitted 2 years ago by folak@lemmy.world to c/selfhosted@lemmy.world

48 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[–] azdle@news.idlestate.org 29 points 2 years ago (3 children)

If your distro offers it, rootless podman + podman system service is the best setup, IMO. That will give you a docker command that is 1-to-1 compatible with docker and lets you use tools like docker-compose that expect a docker service socket. Then you can just follow tutorials that only explain things for docker.

[–] Molecular0079@lemmy.world 1 points 2 years ago

My only issue with rootless is that SWAG doesn't work with it, otherwise my other containers could be rootless. However, I heard connecting rootful and rootless containers is impossible so all my containers are rootful right now.

[–] ssdfsdf3488sd@lemmy.world 1 points 2 years ago

will it let you do rootless nfs mounts into the container? That's the showstopper for me, as that is by far the best way to just make this all work within the context of my file storage.

[+] lemmyvore@feddit.nl -13 points 2 years ago (3 children)

What is rootless bring brought up so much? It's a container, it's isolated from the host anyway, what does it matter what user runs inside? And if something breaks into the container they can trash the app in it and the shared volumes anyway, even if they're not root.

[–] azdle@news.idlestate.org 16 points 2 years ago* (last edited 2 years ago) (1 children)

Defense in depth. If something escapes the container it's limited to only what's under that user and not the whole system. Having access to the whole system makes it easier for malware to hide/persist itself.

[–] lemmyvore@feddit.nl -4 points 2 years ago (1 children)

Correct me if I'm wrong but containerization is enforced by the kernel, correct? If something escapes you're pretty much screwed anyway.

[–] Atemu@lemmy.ml 11 points 2 years ago

There are many layers involved in preventing escapes from containers.

[–] florian@lemmy.world 6 points 2 years ago

It depends on the use case. The most common security issue I have seen with docker is on Linux desktop systems: docker deamon runs as root and user wants to use it to test all kinds of containers. So they make the docker socket accessible to the user, to lazy to use "sudo docker" every time... Having access to the docker socket means having the same permissions as the one running the daemon: root . Your browser effectively now has root permissions. At this point you could just login as root to your desktop.

[–] worldofgeese@lemmy.world 4 points 2 years ago* (last edited 2 years ago)

There's real usability benefits too. I've collected some anecdotes from Reddit:

Rootless podman is my first choice for using containers now, it works fantastically well in my experience. It's so much nicer to have all my container related stuff like volumes, configs, the control socket, etc. in my home directory and standard user paths vs. scattered all over the system. Permission issues with bind mounts just totally disappear when you go rootless. It's so much easier and better than the root privileged daemon.

and,

If you are on Linux, there is the fantastic podman option "--userns keep-id" which will make sure the uid inside+the container is the same as your current user uid.+

and,

Yeah in my experience with rootless you don't need to worry about UID shenanigans anymore. Containers can do stuff as root (from their perspective at least) all they want but any files you bind mount into the container are still just owned/modified by your user account on the host system (not a root user bleeding through from the container).

finally,

The permissions (rwx) don't change, but the uid/gid is mapped. E.g. uid 0 is the running user outside the container, by uid 1 will be mapped to 100000 (configurable), and say 5000 inside the container is mapped to 105000. I don't remember the exact mapping but it works roughly like that.