Podman in Linux

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • podman

    Podman: A tool for managing OCI containers and pods.

  • > root-less nature of podman

    I see this repeated a lot, but it's not the default, it has to be explicitly configured: https://github.com/containers/podman/blob/v3.3.1/docs/tutori...

    And in addition to the known upsides, there are some lesser known downsides:

    1. There are feature limitations with it: https://github.com/containers/podman/blob/v3.3.1/rootless.md

    2. There are security implications, quoting Arch Wiki:

    > Warning: Rootless Podman relies on the unprivileged user namespace usage (CONFIG_USER_NS_UNPRIVILEGED) which has some serious security implications, see Security#Sandboxing applications for details.

    Also worth noting that Docker itself has a rootless mode as well by now: https://docs.docker.com/engine/security/rootless/

    I'm happy that there are Docker alternatives, but I have the feeling that podman has been hyped a lot recently and many articles and comments give the impression that it's more secure by default and without any downsides.

  • podman-macos

    Discontinued 📦 Podman frontend for macOS

  • Good to know about the GUI!

    > ETA: Oh hey here it is: https://github.com/heyvito/podman-macos

    This GUI isn't an official Podman application. It's a third party. Not that it's bad or anything, it's just not official.

  • Moby

    The Moby Project - a collaborative project for the container ecosystem to assemble container-based systems

  • I love podman. When you write a file to a volume from a container, the user that spawned the container is the owner. This is exactly what you expect, but with Docker, everything is written as root. After many years, this has not been fixed in docker:

    https://github.com/moby/moby/issues/2259

    This has made it impossible to use docker in scripts where root access is not available. Thank you podman!

  • podman-compose

    a script to run docker-compose.yml using podman

  • > For everything else...

    Except for:

      - Docker Compose (because podman-compose has a large amount of open issues https://github.com/containers/podman-compose/issues)

  • Nomad

    Nomad is an easy-to-use, flexible, and performant workload orchestrator that can deploy a mix of microservice, batch, containerized, and non-containerized applications. Nomad is easy to operate and scale and has native Consul and Vault integrations.

  • That does seem better! Of course, there are a few lingering issues with support, but overall the trend is good: https://github.com/containers/podman/issues?q=is%3Aissue+is%...

    Of course, there's no Swarm support, as evidenced by that very article:

    > Caveats

    > One known caveat is that Podman has not and will not implement the Swarm function. Therefore, if your Docker Compose instance uses Swarm, it will not work with Podman.

    Feels like people will either be pigeonholed into Kubernetes for all of their deployments, or will have to migrate over to something like HashiCorp Nomad: https://www.nomadproject.io/

    Curiously, it also supports Podman as a task driver: https://www.nomadproject.io/docs/drivers/podman

  • zfs

    OpenZFS on Linux and FreeBSD
