I am moving from docker to podman and selinux because I thought that podman is more secure and hence, the future. I thought the transition will be somewhat seamless. I even prepaired containers but once I migrated I still ran into issues.
minor issue: it’s podman-compose instead of podman compose. The hyphen feels like a step back because we moved from docker-compose to docker compose. But thT’s not a real issue.
podman does not autostart containers after boot. You have to manually start them, or write a start script. Or create a systemd unit for each of them.
Spinning up fresh services works most of the time but using old services that worked great with docker are a pain. I am wasting minutes after minutes because I struggle with permissions and other weird issues.
podman can’t use lower number ports such that you have to map the ports outside of the machine and forward them properly.
Documentation and tutorials are “all” for docker. Github issues are “all” for docker. There isn’t a lot of information floating around.
I’m still not done and I really wonder why I should move forward and not go back to docker. Painful experience so far. https://linuxhandbook.com/docker-vs-podman/ and following pages helped me a lot to get rid of my frustration with podman.
Podman is great, but a lot of confusion arise from the rapid development the last ~year and the fact that different distros have relatively old versions in their repos.
I recommend using the latest Fedora Server and defining your containers as quadlets. Also, on Fedora, yoi can install Cockpit (and cockpit-podman) and get a decent webgui to manage your host and container.
I should just write a blog post about this instead of typing this up on my phone in bed 😆
You must have been expecting philadelphia
Writing systemd services for your containers is something yoully have to get used to with podman, pretty much. It’s actually very easy with the built in command “podman generate systemd”, so you can just do something like " podman generate systemd --name my-container > /etc/systemd/system". I much prefer managing my containers with systemd over the docker daemon. It’s nice!
Also, podman can use privileged ports as root, right?
Regarding the low port number thing, that’s just a consequence of not running as root. By default, regular users can’t listen on ports below 1000.
1024
You are correct. I’m as bad as hard drive manufacturers.
Well hard drive manufacturers are actually correct. A gigabyte (GB) is in base 10 and thus 1000 megabytes, not 1024. Gibibytes (GiB) are base 2 (hence “bi”) and thus 1024 mebibytes.
Almost all of your problems are because you aren’t running as root. These aren’t bugs. They seem like a pain because you’re transitioning from Docker which runs as root (which is ABSOLUTELY INCORRIGIBLE in my opinion).
SELinux is a different story though. Now that’s a hard to tame beast. Things go wrong easily if you don’t know what you’re doing.
I suggest researching more before jumping off into a new technology, you seem like you weren’t anticipating some of these problems which adds to the frustration.
Your issues stem from going rootless. Podman Compose creates rootless containers and that may or may not be what you want. A lot more configuration needs to be done to get rootless containers working well for persistent services that use low ports, like enabling linger for specific users or enabling low ports for non-root users.
If you want the traditional Docker experience (which is rootful) and figure out the migration towards rootless later, I’d recommend the following:
- Install
podman-docker
. This provides a seamless Docker compatibility layer for podman, allowing you to even use regular docker commands that get translated behind the scenes into Podman. - Install regular
docker-compose
. This will work viapodman-docker
and gives you the native docker compose experience. - Enable
podman.socket
andpodman-restart.service
. First one socket-activates the central Podman daemon, second one restarts any podman containers with arestart-policy
ofalways
on boot. - Run your docker-compose commands using
sudo
, sosudo docker-compose up -d
etc. You can run this withsudo podman compose
as well if you’re allergic to hyphenation. Podman allows both rootful and rootless containers and the way you choose is by running the commands withsudo
or not.
This gets you to a very Docker-like experience and is what I am currently using to host my services. I do plan on getting familiar with rootless and systemd services and Kubernetes files, but I honestly haven’t had the time to figure all that out yet.
thank you!
Enable podman.socket and podman-restart.service. First one socket-activates the central Podman daemon, second one restarts any podman containers with a restart-policy of always on boot.
Thanks, the last time I checked I was told that creating individual systemd services was the only viable solution and I ended up ditching podman because I didn’t think it was worth the hassle. I might try it again with your tips.
Definitely not necessary. If that was the case, it wouldn’t live up to it’s claims of being a transparent Docker replacement at all. I think you do need to use systemd if you want to go full rootless, but I haven’t tried it enough to make a solid call on that.
But yeah, with the above steps, I’ve moved seamlessly over to Podman for my self hosting stack and I’ve never looked back. It’s also great because I can take literally any Docker Compose I find on the Internet and it will most likely just work.
- Install
Podman is not hard. Read about :z for volumes/binds and maybe use podlet (https://github.com/podium-lib/podlet) for easier systemd services generation.