←back to thread

Red Hat to contribute container tech (Podman, bootc, ComposeFS...) to CNCF

(www.redhat.com)
272 points twelvenmonkeys | 4 comments | 14 Nov 24 17:59 UTC | HN request time: 0s | source
Show context
xer0x ◴[14 Nov 24 18:22 UTC] No.42139358[source]
What took them so long?
replies(2): >>42139403 #>>42139529 #
nijave ◴[14 Nov 24 18:37 UTC] No.42139529[source]
My take was they sort of dug in said "Docker isn't made right for Linux, we're reinventing it"

On Fedora w/ SELinux that led to quite a bit of compatibility issues for a while with lots of quirky things that didn't behave the same.

I think their implementations have gotten pretty stable and improved in compatibility since then

replies(1): >>42139632 #
2OEH8eoCRo0 ◴[14 Nov 24 18:44 UTC] No.42139632[source]
That's my take as well. Red Hat's design choices fit into Linux much more neatly. Docker has always been rubbish with late cgroups v2 support, punching holes in my firewall, no rootless, etc.
replies(1): >>42139891 #
1. mmh0000 ◴[14 Nov 24 19:04 UTC] No.42139891[source]
> punching holes in my firewall

I teach various Linux training courses. One of which is Containers. It always shocks several people per-class how Docker just blatantly ignores and rewrites existing firewall rules. And there's no real option to prevent that unless you want to manually configure ALL network routing.

For me personally, that was one of the big issues the pushed me over to Podman.

Also, Docker's insistence on "forcing" and preventing the disabling of using the malware-ridden Docker Hub didn't help me appreciate their security practices.[]

[]

https://jfrog.com/blog/attacks-on-docker-with-millions-of-ma...

https://www.infosecurity-magazine.com/news/malicious-contain...

https://www.bleepingcomputer.com/news/security/millions-of-d...

https://www.bleepingcomputer.com/news/security/docker-hub-re...

https://sysdig.com/blog/analysis-of-supply-chain-attacks-thr...

... ETC ...

replies(3): >>42140120 #>>42141051 #>>42143434 #
2. hughesjj ◴[14 Nov 24 19:26 UTC] No.42140120[source]
I want to switch to podman. What are the general gotchas and difficulties you could see in doing that for multi architecture+os builds/deployments?
3. xelamonster ◴[14 Nov 24 20:48 UTC] No.42141051[source]
You might just be convincing me to switch, I generally love docker and compose but the firewall thing still blows my mind and that there still just is not a solution.

My workaround has been to bind all docker port forwards to localhost and only ever expose them externally via reverse proxy. Which is annoying because that means I can't run the reverse proxy itself in docker.

4. justinclift ◴[15 Nov 24 02:27 UTC] No.42143434[source]
> It always shocks several people per-class how Docker just blatantly ignores and rewrites existing firewall rules.

Yeah. Many times I've mentioned that to people, and they just don't believe it's a thing which Docker does. Including here on HN. :/