Most active commenters
  • pydry(11)
  • dharmab(3)
  • eriksjolund(3)
  • exceptione(3)
  • rendaw(3)
  • robertlagrant(3)

←back to thread

Podman Quadlets with Podman Desktop

(podman-desktop.io)
180 points teleforce | 55 comments | 14 Apr 25 17:16 UTC | HN request time: 0.461s | source | bottom
1. orthoxerox ◴[14 Apr 25 20:20 UTC] No.43685880[source]
What is the killer feature that will make me want to switch from Docker Compose to Podman Quadlets?
replies(7): >>43685989 #>>43685992 #>>43686728 #>>43687129 #>>43687706 #>>43688911 #>>43690483 #
2. dharmab ◴[14 Apr 25 20:32 UTC] No.43685989[source]
I prefer quadlet for 2 reasons:

1. Podman is simpler than Docker. There is no long-running daemon. Rootless is default.

2. Quadlets can be managed as systemd services, giving me the same tools to manage and view logs for system daemons and containers.

Quadlets have been especially nice for bundling up an AI app I wrote as a cloud-init file, making it easy to deploy the hardware, software and models as one artifact.

replies(2): >>43686670 #>>43687155 #
3. eriksjolund ◴[14 Apr 25 20:32 UTC] No.43685992[source]
Podman quadlet supports "Socket activation of containers" https://github.com/containers/podman/blob/main/docs/tutorial... This allows you to run a network server with `Network=none` (--network=none). If the server would be compromised, the intruder would not have the privileges to use the compromised server as a spam bot. There are other advantages, such as support for preserved source IP address and better performance when running a container with rootless Podman + Pasta in a custom network.
replies(2): >>43687323 #>>43687533 #
4. pydry ◴[14 Apr 25 21:46 UTC] No.43686670[source]
quadlets == systemd which requires root to run. this is NOT the same thing as "systemd cant run non root containers". OBVIOUSLY it can, just as docker can run non root containers.

Making systemd a necessary dependency to run > 1 container kinda negates many of the the nice advantages that podman has of not requiring root.

podman compose doesnt require root and would serve as a substitute but it's a very neglected piece of software.

replies(3): >>43686855 #>>43686924 #>>43686928 #
5. philips ◴[14 Apr 25 21:54 UTC] No.43686728[source]
I really like the user namespace handling `--user-ns=keep-id`. It makes it easy for me to create a new Linux user and then have that user run some container and have bind mounts, etc just work correctly. It is the least fuss way I have found of running little services that need access to the host filesystem.

https://docs.podman.io/en/latest/markdown/podman-run.1.html#...

6. zacwest ◴[14 Apr 25 22:12 UTC] No.43686855{3}[source]
You can do non-root systemd units, including Quadlets. See <https://docs.podman.io/en/latest/markdown/podman-systemd.uni...> under "Podman rootless unit search path."
replies(2): >>43686960 #>>43687008 #
7. voxadam ◴[14 Apr 25 22:21 UTC] No.43686924{3}[source]
systemd user units can be run by non-root users.

https://wiki.archlinux.org/title/Systemd/User

replies(1): >>43686977 #
8. exceptione ◴[14 Apr 25 22:21 UTC] No.43686928{3}[source]

  systemctl --user ...
replies(1): >>43693240 #
9. pydry ◴[14 Apr 25 22:26 UTC] No.43686960{4}[source]
you can run docker containers without them requiring root too.

systemd itself is a root service. it shouldnt be a necessary dependency to run > 1 containers without root. somehow it is.

10. pydry ◴[14 Apr 25 22:29 UTC] No.43686977{4}[source]
not the point as i mentioned above.

systemd itself requires root.

replies(3): >>43687015 #>>43687216 #>>43687686 #
11. znhll ◴[14 Apr 25 22:31 UTC] No.43687008{4}[source]
I recently started making the switch from docker (and docker compose) to using podman and quadlet, but holy crap is the documentation for podman quadlets a big f-you wall-of-text mandoc that would make Torvalds proud. I've read thru that and am still not quite sure of how to get from point A to point B.

To replace a single docker compose file, sounds like one needs to manually create a number of .container, .volume, .network, .kube files correctly so systemd can spin up a container pod? Is that what I'm reading? Is there nothing that can generate that from a docker-compose.yml?

replies(2): >>43687031 #>>43691422 #
12. voxadam ◴[14 Apr 25 22:32 UTC] No.43687015{5}[source]
Installing packages (like podman or moby/docker) using dnf and apt requires root as well, so I'm not sure what your point is.
replies(1): >>43687039 #
13. zacwest ◴[14 Apr 25 22:34 UTC] No.43687031{5}[source]
I've used Podlet <https://github.com/containers/podlet> somewhat successfully for this.
14. pydry ◴[14 Apr 25 22:36 UTC] No.43687039{6}[source]
making systemd - a root service - a necessary dependency in order to orchestrate > 1 nonroot containers is both unnecessary and bad architecture.

It was a shitty decision that renders it just "a less popular docker" and not "a better docker".

replies(2): >>43687114 #>>43687211 #
15. linuxandrew ◴[14 Apr 25 22:45 UTC] No.43687114{7}[source]
Podman doesn't have a dependency on systemd. e.g. it is packaged in Void Linux.

Podman has a better architecture than Docker in that it can easily run on a non-privileged user.

Quadlet (aka podman-systemd.unit) is a podman-systemd integration which can make it easy to launch and orchestrate podman containers via systemd. You can get all if the systemd dependency handling, require other units to run after a container finishes, and all sorts of other useful things. Systemd "user" units (systemctl --user) also works here with the containers running as a non-privileged user in a non-root systemd context.

Just to be clear, Quadlet is just an integration and you can still run podman without it. You can still run podman on non-systemd systems as well.

replies(2): >>43687516 #>>43689894 #
16. tiew9Vii ◴[14 Apr 25 22:47 UTC] No.43687129[source]
For local development I found no advantages, if anything I found it a little less convenient.

For servers where you don’t need the complexities of Kubernetes etc, using Quadlets is nice as you can manage containers as regular systemd services and no Docker daemon running as root.

17. steeleduncan ◴[14 Apr 25 22:51 UTC] No.43687155[source]
Podman seems to have lower memory overhead than Docker. I assume that is a consequence of your point 1
18. exceptione ◴[14 Apr 25 22:58 UTC] No.43687211{7}[source]
wut? Containers need an operating system.

systemd runs on a linux host, the rootless container runs on a linux host, controlled by `systemctl --user ...`.

replies(1): >>43725344 #
19. steeleduncan ◴[14 Apr 25 22:58 UTC] No.43687216{5}[source]
systemd is the init process, the Linux kernel non-optionally runs the init process as root
replies(1): >>43689906 #
20. infogulch ◴[14 Apr 25 23:15 UTC] No.43687323[source]
That's neat. Does it require 1 connection = 1 process to work? I don't see how you can have a long running server with this feature.
replies(2): >>43687543 #>>43687660 #
21. dharmab ◴[14 Apr 25 23:46 UTC] No.43687516{8}[source]
And you can use podman to run multiple containers together (as a Pod). With or without systemd.
22. anonfordays ◴[14 Apr 25 23:49 UTC] No.43687533[source]
What's old is new again. That's effectively how inetd worked circa 1986. The inetd daemon had some serious security vulnerabilities so the world move away from using "socket activated daemons" to having always listening services (performance reasons as well).
replies(2): >>43688098 #>>43689460 #
23. ◴[14 Apr 25 23:50 UTC] No.43687543{3}[source]
24. xyzzy_plugh ◴[15 Apr 25 00:08 UTC] No.43687660{3}[source]
No, the init process hands over the listener FD allowing the server to accept() connections.

You can also do 1 connection = 1 process, though, but it's absolutely not required nor particular common these days.

25. dharmab ◴[15 Apr 25 00:12 UTC] No.43687686{5}[source]
How were you planning to run podman compose without an init process running as root?
replies(1): >>43689997 #
26. scheme271 ◴[15 Apr 25 00:15 UTC] No.43687706[source]
The biggest one is probably that podman runs as a user and doesn't need suid normally. So you can run services and have more assurances that container breaches won't give someone root on your system.
27. thwarted ◴[15 Apr 25 01:23 UTC] No.43688098{3}[source]
inetd supported "socket activation" using the "wait" directive, where inetd would listen on the socket and then hand off the listening socket when there was activity as fd 0 where the server would need to call accept, and could continue to call accept for new connections, or exit when all clients were handled, and inetd would respawn when there was new pending connection on the listening socket.
28. jabl ◴[15 Apr 25 04:11 UTC] No.43688911[source]
For a docker-compose replacement you should probably look at the 'podman kube' support. That supports a subset of the kubernetes API that roughly matches the docker-compose features.

Then for deployment to a Kubernetes cluster you can reuse your podman kube yaml.

For deployment to a single machine where the full Kubernetes is overkill, you can use the podman quadlet support. Quadlets support a "[Kube]" section where you can point to the yaml file, so you don't have to write all your port and volume etc mappings again in a slightly different syntax.

29. rendaw ◴[15 Apr 25 06:05 UTC] No.43689460{3}[source]
I never understood the use case for socket activation - is someone really running a web server that mixed workloads, long periods with no network traffic you'd rather prioritize something else, and a web server that's so resource intensive when not handling events it makes sense to stop it? Maybe desktop computers?

The security aspect is something new to me and I'm not sure if that applies to inetd/systemd socket services or if it's specifically a container thing.

Does anyone have more info on use cases for this?

replies(3): >>43689950 #>>43689968 #>>43691201 #
30. pydry ◴[15 Apr 25 07:17 UTC] No.43689894{8}[source]
>Podman doesn't have a dependency on systemd

Just to be clear we're talking about QUADLETS, red hat's recommended way to orchestrate containers.

>Just to be clear, Quadlet is just an integration and you can still run podman without it.

Just to be clear, nobody was unclear about that.

It is, just to be clear, red hat's recommended way to orchestrate podman containers despite having this nasty dependency analogous to the one docker has on a root service.

Hope that helps.

replies(1): >>43691517 #
31. pydry ◴[15 Apr 25 07:20 UTC] No.43689906{6}[source]
yeah thats what i said.

and that particular init process did way more than any init process ever should even before somebody had the bright idea to add "docker compose substitite" to its ever growing list of responsibilities.

you could put a word processor and games in their too if you really wanted. is that a good idea? ill leave that for the reader's judgment.

replies(2): >>43690004 #>>43690583 #
32. ratorx ◴[15 Apr 25 07:27 UTC] No.43689950{4}[source]
> the security aspect

It’s not a systemd-specific thing, but systemd makes it relatively easy to drop privileges (like network in this case), whilst also allowing socket-activated services to be configured easily. You can probably achieve the same thing with inetd + network namespaces (I think this is what systemd uses under the hood)

replies(1): >>43690036 #
33. piaste ◴[15 Apr 25 07:30 UTC] No.43689968{4}[source]
A public facing web server, I doubt it. But for a private one it can make a lot of sense - you are probably only using N services at a time, where N is the number of users.

As for what can be so resource intensive that it's worth to wait for startup time instead of running everything at the same time - a bunch of specialized LLMs is the obvious example. Or maybe you're a hobbyist cramming a hundred services into a tiny computer.

34. pydry ◴[15 Apr 25 07:35 UTC] No.43689997{6}[source]
what else would you like to bundle in the init process? docker compose as well? maybe kubernetes too. a webserver? a word processor perhaps? maybe an email client?
replies(2): >>43691084 #>>43691476 #
35. ratorx ◴[15 Apr 25 07:36 UTC] No.43690004{7}[source]
systemd just provides the feature to use a custom external application to configure a service based on a declarative spec, which podman uses to create actual systemd services from a declarative container spec.

From the podman docs:

> Podman supports building and starting containers (and creating volumes) via systemd by using a systemd generator.

Putting aside all the other issues one may have with systemd, this feels like a decent feature for a service manager to have (custom generation of service specifications).

> bright idea to add “Docker compose substitute”

Why is this so revolutionary? Docker-compose is just a service manager for containers. Systemd is a service manager. Systemd allowing podman to give it “container” features seems pretty reasonable.

36. eriksjolund ◴[15 Apr 25 07:41 UTC] No.43690036{5}[source]
You can use the podman option `--network=none` together with the systemd directive `RestrictAddressFamilies=`

I wrote a demo: https://www.redhat.com/en/blog/podman-systemd-limit-access

Podman will then not have the privilege to pull the container image, but a web server container can still serve the internet with socket activation.

replies(1): >>43690339 #
37. rendaw ◴[15 Apr 25 08:30 UTC] No.43690339{6}[source]
What's the use case for that? Multitenant server web hosting where customers provide containers and you want to lock them down I guess? Mostly SaaS/PaaS?
replies(1): >>43691838 #
38. discardable_dan ◴[15 Apr 25 08:52 UTC] No.43690483[source]
And why are they called quadlets?
39. xienze ◴[15 Apr 25 09:09 UTC] No.43690583{7}[source]
> before somebody had the bright idea to add "docker compose substitite" to its ever growing list of responsibilities.

systemd itself isn’t acting as a docker-compose substitute. Podman simply translates unit files containing docker-esque configuration (image name, volumes, etc.) into plain systemd unit files that contain (among other things) an ExecStart line that starts the container with the proper arguments.

40. robertlagrant ◴[15 Apr 25 10:45 UTC] No.43691084{7}[source]
Podman compose isn't bundled in the init process.
replies(1): >>43692093 #
41. jbverschoor ◴[15 Apr 25 11:03 UTC] No.43691201{4}[source]
On-demand applications. But the it should shut itself down after a while too.

It’s more useful for applications that keep open a connection for a while instead of stateless request/response architecture

42. worewood ◴[15 Apr 25 11:46 UTC] No.43691422{5}[source]
I agree. That documentation really needs some love. But if you see the discussions on github issues about quadlet features a common theme is maintainers dismissing requests because "that shouldn't be done in production" or "that won't scale". It seems they can't wrap their head around people wanting to do simple things or someone doing things by themselves at home and not for work at a big company or corporation, and that reflects on that documentation.

Working for one myself, which does have a support contract wit Red Hat, I kinda get where they're coming from--if they make it easy to shoot yourself in the foot, dumb people shoot themselves in the foot in production and they have to fix the mess later. But for that they could have a sanctioned build for clients and a community build for everybody else, just like they have Fedora and RHEL.

43. coldtea ◴[15 Apr 25 11:54 UTC] No.43691476{7}[source]
>what else would you like to bundle in the init process? docker compose as well?

You can complain that you don't liken systemd's design or that it does too much (very overplayed complaint, but ok).

But that's an orthogonal point to the initial complaint you've made that it's somehow bad that this requires systemd to run.

That complain is moot, since you'd be running systemd anyway, with or without those containers. And it's double moot, because you can run > 1 containers (with podman) without root too.

(It's also wrong that systemd was added container compose capabilities - podman is what translates things to systemd "speak")

replies(1): >>43692037 #
44. coldtea ◴[15 Apr 25 12:00 UTC] No.43691517{9}[source]
>Just to be clear, nobody was unclear about that

Oh, you were quite unclear. Also wrong in saying you need systemd with podman to orchestrate multiple containers without root.

>It is, just to be clear, red hat's recommended way to orchestrate podman containers despite having this nasty dependency analogous to the one docker has on a root service.

It's not "red hat's recommended way to orchestrate podman containers" in general. It's "red hat's recommended way to orchestrate containers on top of systemd", that its whole point.

Nothing nasty about it either, you'd already be running systemd on your redhat system (and many non red-hat ones).

replies(1): >>43696520 #
45. eriksjolund ◴[15 Apr 25 12:36 UTC] No.43691838{7}[source]
I did it out of pure interest, just to explore ways of locking down a web server.
replies(1): >>43692560 #
46. pydry ◴[15 Apr 25 12:59 UTC] No.43692037{8}[source]
>You can complain that you don't liken systemd's design or that it does too much (very overplayed complaint, but ok).

It's not at all orthogonal. Making the "default" way to run > 1 containers together require the init process is fucking stupid.

Similar to how requiring ROOT to run containers was a stupid design decision made by docker.

This decision to make quadlets the "default podman orchestrator" and to double down on it relegates podman from being "a better docker" to just "docker just with different design mistakes".

>That complain is moot, since you'd be running systemd anyway

false. systemd is not the only pid 1 in existence (much as it likes to pretend it is). when you run a container inside a container there also isn't a systemd.

>And it's double moot, because you can run > 1 containers (with podman) without root too.

except there is NO good orchestration system for doing that. podman compose is a steaming pile of shit. quadlets requires systemd which requires root. docker compose requires a root service. you can run podman compose inside a container but not quadlets.

might as well just use docker at this rate.

>That complain is moot

Your comment comprehensively missed my point 3 times. It's triple moot. It would have been better left unmade.

47. pydry ◴[15 Apr 25 13:04 UTC] No.43692093{8}[source]
Yep, but have you used it? It's crap. It implements about half of what docker compose does.

I'd stop complaining about quadlets being a hunk of crap if podman compose were decently maintained.

replies(1): >>43692555 #
48. robertlagrant ◴[15 Apr 25 13:40 UTC] No.43692555{9}[source]
I'm contesting your claim that podman compose is bundled with systemd.
replies(1): >>43694811 #
49. rendaw ◴[15 Apr 25 13:40 UTC] No.43692560{8}[source]
Oh, fair enough! It is very cool, FWIW.
50. guilhas ◴[15 Apr 25 14:27 UTC] No.43693240{4}[source]
That still depends on systemd, the most privileged deamon in many distros

But it is fun to see the marketing 360

replies(1): >>43697800 #
51. pydry ◴[15 Apr 25 16:04 UTC] No.43694811{10}[source]
I never made this claim.
replies(1): >>43702981 #
52. pydry ◴[15 Apr 25 18:15 UTC] No.43696520{10}[source]
>Also wrong in saying you need systemd with podman to orchestrate multiple containers without root

I explicitly said thay it wasnt needed and that there werent other ways just that it was the recommended way.

>It's not "red hat's recommended way to orchestrate podman containers

It is.

53. exceptione ◴[15 Apr 25 20:11 UTC] No.43697800{5}[source]
Cool, so no PID Eins. I have no shares in systemd, so fine. What do you propose?
54. robertlagrant ◴[16 Apr 25 08:35 UTC] No.43702981{11}[source]
So what was this about? What's the thing that the "else" refers to?

> what else would you like to bundle in the init process? docker compose as well? maybe kubernetes too. a webserver? a word processor perhaps? maybe an email client?

55. esseph ◴[18 Apr 25 05:43 UTC] No.43725344{8}[source]
But you don't understand, it also needs an operating system therefore it is vulnerable, because things on it run as root! /s