
180 points teleforce | 10 comments
orthoxerox No.43685880
What is the killer feature that will make me want to switch from Docker Compose to Podman Quadlets?
eriksjolund No.43685992
Podman quadlet supports "Socket activation of containers" https://github.com/containers/podman/blob/main/docs/tutorial... This allows you to run a network server with `Network=none` (--network=none). If the server were compromised, the intruder would not have the privileges to use the compromised server as a spam bot. There are other advantages, such as support for a preserved source IP address and better performance when running a container with rootless Podman + Pasta in a custom network.
1. anonfordays No.43687533
What's old is new again. That's effectively how inetd worked circa 1986. The inetd daemon had some serious security vulnerabilities, so the world moved away from using "socket activated daemons" to having always-listening services (for performance reasons as well).
2. thwarted No.43688098
inetd supported "socket activation" using the "wait" directive: inetd would listen on the socket and, when there was activity, hand off the listening socket as fd 0. The server would then need to call accept, and could continue to call accept for new connections, or exit when all clients were handled, and inetd would respawn it when there was a new pending connection on the listening socket.
3. rendaw No.43689460
I never understood the use case for socket activation - is someone really running a web server with mixed workloads: long periods with no network traffic where you'd rather prioritize something else, and a web server that's so resource intensive when not handling events that it makes sense to stop it? Maybe desktop computers?

The security aspect is something new to me and I'm not sure if that applies to inetd/systemd socket services or if it's specifically a container thing.

Does anyone have more info on use cases for this?

4. ratorx No.43689950
> the security aspect

It’s not a systemd-specific thing, but systemd makes it relatively easy to drop privileges (like network in this case), whilst also allowing socket-activated services to be configured easily. You can probably achieve the same thing with inetd + network namespaces (I think this is what systemd uses under the hood)

5. piaste No.43689968
A public facing web server, I doubt it. But for a private one it can make a lot of sense - you are probably only using N services at a time, where N is the number of users.

As for what can be so resource intensive that it's worth waiting for startup time instead of running everything at the same time - a bunch of specialized LLMs is the obvious example. Or maybe you're a hobbyist cramming a hundred services into a tiny computer.

6. eriksjolund No.43690036
You can use the podman option `--network=none` together with the systemd directive `RestrictAddressFamilies=`.

I wrote a demo: https://www.redhat.com/en/blog/podman-systemd-limit-access

Podman will then not have the privilege to pull the container image, but a web server container can still serve the internet with socket activation.

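A minimal version of the setup eriksjolund describes, written here as an added illustration rather than code from the thread or from the linked demo: a rootless Quadlet `.container` file with `Network=none`, paired with a `.socket` unit on which systemd listens and whose fd podman hands to the container. Unit names, the port, the image name and the exact address-family list are assumptions; the image must already be present locally, because a service restricted this way cannot pull it.

```ini
# ~/.config/systemd/user/web.socket  (assumed name; systemd owns the listening socket)
[Unit]
Description=Listening socket for the web container

[Socket]
# Port chosen for this example. systemd binds here and passes the
# listening fd to podman, which passes it on into the container.
ListenStream=0.0.0.0:8080

[Install]
WantedBy=sockets.target

# ~/.config/containers/systemd/web.container  (Quadlet generates web.service)
[Unit]
Description=Socket-activated web server with no network access of its own
Requires=web.socket
After=web.socket

[Container]
# Placeholder image: pull it beforehand ("podman pull ..."), since the
# restricted service below is not able to open network sockets itself.
Image=localhost/example-web:latest
# No interfaces inside the container; the only path to the outside
# world is the inherited listening socket.
Network=none

[Service]
# RestrictAddressFamilies= filters the socket() syscall, so the already
# open, inherited AF_INET listening fd keeps working (accept() is fine),
# but neither podman nor a compromised server can create new AF_INET
# sockets for outbound connections. AF_NETLINK is an assumption for
# rootless loopback setup; drop it if your setup runs without it.
RestrictAddressFamilies=AF_UNIX AF_NETLINK

# No [Install] section on purpose: the service is started by web.socket
# on the first connection, not at login.
```

Activate with `systemctl --user daemon-reload` followed by `systemctl --user enable --now web.socket`; the container is only started when the first client connects.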
7. rendaw No.43690339
What's the use case for that? Multitenant server web hosting where customers provide containers and you want to lock them down I guess? Mostly SaaS/PaaS?
8. jbverschoor No.43691201
On-demand applications. But then it should shut itself down after a while too.

It’s more useful for applications that keep open a connection for a while instead of stateless request/response architecture

9. eriksjolund No.43691838
I did it out of pure interest, just to explore ways of locking down a web server.
10. rendaw No.43692560
Oh, fair enough! It is very cool, FWIW.