(podman-desktop.io)

180 points teleforce | 1 comments | 14 Apr 25 17:16 UTC | HN request time: 0.203s | source

Show context

orthoxerox ◴[14 Apr 25 20:20 UTC] No.43685880[source]▶

What is the killer feature that will make me want to switch from Docker Compose to Podman Quadlets?

replies(7): >>43685989 #>>43685992 #>>43686728 #>>43687129 #>>43687706 #>>43688911 #>>43690483 #

eriksjolund ◴[14 Apr 25 20:32 UTC] No.43685992[source]▶

Podman quadlet supports "Socket activation of containers" https://github.com/containers/podman/blob/main/docs/tutorial... This allows you to run a network server with `Network=none` (--network=none). If the server would be compromised, the intruder would not have the privileges to use the compromised server as a spam bot. There are other advantages, such as support for preserved source IP address and better performance when running a container with rootless Podman + Pasta in a custom network.

replies(2): >>43687323 #>>43687533 #

anonfordays ◴[14 Apr 25 23:49 UTC] No.43687533[source]▶

>>43685992 #

What's old is new again. That's effectively how inetd worked circa 1986. The inetd daemon had some serious security vulnerabilities so the world move away from using "socket activated daemons" to having always listening services (performance reasons as well).

replies(2): >>43688098 #>>43689460 #

1. thwarted ◴[15 Apr 25 01:23 UTC] No.43688098[source]▶

>>43687533 #

inetd supported "socket activation" using the "wait" directive, where inetd would listen on the socket and then hand off the listening socket when there was activity as fd 0 where the server would need to call accept, and could continue to call accept for new connections, or exit when all clients were handled, and inetd would respawn when there was new pending connection on the listening socket.

↑

Podman Quadlets with Podman Desktop