1101 points codesmash | 6 comments
1. Hizonner No.45138382
I don't know how podman compares to docker in terms of performance, and I do know that rootless containers can be a real pain.

But Docker is simply a non-starter. It's based on a highly privileged daemon with an enormous, hyper-complicated attack surface. It's a fundamentally bad architecture, and as far as I've been able to tell, it also comes from a project that's always shown an "Aw, shucks" attitude toward security. Nobody should be installing that anywhere, not even if there weren't an alternative.

replies(3): >>45138412 >>45141417 >>45151417
2. matesz No.45138412
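Hizonner's complaint above is that whatever can talk to the Docker daemon inherits the daemon's privilege, so the practical question for a host owner is who can reach that socket. The following POSIX shell audit is an added example, not code from this thread, from Docker or from Podman. It assumes GNU `stat` (with a BSD `stat` fallback), the real `podman info` template field `{{.Host.Security.Rootless}}`, and, in the usage below, a constructed group file rather than the host's `/etc/group`.

```shell
#!/bin/sh
# Added example for this thread; not code from the thread, Docker or Podman.
# Checks how the container runtime's privilege is exposed on a host:
#   socket_exposure PATH        who may write to a daemon socket (writing to the
#                               dockerd socket is equivalent to root on the host)
#   group_members NAME [FILE]   users listed for a group in /etc/group (the
#                               group that owns a group-writable socket)
#   audit_host [SOCKET]         ties the checks together and asks podman whether
#                               it runs rootless
# Assumptions: GNU stat (BSD stat as fallback) and the Podman field named above.

socket_exposure() {
  path=$1
  if [ ! -e "$path" ]; then
    echo "missing"
    return 0
  fi
  # Permission bits as octal digits, e.g. 660 (no leading zero from GNU stat).
  mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
  other=$(( mode % 10 ))
  group=$(( (mode / 10) % 10 ))
  if [ $(( other & 2 )) -ne 0 ]; then
    echo "world-writable"
  elif [ $(( group & 2 )) -ne 0 ]; then
    echo "group-writable"
  else
    echo "owner-only"
  fi
}

# Supplementary members only; users whose primary gid is this group are not
# listed in /etc/group and would need a pass over /etc/passwd as well.
group_members() {
  awk -F: -v g="$1" '$1 == g { print $4 }' "${2:-/etc/group}"
}

audit_host() {
  sock=${1:-/var/run/docker.sock}
  exposure=$(socket_exposure "$sock")
  printf '%s: %s\n' "$sock" "$exposure"
  if [ "$exposure" = "group-writable" ]; then
    # Every member of this group can drive the daemon, i.e. has root on the host.
    grp=$(stat -c '%G' "$sock" 2>/dev/null || stat -f '%Sg' "$sock")
    printf '  group %s can reach the daemon; members: %s\n' "$grp" "$(group_members "$grp")"
  fi
  if command -v podman >/dev/null 2>&1; then
    flag=$(podman info --format '{{.Host.Security.Rootless}}' 2>/dev/null || echo unknown)
    printf 'podman rootless: %s (invoked as uid %s)\n' "$flag" "$(id -u)"
  fi
}

# Run the audit only when invoked directly: sh audit.sh --audit [socket path]
if [ "${1:-}" = "--audit" ]; then
  audit_host "${2:-}"
fi
```

Run it with `sh audit.sh --audit` on a host; on a typical Docker install the socket reports `group-writable` and the listed `docker` group members are the accounts that are effectively root, which is the exposure the post is objecting to. A rootless Podman user sees no such socket and `podman rootless: true`.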
Rootless containers are a pain but only on mac, otherwise it’s just pure upside.
3. causal No.45141417
I generally find rootless pretty easy, it's just annoying that it's an additional few steps. Feels like an afterthought when it should be the default.
replies(1): >>45147163
4. phito No.45147163
It's easy in theory. I'd say about 30% of my containers require root and just wouldn't work on Podman.
replies(1): >>45154389
5. sroerick No.45151417
I could not agree more with this, and I am baffled by most of the tech scene's complete ignorance of security in this regard.
6. Hizonner No.45154389
You can run containers as root under Podman. You just don't have to.