1101 points codesmash | 4 comments
miki123211 No.45139800
I've been dealing with setting up Podman for work over the last week or so, and I wouldn't wish that on my worst enemy.

If you use rootless Podman on a Redhat-derived distribution (which means Selinux), along with a non-root user in your container itself, you're in for a world of pain.

1. prmoustache No.45140035
How so? I have been using exclusively podman on Fedora for the most part of the last 7 years or so.
2. goku12 No.45140335
That surprises me too. Podman is spearheaded by Redhat and Fedora/RHEL was one of the earliest distros to adopt it and phase out docker. Why wouldn't they have the selinux config figured out?
3. znpy No.45140721
They have.

Most likely gp is having issues with volumes and hasn’t figured out how to mix the :z and :Z attribute to bind mounts. Or the containers are trying to do something that security-wise is a big no-no.

In my experience SELinux defaults have been much wiser than me and every time I had issues I ended up learning a better way to do what I wanted to do.

Other than that… it essentially just works.

4. zelphirkalt No.45147689
I personally like the verbose notation for docker volumes in docker compose files, where source and target are separate attributes in the YAML file. Not all munged into one long string, and unable to specify the type of mount explicitly. But that notation does not support stating the :z or :Z. I am running a Debian most of the time to develop and had no issue with the docker bind mounts, but on Fedora Selinux messed things up and I would get strange permission denied errors in the container for bind mounted config files. So I would have to change my docker compose file just for Fedora and Selinux. I think I even tried it with one of z: or Z:, but still Selinux interfered. At some point I had the choice of burning many more hours into configuring Selinux, disable Selinux, or reinstall docker as root. Since the Fedora OS is merely a VM, I chose to install Docker as root.

My point is: If figuring things out with podman is similar to my experience, I understand why people don't want to do that. Do they have a definitive page dedicated to setting up Selinux for podman, that is well maintained and guaranteed to solve all Selinux issues, and allows me to use bind mounts with readonly permission?