
1101 points codesmash | 2 comments
1. BinaryIgor No.45140771
I certainly like daemon-less architecture; much simpler, and there are fewer potential security issues and no single point of failure.

The one thing I don't necessarily agree with:

"Privileged ports in rootless mode not working? Good! That's security working as intended. A reverse proxy setup is a better architecture anyway."

I usually use Nginx as a reverse proxy - why not have it set up in the exact same way as the rest of your apps? That's a simplicity advantage. So with Podman, I would just run this one exact container in root mode - that's still better than all of them, but quite.

I am not a fan of docker-compose - a classic example of a tool trying to do too much for me, so the lack of something similar in Podman is not a drawback for me :)

Not sure about tooling around logs and monitoring though - there is plenty for Docker.

replies(1): >>45151386
2. chuckadams No.45151386
Allowing binding to a privileged port should be as simple as adding CAP_NET_BIND_SERVICE to the process, most likely in a systemd unit file or something. I still suggest using a reverse proxy like nginx or traefik, so add the capability to those. There's no reason for the proxy to run as root.
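The systemd approach mentioned above, as an added example that is not from the thread or from any project's own unit files: a system-level unit that runs nginx directly as an unprivileged user and grants it only CAP_NET_BIND_SERVICE so it can bind ports 80 and 443. It assumes nginx is installed at /usr/sbin/nginx, a dedicated "nginx" user and group exist, and nginx.conf points pid, log and cache paths at locations that user can write (the ReadWritePaths list below is a placeholder to adjust).

```ini
# Added example (not from the thread): run the reverse proxy as a normal user,
# holding exactly one capability instead of full root.
# Assumptions: /usr/sbin/nginx exists, user/group "nginx" exist, and nginx.conf
# uses pid/log/cache paths under the ReadWritePaths listed below.
[Unit]
Description=nginx reverse proxy (unprivileged, CAP_NET_BIND_SERVICE only)
After=network.target

[Service]
Type=simple
User=nginx
Group=nginx
# Keep the master process in the foreground so systemd supervises it directly.
ExecStart=/usr/sbin/nginx -g 'daemon off;'
ExecReload=/bin/kill -HUP $MAINPID

# Grant the single capability needed to bind ports below 1024 ...
AmbientCapabilities=CAP_NET_BIND_SERVICE
# ... and make it the only capability the service can ever hold.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
# Block gaining further privilege through setuid binaries after start.
NoNewPrivileges=true

# Optional hardening, independent of the capability grant.
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
# Placeholder paths nginx must write; match them to nginx.conf.
ReadWritePaths=/var/log/nginx /var/cache/nginx /run/nginx

[Install]
WantedBy=multi-user.target
```

After `systemctl daemon-reload && systemctl start nginx`, confirm the grant took effect with `systemctl show nginx -p AmbientCapabilities -p CapabilityBoundingSet` and check the running process with `getpcaps $(systemctl show nginx -p MainPID --value)`, which should list only cap_net_bind_service.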