←back to thread

I ditched Docker for Podman

(codesmash.dev)
1101 points codesmash | 3 comments | 05 Sep 25 11:56 UTC | HN request time: 0.733s | source
Show context
miki123211 ◴[05 Sep 25 15:37 UTC] No.45139800[source]
I've been dealing with setting up Podman for work over the last week or so, and I wouldn't wish that on my worst enemy.

If you use rootless Podman on a Redhat-derived distribution (which means Selinux), along with a non-root user in your container itself, you're in for a world of pain.

replies(13): >>45139949 #>>45139952 #>>45140035 #>>45140041 #>>45140112 #>>45140315 #>>45140558 #>>45140561 #>>45140736 #>>45140993 #>>45141204 #>>45141405 #>>45142506 #
thyristan ◴[05 Sep 25 16:21 UTC] No.45140315[source]
Yes, but the reason for that pain is SElinux. The first, second and third law of RedHat sysadmin work is "disable SElinux".
replies(1): >>45141180 #
1. preisschild ◴[05 Sep 25 17:31 UTC] No.45141180[source]
> The first, second and third law of RedHat sysadmin work is "disable SElinux".

Must not be a good sysadmin then. SELinux improves the security and software like podman can be relatively easily be made to work with it.

I use podman on my Fedora Workstation with selinux set to enforce without issues

replies(1): >>45147732 #
2. zelphirkalt ◴[06 Sep 25 09:03 UTC] No.45147732[source]
And now comes the part, where you link your guide how you set it up, please! I would like to try exactly that setup and OS. Have a Fedora VM here where I recently struggled with docker and Selinux.
replies(1): >>45151739 #
3. thyristan ◴[06 Sep 25 18:32 UTC] No.45151739[source]
Docker != podman. Entirely different.

With podman, RedHat made an effort to make SElinux work. With Docker, as third-party-software, no proper SElinux config was ever written. With Docker, there is no hope at all that you'd get SElinux to work.

With podman, there is hope, as long as all your containers and usecases are simple, "well-behaved" and preferrably also RedHat-based and SElinux-aware. In the easy cases, podman + SElinux will just work. But unfortunately, containers are the means to get crappy software running, where the developers were too lazy to do proper packaging/installation/configuration/integration. So most cases are not easy and will not work with SElinux, if you don't have infinite time to write your own config...