1101 points codesmash | 5 comments
miki123211 ◴[] No.45139800[source]
I've been dealing with setting up Podman for work over the last week or so, and I wouldn't wish that on my worst enemy.

If you use rootless Podman on a Redhat-derived distribution (which means Selinux), along with a non-root user in your container itself, you're in for a world of pain.

replies(13): >>45139949 #>>45139952 #>>45140035 #>>45140041 #>>45140112 #>>45140315 #>>45140558 #>>45140561 #>>45140736 #>>45140993 #>>45141204 #>>45141405 #>>45142506 #
1. ThatMedicIsASpy ◴[] No.45141405[source]
SELinux has good errors and all I usually need is :z and :Z on mounts
replies(1): >>45141515 #
2. gm678 ◴[] No.45141515[source]
Can confirm, have been doing exactly what GP says is a world of pain with no problems as soon as I learned what `:z` and `:Z` do and why they might be needed.

A good reference answer: https://unix.stackexchange.com/questions/651198/podman-volum...

TL;DR: lowercase if a file from the host is shared with a container or a volume is shared between multiple containers. Uppercase in the same scenario if you want the container to take an exclusive lock on the volumes/files (very unlikely).

replies(1): >>45147704 #
3. zelphirkalt ◴[] No.45147704[source]
How do I make it :ro then? For example, it is good practice to mount config files as read-only. But if I have to use :z, I think I cannot use :ro?
replies(1): >>45147887 #
4. gausswho ◴[] No.45147887{3}[source]
:ro,z
replies(1): >>45147945 #
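A small pre-flight checker for the mount-option combinations this sub-thread covers (`:z` versus `:Z`, and `:ro,z` for config files), added here as an example; it is not code from any poster and is not part of Podman. It assumes only what the thread states about the three options: `z` is the shared SELinux relabel, `Z` is the exclusive one, `ro` combines with either as `ro,z` / `ro,Z`, and `z`/`Z` are mutually exclusive. The return-code convention (0 ok, 1 reject, 2 warn) and the sample specs at the bottom are constructed for the illustration.

```shell
#!/bin/sh
# Validate one "-v HOST:CONTAINER[:OPTIONS]" volume spec before it reaches
# `podman run`. Semantics assumed (from the thread, not from Podman's source):
#   z  -> shared SELinux relabel (host file shared with a container, or a
#         volume shared between containers)
#   Z  -> private SELinux relabel (one container takes exclusive ownership)
#   ro -> read-only bind mount (the sensible default for config files)
# Exit status: 0 = ok, 1 = reject (do not run), 2 = accepted with a warning.
check_volume_spec() {
    spec=$1
    host=$(printf '%s' "$spec" | cut -d: -f1)
    ctr=$(printf '%s' "$spec" | cut -d: -f2)
    opts=$(printf '%s' "$spec" | cut -d: -f3)
    nfields=$(printf '%s' "$spec" | awk -F: '{ print NF }')
    nfields=${nfields:-0}
    if [ "$nfields" -lt 2 ] || [ "$nfields" -gt 3 ] || [ -z "$host" ] || [ -z "$ctr" ]; then
        echo "reject: malformed spec '$spec' (expected HOST:CONTAINER[:OPTIONS])"
        return 1
    fi

    has_z=0; has_Z=0; has_ro=0
    # Walk the comma-separated option list; anything we do not know is rejected
    # rather than silently passed through to the runtime.
    old_ifs=$IFS; IFS=,
    for o in $opts; do
        case "$o" in
            z)  has_z=1 ;;
            Z)  has_Z=1 ;;
            ro) has_ro=1 ;;
            rw) ;;
            *)  IFS=$old_ifs
                echo "reject: unknown option '$o' in '$spec'"
                return 1 ;;
        esac
    done
    IFS=$old_ifs

    if [ "$has_z" -eq 1 ] && [ "$has_Z" -eq 1 ]; then
        echo "reject: ':z' and ':Z' are mutually exclusive in '$spec'"
        return 1
    fi
    if [ "$has_Z" -eq 1 ]; then
        echo "warn: ':Z' relabels '$host' for exclusive use by one container; ':z' is the usual choice"
        return 2
    fi
    if [ "$has_z" -eq 0 ]; then
        echo "warn: '$host' has no SELinux relabel option; on an enforcing host the container will likely get permission denied"
        return 2
    fi
    if [ "$has_ro" -eq 0 ]; then
        echo "warn: '$host' is mounted read-write; config files are normally mounted ':ro,z'"
        return 2
    fi
    echo "ok: $spec"
    return 0
}

# Constructed sample specs: the first is the ':ro,z' form recommended above,
# the rest exercise the warning and rejection paths.
for s in ./app.conf:/etc/app/app.conf:ro,z \
         /srv/data:/data:z \
         /srv/data:/data:ro \
         /srv/data:/data:z,Z \
         /srv/data; do
    check_volume_spec "$s" || true
done
```

Run a spec through `check_volume_spec` (or pipe your compose-style volume list into it) before invoking `podman run`; a non-zero status from the reject path is what you want a deployment script to stop on, while the warn path is there to catch the common case of forgetting `ro` on a config file.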
5. zelphirkalt ◴[] No.45147945{4}[source]
Ah, I never knew this is possible. Thank you!