I’m very new to the land of Docker, and well behind those in the group who are working with Ansible and Kubernetes.
I’ve spent a bit of time at the workbench today, and for the PXE Boot wrap up, I installed Docker and followed the bouncing ball to get netboot.xyz running. I subsequently did a Debian 13 netinst on some other hardware, booting from the shiny new PXE setup, and started working on another project (not documented on this Discourse). For this second set of hardware, I opted for podman and podman-docker (my understanding of the latter is that it essentially symlinks stuff so things expecting Docker binaries work). No particular reason why - I just wanted to see if it was going to work and to try something different.
I understand that they’re both running OCI containers, and podman uses the same syntax (even more so with podman-docker installed).
I can see some discussion online about slightly different architecture, and podman being rootless, but that there’s also a way to run docker rootless as well. From the perspective of “homelabber wanting to pull a container off the internet and use it”, why would I pick one over the other? I see lots of discussion about Docker but not so much about podman. What’s the consensus from the HLB brains trust?
(P.S., sorry if I’ve just ignited a Ford vs. Holden type debate without realising it).
The biggest issue wrt ‘Docker Security’ is actually that any user who has ‘docker’ capability effectively has root access to your host. Basically you can bind mount / (or maybe /etc/sudoers) into a container and then do whatever you want.
From an infrastructure-hosting perspective there’s really no reason to prefer one over the other. I still use a lot of Docker because the ‘docker socket’ can be very useful for stuff like traefik where you can read labels off containers and configure the reverse proxy. I love it, and the Podman support wasn’t quite there last time I checked (though they were working on it!).
At the end of the day, pretty much all of your containerisation contenders can use the OCI image format to run up a container (apptainer, docker, lxc, podman) and use the same kernel technologies to provide the isolation. Pick whatever sparks the most joy for you, or what you think is most suitable for your use case, unless that use case is ‘let random users run containers’ in which case consider any non-docker alternative.
Laziness is what keeps bringing me back to Docker.
Docker was “first to market” with what is in my humble opinion a rip off of BSD jails. The key issue as I understand it is that UID 0 inside the container is UID 0 on the host too, so if you’re able to create a container and, as @Kangie explained, mount / inside the container, you can start fiddling with /etc/passwd, etc.
Podman addresses this with remapping UIDs, which is where I get frustrated. One day I’ll play with it enough to get comfortable, but I usually get tangled up with permissions and go back to Docker because I can get a quicker result.
I think that Podman remaps UID 0 on the host to UID 1000 inside the container, something like that. I know that the last time I played with podman I felt like I got a better result with adding :x to the end of bind mounts…
docker run -blah -blah -ti --rm -v /outside/blah:/inside:blah:x alpine:latest sh
I think that :x applies that UID switcheroo.
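The "UID 0 inside is UID 0 outside" point raised above (and the remapping podman does instead) can be checked on a live host by reading a container process's /proc/<pid>/uid_map. The script below is an added example, not code from anyone in this thread; the two sample maps are constructed and assume the usual rootless podman layout, where container UID 0 maps to the invoking user's host UID and UIDs 1 and up map to that user's subuid range.

```shell
#!/bin/sh
# Added example: translate a UID inside a container to the host UID using the
# kernel's uid_map format ("<inside-start> <outside-start> <count>" per line).
# On a live system: host_uid_for "$(cat /proc/<container-pid>/uid_map)" 0

# Print the host UID that <inside_uid> maps to, or "unmapped" if no range covers it.
host_uid_for() {
    map="$1"; inside="$2"
    printf '%s\n' "$map" | awk -v want="$inside" '
        NF == 3 && want >= $1 && want < $1 + $3 { print $2 + (want - $1); found = 1; exit }
        END { if (!found) print "unmapped" }'
}

# Classify a uid_map: "host-root" if container UID 0 is host UID 0 (the rootful
# Docker default discussed above), "remapped" if it lands on an unprivileged host UID.
classify_uid_map() {
    case "$(host_uid_for "$1" 0)" in
        0) echo "host-root" ;;
        unmapped) echo "unmapped" ;;
        *) echo "remapped" ;;
    esac
}

# Constructed sample maps, in the shape /proc/<pid>/uid_map usually has.
# Rootful Docker: identity map of the whole UID space, so root is host root.
DOCKER_MAP="         0          0 4294967295"
# Rootless podman run by host user 1000 with a subuid range starting at 100000:
# container UID 0 -> host 1000, container UIDs 1..65536 -> host 100000 and up.
PODMAN_MAP="         0       1000          1
         1     100000      65536"

if [ "${1:-}" = "--demo" ]; then
    echo "docker: $(classify_uid_map "$DOCKER_MAP") (container root -> host uid $(host_uid_for "$DOCKER_MAP" 0))"
    echo "podman: $(classify_uid_map "$PODMAN_MAP") (container root -> host uid $(host_uid_for "$PODMAN_MAP" 0))"
fi
```

Run it with --demo to see both classifications; a "host-root" result for a container that untrusted users can create is exactly the bind-mount-/ problem described earlier in the thread.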
Should we do “getting started with containers” talks this month?
Almost immediately after I posted my original post I ran into a few weird issues that seemed to be permission related, and spent a little time trying to work through them (issues accessing /run?). I faffed about for a while and think I was bumping into a root vs. rootless issue using podman, because it seemed as if the particular container I was trying to run was also creating other containers, either via Docker-in-Docker or directly on the host. No idea, and it probably doesn’t matter all that much. I started again using Docker rather than podman, and everything just worked.
Yes, please. I’m in the “I don’t know what I don’t know” camp!