I am moving from docker to podman and selinux because I thought that podman is more secure and hence, the future. I thought the transition will be somewhat seamless. I even prepaired containers but once I migrated I still ran into issues.
minor issue: it's podman-compose instead of podman compose. The hyphen feels like a step back because we moved from docker-compose to docker compose. But thT's not a real issue.
podman does not autostart containers after boot. You have to manually start them, or write a start script. Or create a systemd unit for each of them.
Spinning up fresh services works most of the time but using old services that worked great with docker are a pain. I am wasting minutes after minutes because I struggle with permissions and other weird issues.
podman can't use lower number ports such that you have to map the ports outside of the machine and forward them properly.
Documentation and tutorials are "all" for docker. Github issues are "all" for docker. There isn't a lot of information floating around.
I'm still not done and I really wonder why I should move forward and not go back to docker. Painful experience so far. https://linuxhandbook.com/docker-vs-podman/ and following pages helped me a lot to get rid of my frustration with podman.
Writing systemd services for your containers is something yoully have to get used to with podman, pretty much. It's actually very easy with the built in command "podman generate systemd", so you can just do something like " podman generate systemd --name my-container > /etc/systemd/system". I much prefer managing my containers with systemd over the docker daemon. It's nice!
Also, podman can use privileged ports as root, right?
podman does not autostart containers after boot. You have to manually start them, or write a start script. Or create a systemd unit for each of them.
I have not yet tried podman, but I know that
podman-compose
used to have an option to generate systemd units for your pods: https://docs.podman.io/en/latest/markdown/podman-generate-systemd.1.htmlStill, that option has been deprecated in favour of Podman Quadlet https://docs.podman.io/en/latest/markdown/podman-systemd.unit.5.html
minor issue: it’s podman-compose instead of podman compose. The hyphen feels like a step back because we moved from docker-compose to docker compose. But thT’s not a real issue.
podman does not autostart containers after boot. You have to manually start them, or write a start script. Or create a systemd unit for each of them.
I'm also currently migrating all of my self-hosted services from docker to podman. Look into using Quadlet and systemd rather than podman-compose: https://www.redhat.com/sysadmin/quadlet-podman
Your Quadlet
.container
files will end up looking very similar to your docker compose files. Podman will automatically generate a systemd service unit for you if you drop the.container
file in your user systemd unit directory ($HOME/.config/containers/systemd/) and runsystemctl --user daemon-reload
. Then starting the container on boot is as simple assystemctl --user enable --now containername.service
.This will not solve your rootful vs. rootless issues, as others have pointed out, but Quadlet/systemd is nice replacement for the service/container management layer instead of docker-compose/podman-compose
For the low-port issue, maybe try something like how K8S tends to handle it:
- One container that is either rootful or allowed to use low ports. Run a reverse proxy like HAProxy or Envoy in this.
- All other containers for services, run on high ports, pointing to them in the reverse proxy container's config.
- Don't use bare http, unless required. Getting valid TLS certs is dead easy and free with LetsEncrypt.
Yeah, podman's networking approach sent me back to docker as well. I have a bunch of services that don't even expose their ports to the local network, they just connect to each other, and only the reverse proxy is exposed. Switching to podman would require me to reconfigure all my port mappings to make sure there aren't any conflicts, and then update all the references. It's not a ton of work, but enough to keep me on docker for the time being.
edit: It looks like podman's networking stack has changed since I used it, so this is almost certainly wrong now
Is there a difference between networking approaches?
With rootful podman containers the only difference I noticed is that bridge networks aren't isolated by default.
Why would you need to reconfigure the port mappings?
Tbh it's possible I messed something up, iirc the bridge network I was using wouldn't work, and it seemed like it would only work in host mode, hence the belief that I needed to remap things. This was over a year ago, and tbh I didn't try very hard to make it work.