Dependencies within unrelated projects (ie, sharing a single database container for a few unrelated apps) is something that would be pretty handy, and is missing from compose.
Auto-updates are cool - but also dangerous… I think there’s something in running watchtower manually like I have been - when something breaks straight after, I know the cause.
Couldn’t you just create a compose file for a database separately?
I don’t really understand what you’re suggesting. Having a seperate compose file for your database would “work”, but you’d lack any of the dependency handling.
Oh, well that’s simple…
Any time I always read how to accomplish something in podman-land , the action takes like 5 extra steps compared to docker, is probably an experimental feature that’s not supported and is always from a non-official source or some random blog.
I use podman because it’s more secure. I’m willing to put in the extra effort so that all my services aren’t running as root. If it turns out a vulnerability is discovered in lemmy tomorrow that allows people to access my server through my lemmy container, the attacker will only have access to a dummy account that hosts my containers. Yes, they could stop all my containers, but they can’t delete the volumes or any other data on my server.
Podman might have a “more secure” design but you can run the docker daemon as rootless. Podman itself is not immune to vulnerabilities and will not solve all your security problems.
Don’t let perfection be the enemy of good. Security is not all or nothing. Reducing the attack surface is still important.
Can you elaborate on running docker daemon as rootless? It’s my understanding that you can add your account to a group to access the docker daemon rootless, but the containers are still running as root, as the daemon itself raises the access to root.
Not sure relying on podman alone as a security tool might be advisable. Podman is a container technology first, security is not the main goal.
Read more about rootless docker here.
I never said I was relying on it alone. Not sure why you think that.
That’s a great link. Thank you for sharing. It’s good that docker supports this functionality now.
I never said I was relying on it alone. Not sure why you think that.
…
…all my services aren’t running as root.
If it turns out a vulnerability is discovered in lemmy tomorrow that allows people to access my server through my lemmy container, the attacker will only have access to a dummy account that hosts my containers.
This was your argument according to you for why you think podman is more secure (than docker I presume). Seemed to imply rootless podman will save you from an attacker. I was simply disproving the flawed notion.
I think you’re interpreting too much. Security is about layers and making it harder for attackers, and that’s exactly what using a non-root user does.
In that scenario, the attacker needs to find and exploit another vulnerability to gain root access, which takes time - time which the attacker might not be willing to spend and time which you can use to respond.
Honestly, this is kinda making me wanna redeploy a couple app stacks I have on a VPS. Hmm.
Interesting. But what If I’m not using CoreOS? Also RedHat fucked up by using YAML for configuration.
What is wrong with YAML for configuration? It is much more easy to read then say json.
There is some surprising behavior with some of the features of yaml, mostly arising from the fact that it looks nice to read. Here’s a list of things that you can avoid to avoid a lot of the pitfalls: https://hitchdev.com/strictyaml/why/ . I haven’t actually used strictyaml, but the arguments it presents are pretty solid and some are things I’ve run into in real environments
JSON was never meant for configuration.
YAML has a ton of footguns.
YAML is way too bloated of a standard and has a ton of inconsistencies between implementations, despite the widespread reputation of simplicity. It is easy to read as long as you limit yourself to a fraction of its capabilities and err on the side of caution when it comes to escaping characters (especially when number literals are involved, or booleans for that matter). As far as alternatives go, I prefer TOML for simple key=value configs, but it has its own issued and is nowhere near as featureful, for better or worse.
If you’re just reading configs then yeah, it’s superior. If you’re maintaining big complex configurations, possibly for multiple machines, you need something to reduce boilerplate. Jsonnet, nickel or nix are excellent here. So the best way is to use one of those, generate yaml, and deploy. Saves you a lot of headaches but it’s one more moving thing in your pipeline which can break.
what if I’m not using CoreOS?
Podman runs on any distro (or more strictly: any distro that uses systemd). It’s essentially a FOSS alternative to Docker.
…except I can run Docker anywhere. It’s not tied to systemd. These quadlets seem like a very systemd-specific thing. Which is great if you’re building everything around systemd but it’s a niche.
systemd [is] a niche
Maybe in the wider world of all the operating systems installed on all the computers, but for Linux-based computing it is, like it or not, near ubiquitous these days. And in particular for server systems (and this is, after all, /m/selfhosted), good luck finding something that isn’t systemd-based unless you’re deliberately choosing a BSD or aiming for a system which has ever-decreasing amounts of support available.
This being selfhosted is exactly the reason I would’ve expected people to be aware there’s more variety out there. systemd is not as ubiquitous as you make it sound.
Secondly, tying your containerization solution into your init system is a spectacularly bad idea. You could already tie containers into systemd units, quadlets just make it easier; but the best practice advice is to not do it at all. You have a restart policy built into docker/podman for a reason. Let the init system deal with podman/docker itself, and let podman/docker manage their containers.
Third, the article title is misleading; if anything it should say quadlets made them give up podman-compose, not docker-compose. There’s no reason to reference docker in this article — unless you’re doing it for the views.
It’s built into Podman 4.x, so you can easily install it on any distro (with Systemd).