A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.
Resources:
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
One of the main advantage of podman is that, it respects the firewall rules. Docker don't do that. Also having rootless podman means if somehow the container went rogue, it cannot have access to your root directory and perform malicious actions.
Also podman is a drop in replacement for docker. It does not need much configurations to setup. If you need compose, you might need to install podman-compose as well.
How would a rogue container be able to access the root directory of the host? Wouldn't it just be able to access the data on the docker volumes? Thank you.
In an ideal world, sure, but all software has bugs (example vulnerabilities here). Proper security design doesn't ask "how can X happen?" but "what if X happens?" If you break out of a docker container, you have root access to the system because the docker daemon runs as root.
With podman, there is no root docker daemon, so you'd also need privilege escalation in addition to breaking out of the container.
~~With root permission you can do chroot.~~
Edit, I did some digging and found that its not the normal files that they can access but can modify kernel parameters and can mount devices and access their files etc. If you want to learn more check https://stackoverflow.com/questions/36425230/privileged-containers-and-capabilities
Can you provide the required arguments for chroot? I've just opened the bash shell of a running container (docker exec -it mycontainer bash) and tried to "break out" using "chroot /". I can't access any files of the host.
I always hear podman is a drop in replacement, but every time I try most of my stack doesn't work. Permissions seem to be the issue most of the times, even when I create new volumes. I will try again in a few years probably, but I'm not holding my breath
Look into podman quadlets. Its containers as systemd services, and its excellent. They run as root by default, but can be run at a user level pretty easily. Ive had no permissions issues as long as you define the user/group in the config and ensure they habe the correct rights to the required folders.
It does take translation from docker compose files, but it's entirely doable. Most of the environmental variables translate straight across.
You need to add :Z to the end of your volume lines, or lowercase z for shared volumes.
I'm running 50+ containers, probably most of the popular ones, and all working fine.
You made me try again, and I again failed. For example, Navidrome has this issue: https://github.com/navidrome/navidrome/issues/2967
It seems aside from :z i have to remap the user namespace, which I remember trying in the past too and getting mixed results (some worked, some still didn't). I get this is not a podman issue (also affects rootless docker), but given the default behavior of docker is root, I am not having this issue.
The others didn't seem to fail at creation, which is a good thing, but I recall some had issues interacting with each other (files created by one not being readable by another and such). Might try with some other navidrome image (or equivalent subsonic server) but unless it's as easy as adding :z, I don't think ill be able to continue Thanks in any case :)
Here's my Navidrome config. This is running on uCore version of CoreOS, with rootless Podman and SELinux. I made no configuration changes to Podman out-of-the-box, and this is the full compose file.
i have to remap the user namespace
Note: I have not done this. What are you running Podman on? Perhaps there is some config issue with the host, since you're having issues with many containers?
To be fair, maybe just go with docker if it's causing that much pain. But again, mine is working OOTB without making any changes to the Podman setup on ucore, and using the config below.
services:
navidrome:
image: deluan/navidrome:latest
container_name: navidrome
ports:
- "3015:4533"
restart: unless-stopped
environment:
# Optional: put your config options customization here. Examples:
volumes:
- ./data:/data:Z
- ./config.toml:/navidrome.toml:Z
I don't necessarily agree with it, but there's the third option of just disabling SELinux and removing the frustration entirely.
A rootless container is good for security.
A lifetime old basic rule is never run anything as root, not even your podman :)
I only ever use rootless podman jn my system and I fond it pretty easy to actually run: zero effort whatsoever.
Why you say it's complicated?
Yes I always create one unprivileged user (not even in the sudoers or wheel group ofc) for every service I containerize. And create a dedicated network for the service too.
It only takes a few lines in a normal docker compose yaml.
Also I use docker compose on podman, yes docker compose not podman compose.
Edit2: refer to this post of mine on how installed immich on rootless podman https://wiki.gardiol.org/doku.php?id=services%3Aimmich as you can see, the most complex part is... Useradd & mkdir LOL
Edit: also podman play nice with iptables and nft (which should be always preferred nowadays) instead docker can mess your system good, and don't work with nft tables, unless quirks quirks...
Needing to deal with the services for startup for every single compose stack seems like such a pain to me, that's one of the big reasons I haven't switched.
Put them in a pod and it's just systemctl --user start <name>-pod or sudo systemctl start <name>-pod. A pod is basically a compose file, but split across multiple files instead of chunks of yaml.
Nothing stops you to run them all from the same unprivileged user and start them all at once with a single command.
Set once and forget style.
What do you mean by that? Podman compose is a drop-in replacement for Docker compose, and everything is identical other than needing to add :Z to the end of your volume lines.
Maybe one would be sufficient, but for better separation and to have a single startup script for every service I prefer to keep them on different users.
In this way, also the data of each service is created with a different user and cannot be messed up by a rogue service...
And why let that user access root in any way? Even via sudo? No need. No risk.
One service one user. Simple security and separation policy
this post of mine
You have a typo in the title for the section about backups.
In that post you use the compose format. Have you used quadlet? My understanding is that's the "preferred" way to do things, I've also had some issues and am trying to decide if it's worth it. Any thoughts?
I run 50+ containers with rootless Podman compose (on CoreOS) and haven't encountered any unsolvable issues so far.
I've never tried quadlets but haven't found a need or any driving reason to do so.
No, quadlet seems to require systemd and I run OpenRC.
This answers all of your questions: https://github.com/containers/podman/discussions/13728 (link was edited, accidentally linked a redhat blog post that didn’t answer your Q directly but does make clear that specifying a user in rootless podman is important for security for the user running the rootless podman container if that user does more than just run the rootless podman container).
So the best defense plus ease of use is podman root assigning non-root UIDs to the containers. You can do the same with Docker, but Docker with non-root UIDs assigned still caries the risk of the root-level Docker daemon being hacked and exploited. Podman does not have a daemon to be hacked and exploited, meaning root Podman with non-root UIDs assigned has no downsides!
Thanks a lot for on-point answer! I wish the answered in the issue wrote a blog post, it would have been of great help.
I wish too for an in-depth blog post, but the github answer is at least succinct enough
Rootless podman means that it is less likely to bork the system. It is also nice to have per user containers.
Another benefit is that you can run podman in a service user. This makes sandboxing much easier.