In case you haven't started yet. Learn docker, but use podman.
this post was submitted on 22 Mar 2024
66 points (100.0% liked)
Selfhosted
46677 readers
318 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 2 years ago
MODERATORS
OP, listen to this person. Docker will earn you cash. Podman is nicer to work with for your own shit.
load more comments
(1 replies)
As a podman user myself, they're essentially the same. I look at the docker documentation when learning new things about podman. 99.9% of the time, it's exactly the same. For the features that aren't in podman, you can use the podman-docker package. This gets you a daemon so you can have some docker-specific features such as a container being able to start/stop other containers by mounting the socket as a volume, and it allows you to use docker-compose.
Docker is more ubiquitous, Podman has use cases that diverge from Docker.
Discover the use case and decide from there.
That said docker is a good starting point, their documentation is pretty great and once you know docker you’ll better appreciate why podman is different.
It's easier to start with docker first simply because of the sheer amount of learning resources available on the internet. If you're having issues, you can usually find a solution quickly with a search engine.
That's being said, there's not much differences on how to use them these days. You can even run docker compose on podman.
I've read somewhere on lemmy that the podman-compose is unmaintained and shouldn't be used. Can't find it now thought.
Yes because it now uses docker-compose by default: https://docs.podman.io/en/latest/markdown/podman-compose.1.html
load more comments
(1 replies)
You didn't say what's your goal. What do you want to achieve? For instance, if you work in IT you should probably learn Docker unless Podman is more relevant in your actual daily tasks.
My goal is selfhosting stuff mainly on my raspberry pi. I'm sure I'm not going to work in IT for 3 years and probably not for at least few years after that.
Then just go for Docker. Otherwise you may make it unnecessarily difficult for yourself and get discouraged. In a few years you may revisit the question and see if you still have an interest in podman.
Honestly, if you have never used containers before I would suggest starting with docker as it has more readily accessible beginner walk through and tutorials. From there, you will have a good idea as to switching to podman is the right move for you or not.
Personally, I started with docker and haven’t moved from there since I don’t see a need (yet). I have dozens of services running on docker. I don’t know how heavy of a lift it would be to learn podman but like I said, I don’t feel the need to do so.
Maybe try out both and see which one you like more?
Just to offer the other perspective. I started with podman years ago. I knew very little about containers and I would say it made the learbing curve a lot steeper. Most guides and README's use docker and when things didnt work I had to figure out if it was networking, selinux, rootless, not having the docker daemon, etc... without understanding fully what those things were because I didn't know docker. But when I started running stuff on kubernetes, it was really easy. Pods in podman are isomorphic to kubernetes pods. I think the pain was worth it, but it was definitely not easy at the time. Documentation, guides, and networking have improved since then, so it may not be as big of a deal now
load more comments
(1 replies)
They're pretty much the same. Use docker documentation for learning, but actually use podman, because it's nicer to use (doesn't require root, easier to install on many Linux distributions).
I tried out podman at first, but I found many docker instances simply provide a string of crap instead of explanations. It was easy to get a grasp of how docker worked, and now that I have an idea I feel like I could jump into podman better.
Here goes my experience.
When I started the self hosted trip, I was against containers and tried to avoid them at all costs. Then I learned about containers, and now I still am against containers but less vividly so. I have used them and still use them.
Containers are good for the self hoster because they deliver fast deploy and easy testing of lots of services quickly. They are good for developers because they can provide one common installation approach that reduces greatly user issues and support requests.
But containers also have downsides as well. First of all they make the user dumber. Instead of learning something new, you blindly "compose pull & up" your way. Easy, but it's dumbifier and that's not a good thing. Second, there is a dangerous trend where projects only release containers, and that's bad for freedom of choice (bare metal install, as complex as it might be, need to always be possible) and while I am aware that you can download an image and extract the files inside, that's more an hack than a solution. Third, with containers you are forced to use whatever deployment the devs have chosen for you. Maybe I don't want 10 postgres instances one for each service, or maybe I already have my nginx reverse proxy or so. I have seen projects release different composer files for different scenarios, but at that point I would prefer to deploy on bare metal.
Said so, containers are not avoidable today, so study and embrace them, you will not be disappointed as its a cool piece of tech. But please stay clear of docker and go podman instead. Podman doesn't rely on a potentially insecure socket and does not require an always running daemon. Podman also by default doesn't force you to run services as root which you should never do. Also, networking feels clearer on podman and podman feels more .modern by using nft instead of iptables. Yes most of this can be fixed on docker, but since podman is a drop in replacement, why bother? Also, podman is truly open source while docker, shockingly, its not.
Here is my wiki page on the subject: https://wiki.gardiol.org/doku.php?id=gentoo:containers feel free to read it.
One last thought: updating containers should not be taken lightly. Its so easy and fast that you might be tempted to setup cron jobs or install watchtower, but you will end sooner or later with a broken service and lost data. So backup, always backup, and keep updating with rationale.
Tldr: containers are unavoidable today and are a cool piece of tech worth investigating. Don't blindly use them as there are security issues involved, and I hope the trend of making containers the only way doesn't take hold, because containers also make self hosters dumber and that's not good.
First of all they make the user dumber. Instead of learning something new, you blindly “compose pull & up” your way. Easy, but it’s dumbifier and that’s not a good thing
I don't like this Docker trend because, besides what you've said, it 1) leads you towards a dependence on property repositories and 2) robs you from the experience of learning Linux (more later on) but I it does lower the bar to newcomers and let's you setup something really fast. In my opinion you should be very skeptical about everything that is "sold to the masses", just go with a simple Debian system (command line only) SSH into it and install what you really need, take your time to learn Linux and whatnot.
there is a dangerous trend where projects only release containers, and that’s bad for freedom of choice (bare metal install, as complex as it might be, need to always be possible) and while I am aware that you can download an image and extract the files inside, that’s more an hack than a solution
And the second danger there is that when developers don't have to consider the setup of a their solution the code tends to be worse. Why bother with having single binaries, stuff that is easy to understand and properly document things when you can just pull 100 dependencies and compose files? :) This is the unfortunate reality of modern software.
Third, with containers you are forced to use whatever deployment the devs have chosen for you. Maybe I don’t want 10 postgres instances one for each service, or maybe I already have my nginx reverse proxy or so
See? Poorly written software. Not designed to be sane and reasonable and integrate with existing stuff.
But be aware that containers are not the solution to selfhosting-made-easy and, specifically, containers havebeen created to solve different issues than self-hosting!
Your article said it all and is very well written. Let me expand a bit into the "different issues":
The thing with Docker is that people don’t want to learn how to use Linux and are buying into an overhyped solution that makes their life easier without understanding the long term consequences. Most of the pro-Docker arguments go around security, reproducibility and that’s mostly BS because 1) systemd can provide as much isolation a docker containers and 2) there are other container solutions and nobody cares about them.
Companies such as Microsoft and GitHub are all about re-creating and re-configuring the way people develop software so everyone will be hostage of their platforms - that's why nowadays everything and everyone is pushing for Docker/DockerHub/Kubernetes, GitHub actions and whatnot. We now have a generation that doesn’t understand the basic of their tech stack, about networking, about DNS, about how to deploy a simple thing into a server that doesn’t use some Docker BS or isn’t a 3rd party cloud xyz deploy-from-github service.
Before anyone comments that Docker isn’t totally proprietary and there’s Podman consider the following: It doesn’t really matter if there are truly open-source and open ecosystems of containerization technologies. In the end people/companies will pick the proprietary / closed option just because “it’s easier to use” or some other specific thing that will be good on the short term and very bad on the long term.
Docker may make development and deployment very easy and lowered the bar for newcomers have the dark side of being designed to reconfigure and envelope the way development gets done so someone can profit from it. That is sad and above all set dangerous precedents and creates generations of engineers and developers that don’t have truly open tools like we did. There’s LOT of money into transitioning everyone to the “deploy-from-github-to-cloud-x-with-hooks” model so those companies will keep pushing for it.
At the end of the day technologies like Docker are about commoditizing development and about creating a negative feedback loop around it that never ends. Yes, I say commoditizing development because if you look at it those techs only make it easier for the entry level developer and companies instead of hiring developers for their knowledge and ability to develop they’re just hiring “cheap monkeys” that are able to configure those technologies and cloud platforms to deliver something.
Successful cloud companies are not longer about selling infrastructure, we're past that - the profit is now in transforming developer knowledge into products/services that can be bought with a click.
There is a lot of truth in your words.
Unfortunately, things will not change.
At least let's use podman and I will keep fighting for containers being at least optional.
At least let’s use podman and I will keep fighting for containers being at least optional.
Well, systemd can also provide as much isolation and security. It's another option... :) as well as LXC.
load more comments
(4 replies)
load more comments
(3 replies)
Both. They're pretty damn similar.
Podman only if you really care about using FOSS, having first-class rootless mode, and don't mind the hassle of scarce learning resource and tutorials on all Podman features that are different from docker.
Otherwise docker.
if you havent started: none
use nixOS.
I'm huge fan of Nix, but for someone wondering if they should "learn docker" Nix is absolutely brutal.
Also IMO while there's some overlap, one is not a complete replacement for the other. I use both in combination frequently.
load more comments
(1 replies)
Docker, there are more resources for it and once you know it Podman should be an easy migration if you want to. Also I'm not sure about your claim that Podman is more FOSS than docker, it's "better" because it doesn't run as root, but other than that I don't know of any advantages to it that are not a derivation of "it runs as a regular user".
Also I’m not sure about your claim that Podman is more FOSS than docker
The issue with Docker isn't the core product itself, is the ecosystem, it's the DockerHub, Kubernetes etc.
load more comments
(4 replies)
On the same machine I have Docker running as root and not as root. I choose which version, root-ful/root-less depending on what the container needs to do.
I think the only advantage is that Podman runs as root-less out of the box, where with Docker you have to do a few extra steps once it's installed.
load more comments
(1 replies)
Both. Start with docker as there's a buttload of tutorials. Once you're familiar with it jump to podman. Learn the differences, use both for a while and decide what suits you best.
Yes
Doesn't really matter for basic stuff as it will be the same.
Once you get into container orchestration the differences start and then you basically need to decide what you want to get out of it.
They're very similar so you pretty much can't go wrong. Podman, I believe, is more secure by default (or aims to be) so might run into more roadblocks with its use.
load more comments
(1 replies)
Still haven't looked into podman properly, but docker is much easier to learn because as you said there's a lot more material available online. I'd say start with Docker, and if in the future you will find out podman better fits your needs you can always switch (they should not be that different)
Docker and docker-compose. Then learn podman after you have some experience, if you want to...
Or jump into kubernetes (or minikube) instead of podman if you want to do highly useful things.
But first, get comfortable building images with a Dockerfile, and then running them in a meaningful way, and networking them, and locking them down.
No
Do you selfhost stuff on bare metal? I feel like most projects provide containers as their officially supported packages.
No, I use an operating system.
Not sure why all the down votes without any explanation.
I too don't use docker for my services. I run Plex on my Arch install via the provided AUR package. 🤷♂️ Nobody told me I needed to do otherwise, with docker or anything else. Not sure why that would be better in any way. It could hardly be more performant? And it's as simple as enabling the service and forgetting about it.
Maybe they're having issues with his answer of "using an OS" which implies other people are not? IDK.
But as to you if you're running just one or two services from a machine you also use for other stuff using packages and systems services is perfectly fine. If you have dedicated hardware for it (or plan on having it), it starts to make sense to look at ways of making things easier for yourself in the long run. Docker solves lots of issues no one's talking about (because no one is facing them anymore), e.g.:
- Different services requiring different versions of the same library/database/etc
- Moving your service from one computer to another
- Service requiring specific steps for updates (this is not entirely gone, but it's much better and it's prevents you from breaking your services by doing a random operation like updating your system)
- Pinning versions of services until you decide to update without needing to sacrifice system updates for it (I know you can pin a version of a package, but if you don't upgrade it it will break when you upgrade it's dependencies)
- Easily map ports or block access in a generic way, no need to discover how each service config file allows that, you can just do it at the container level. e.g. databases that can't be accessed from the network or even from within the host machine (I mean, they can obviously be accessed from the host system, just not in the traditional way, so a user who gains access to your machine on a user that's not allowed to use docker can't)
- Isolation between services
- Isolation from host machine
- Reproducibility of services (i.e. one small docker compose file guarantees a reproducible host of services)
- Endurance that no service is running as root (even if they only work as root)
- Spin services in minutes to test stuff up and clean them out thoroughly in seconds.
There's probably many more reasons to use docker. Plus once you've learned it it's very easy for small self-hosted stuff so there's really no reason not to use it. Every time I see someone saying they don't use docker and don't understand why people use it I'm a bit baffled, it's like someone claiming he doesn't understand why people use knifes to cut bread when the two-handed axe he uses for chopping wood works (like, yes, it does work, but it's obviously not the best tool for the job)
Are you aware that all those isolation, networking, firewall etc. issues can be solved by simply learning how to write proper systemd units for your services. Start by reading this: https://www.redhat.com/sysadmin/mastering-systemd
Yes I'm aware of that, having written several systemd units for my own services in the past. But you're not likely to get any of that by default when you just install from the package manager as it's the discussion here, and most people will just use the default systemd unit provided, and in the vast majority of cases they don't provide the same level of isolation the default docker compose file does.
We're talking about ease of setting things up, anything you can do in docker you can do without, it's just a matter of how easy it is to get good standards. A similar argument to what you made would be that you can also install multiple versions of databases directly on your OS.
For example I'm 99% sure the person I replied to has this file for service:
[Unit]
Description=Plex Media Server
After=network.target network-online.target
[Service]
# In this file, set LANG and LC_ALL to en_US.UTF-8 on non-English systems to avoid mystery crashes.
EnvironmentFile=/etc/conf.d/plexmediaserver
ExecStart=/usr/lib/plexmediaserver/Plex\x20Media\x20Server
SyslogIdentifier=plexmediaserver
Type=simple
User=plex
Group=plex
Restart=on-failure
RestartSec=5
StartLimitInterval=60s
StartLimitBurst=3
[Install]
WantedBy=multi-user.target
Some good user isolation, but almost nothing else, and I doubt that someone who argued that installing from the package manager is easier will run systemctl edit on what he just installed to add extra security features.
load more comments
(10 replies)
load more comments
(2 replies)
People love to hate on people who don't care for containers.
Also, I'm guessing that nobody here actually knows what it means to run code on bare metal.
What you're doing is fine. No need to make life harder for yourself.
People love to hate on people who don't care for containers.
Maybe so. 😕
what it means to run code on bare metal
I'm guessing it means something slightly different than what most people think, namely to just run it in the OS. Would you explain to me what it really means?
load more comments
(3 replies)
They're being useless, but what I do is use Proxmox and just install my stuff each in their own LXC
load more comments
(3 replies)
I use distro packages. In the rare case something isn’t packaged yet, I package it myself. And for the isolation, systemd services can do most of the things docker can if you need (check systemd-analyze security).
For just hosting services that can be done instead with normal system services, docker makes your setup a lot more complex (especially on the networking side), for little if any gain. Unless I need to spin up something multiple times temporarily on demand or something has a hard dependency on it, I’m not going to bother with it anymore.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:
| Fewer Letters | More Letters |
|---|---|
| DNS | Domain Name Service/System |
| Git | Popular version control system, primarily for code |
| HTTP | Hypertext Transfer Protocol, the Web |
| LXC | Linux Containers |
| Plex | Brand of media server package |
| SSH | Secure Shell for remote terminal access |
| nginx | Popular HTTP server |
[Thread #623 for this sub, first seen 23rd Mar 2024, 07:55] [FAQ] [Full list] [Contact] [Source code]
not having to change habits later.
If everybody thought like this, we would still be banging rocks together.
I am not sure about your use case, but IMO learning Docker first would be a good default. It is more wide-spread than podman. If you want (or need) to, moving on to podman would probably not be too big a step.
load more comments
(3 replies)
This is a bit of a Pokemon starter question. Just pick one and see where it takes you! They do roughly the same job, especially now that docker has a rootless mode. At the end of the day you're learning a new technology and that's a positive thing.
Learn Docker first, it will be faster and easier. It will both give you an intro to containers and you'll get some practical use for your self hosting needs.
If you're still curious later you can go deeper into Podman and other container technology.
view more: next ›