I'm moving to a new machine soon and want to re-evaluate some security practices while I'm doing it. My current server is debian with all apps containerized in docker with root. I'd like to harden some stuff, especially vaultwarden but I'm concerned about transitioning to podman while using complex docker setups like nextcloud-aio. Do you have experience hardening your containers by switching? Is it worth it? How long is a piece of string?
I started with rootless podman when I set up All My Things, and I have never had an issue with either maintaining or running it. Most Docker instructions are transposable, except that podman doesn't assume everything lives at dockerhub and you always have to specify the host. I've run into a couple of edge cases where arguments are not 1:1 and I've had to dig to figure out what the argument is on podman. I don't know if I'm actually more secure, but I feel more secure, and I really like not having the docker service running as root in the background. All in all, I think my experience with rootless podman has been better than my experience with docker, but at this point, I've had far more experience with podman.
Podman-compose gives me indigestion, but docker-compose didn't exist or wasn't yet common back when I used docker; and by the time I was setting up a homelab, I'd already settled on podman. So I just don't use it most of the time, and wire things up by hand when necessary. Again, I don't know whether that's just me, or if podman-compose is more flaky than docker-compose. Podman-compose is certainly much younger and less battle-tested. So is podman but, as I said, I've been happy with it.
I really like running containers as separate users without that daemon - I can't even remember what about the daemon was causing me grief; I think it may have been the fact that it was always running and consuming resources, even when I wasn't running a container, which isn't a consideration for a homelab. However, I'd rather deeply know one tool than kind of know two that do the same thing, and since I run containers in several different situations, using podman everywhere allows me to exploit the intimacy I wouldn't have if I were using docker in some places and podman in others.
2¢
I make extensive use of compose in my own server so I'm assuming I'll need to transition to systemd confs. Do you run those or do you run everything by podman CLI?
Yeah, I use systemd for the self-host stuff, but you should be able to use docker-compose files with podman-compose with no, or only minor, changes. Theoretically. If you're comfortable with compose, you may have more luck. I didn't have a lot of experience with docker-compose, and so when there's hiccups I tend to just give up and do it manually, because it works just fine that way, too, and it's easier (for me).
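For anyone wondering what "systemd instead of compose" looks like in practice for the vaultwarden instance mentioned in the question, here is a Quadlet unit, podman's native way of describing a container as a systemd service, placed under the unprivileged user's own systemd so the container is rootless. This is an added example, not something either poster wrote: the domain, the host port, the data path and the environment values are assumptions, and it assumes vaultwarden honours ROCKET_PORT to move its listener off port 80 so the container can run with every capability dropped. The fully qualified image reference is what the reply above means by "you always have to specify the host".

```ini
# ~/.config/containers/systemd/vaultwarden.container
# Rootless: lives under the user's systemd instance, not /etc/containers/systemd.
# Quadlet needs podman 4.4 or newer; the Debian stable package is older, see the note below.

[Unit]
Description=Vaultwarden (rootless podman via Quadlet)
After=network-online.target
Wants=network-online.target

[Container]
# podman does not assume docker.io; spell out the registry.
Image=docker.io/vaultwarden/server:latest
ContainerName=vaultwarden

# Assumption: vaultwarden honours ROCKET_PORT, so it listens on 8080 inside the container
# and needs no CAP_NET_BIND_SERVICE. Bind only to loopback; a reverse proxy terminates TLS.
Environment=ROCKET_PORT=8080
PublishPort=127.0.0.1:8080:8080

# Assumed values for illustration; DOMAIN must match what the proxy serves.
Environment=DOMAIN=https://vault.example.com
Environment=SIGNUPS_ALLOWED=false

# Bind mount for persistent data; %h is the user's home directory. :Z relabels for SELinux
# and is harmless on hosts without it.
Volume=%h/vaultwarden/data:/data:Z

# Hardening: no capabilities at all, no setuid escalation, read-only root filesystem
# (Quadlet still mounts writable tmpfs on /tmp, /run and friends by default).
DropCapability=ALL
NoNewPrivileges=true
ReadOnly=true

# Let `podman auto-update` pull new images and restart the unit.
AutoUpdate=registry

[Service]
Restart=always
TimeoutStartSec=300

[Install]
WantedBy=default.target
```

After saving the file, `systemctl --user daemon-reload` makes Quadlet generate `vaultwarden.service`, and `systemctl --user start vaultwarden.service` runs it; `loginctl enable-linger "$USER"` is what keeps the user's systemd instance, and therefore the container, running after logout and at boot without a login. To confirm the capability set actually took effect, `podman top vaultwarden capeff` should show an empty effective capability set for the vaultwarden process. Two caveats a Debian user should know before planning the migration: Quadlet arrived in podman 4.4, and the podman in Debian stable (bookworm) is older, so there the older `podman generate systemd` route is the one available unless a newer podman is installed; and rootless containers cannot publish host ports below 1024 by default, which is why the example publishes on 8080 and expects a proxy in front.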