Docker. It’s been around longer, it’s more polished, easier to learn, simpler to use, supported everywhere and by everything, easy to find solutions when you search for help, doesn’t depend on systemd, compatible with every container image out there, and you can do things with it even if it’s not the “correct” way to do it while podman will tell you “no, you can’t do that”.
Don’t overthink this. Just start using something.
This is the best advice. Bloody hard for me to do, however. Not sure why.
definitely docker. it just has so much more documentation and community involvement.
If your distro offers it, rootless podman + podman system service is the best setup, IMO. That will give you a
dockercommand that is 1-to-1 compatible with docker and lets you use tools like docker-compose that expect a docker service socket. Then you can just follow tutorials that only explain things for docker.My only issue with rootless is that SWAG doesn’t work with it, otherwise my other containers could be rootless. However, I heard connecting rootful and rootless containers is impossible so all my containers are rootful right now.
What is rootless bring brought up so much? It’s a container, it’s isolated from the host anyway, what does it matter what user runs inside? And if something breaks into the container they can trash the app in it and the shared volumes anyway, even if they’re not root.
Defense in depth. If something escapes the container it’s limited to only what’s under that user and not the whole system. Having access to the whole system makes it easier for malware to hide/persist itself.
Correct me if I’m wrong but containerization is enforced by the kernel, correct? If something escapes you’re pretty much screwed anyway.
There are many layers involved in preventing escapes from containers.
Way too dependent on the setup, a container with absolutely no outside access theoretically just has the kernel, but usually we want to communicate with our docker images not just run them
Because a container is only as isolated from the host as you want it to be.
Suppose you run a container and mount the entire filesystem into it. If that container is running as root, it can then read and write anything it likes (including password databases and /etc/sudo)
So what? If I mount / in the container and choose to run it as root that’s my business. Why would the containerization engine second-guess what I’m doing?
How would you like it if sudo told you “I can’t let you be root, you could read and write anything you like, including password databases and /etc/sudo”?
Docker if you are unsure how to begin. You can use docker compose with configs you find on the internet.
If your interested in podman I would start by using it though distrobox. Distrobox is a tool that allows other Linux environments on your host system and is really good for development
I started with Docker and then migrated to Podman for the integrated Cockpit dashboard support. All my docker-compose files work transparently on top of rootful Podman so the migration was relatively easy. Things get finicky when you try to go rootless though.
I say try both. Rootful podman is gonna be closest to the Docker experience.
I’d go Docker for the maturity. Podman is nice but I’ve definitely had some issues, and Buildah lacks any sort of caching and does unnecessary intermediate copies of the layers when pushing to a repository that really slows things down on larger apps/images.
I use podman, even when I started out. But I am a tinkerer. I think for the average beginner, docker will be easier as so much out there assumes you are using Docker only, and hard codes it. Unless you wanna deal with that, use Docker.
Podman, rootless containers work well, and there is no central process running everything. I like that starting containers on boot is integrated with systemd.
Docker because it just works. Podman has another 5 years (hopefully) to get this part right IMO.
