I use nftables to set my firewall rules. I typically manually configure the rules myself. Recently, I just happened to dump the ruleset, and, much to my surprise, my config was gone, and it was replaced with an enormous amount of extremely cryptic firewall rules. After a quick examination of the rules, I found that it was Docker that had modified them. And after some brief research, I found a number of open issues, just like this one, of people complaining about this behaviour. I think it’s an enormous security risk to have Docker silently do this by default.

I have heard that Podman doesn’t suffer from this issue, as it is daemonless. If that is true, I will certainly be switching from Docker to Podman.

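A quick check for the behaviour described in the post above, added here as an example (it is not code from the original post, from Docker or from Podman). Docker programs its rules through iptables, which on current distributions is the iptables-nft backend, so the rules land in the kernel's nftables tables `ip filter` and `ip nat` under chains named `DOCKER`, `DOCKER-USER` and `DOCKER-ISOLATION-STAGE-1/2`. A hand-written ruleset normally lives in its own table (for example `inet filter`), so any `DOCKER*` chain in `nft list ruleset` output is a reliable sign the daemon has been at the firewall. The ruleset embedded in the script is constructed for the example, and the function names `docker_chains` and `docker_present` are the example's own.

```shell
#!/bin/sh
# Added example: spot Docker-managed chains in an nftables ruleset dump.
# Docker's chains (DOCKER, DOCKER-USER, DOCKER-ISOLATION-STAGE-1/2) are
# created via iptables-nft and therefore appear inside "table ip filter"
# and "table ip nat" when the ruleset is listed with nft.

# Constructed sample standing in for the output of `nft list ruleset`:
# one hand-written inet table plus the tables Docker adds.
SAMPLE_RULESET='table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;
		ct state established,related accept
		tcp dport 22 accept
	}
}
table ip filter {
	chain DOCKER {
	}
	chain DOCKER-ISOLATION-STAGE-1 {
		counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
	}
	chain DOCKER-USER {
		counter packets 0 bytes 0 return
	}
	chain FORWARD {
		type filter hook forward priority filter; policy drop;
		counter packets 0 bytes 0 jump DOCKER-USER
	}
}
table ip nat {
	chain DOCKER {
		iifname "docker0" counter packets 0 bytes 0 return
	}
}'

# docker_chains RULESET_TEXT
# Prints "<family> <table> <chain>" for every chain whose name starts with
# DOCKER. awk remembers the enclosing table from each "table <family>
# <name> {" line so the chain can be attributed to it.
docker_chains() {
    printf '%s\n' "$1" | awk '
        $1 == "table" { family = $2; tbl = $3 }
        $1 == "chain" && $2 ~ /^DOCKER/ { print family, tbl, $2 }
    '
}

# docker_present RULESET_TEXT
# Succeeds (exit 0) if at least one DOCKER* chain exists in the dump.
docker_present() {
    [ -n "$(docker_chains "$1")" ]
}

# Live check against the running kernel (needs root and the nft tool):
#   if docker_present "$(nft list ruleset)"; then
#       echo "Docker has programmed rules into this host's firewall"
#       docker_chains "$(nft list ruleset)"
#   fi
```

On the sample above `docker_chains` reports four chains, three in `ip filter` and one in `ip nat`. Two caveats a practitioner should know when deciding what to do about it: Docker's documented way to stop this is the `"iptables": false` setting in `/etc/docker/daemon.json`, but with it disabled Docker no longer sets up NAT for published ports, so container networking needs to be handled by hand; and if you keep Docker's rules, the `DOCKER-USER` chain is the place Docker reserves for your own filtering, since the other chains are rewritten whenever the daemon restarts. Rootless Podman uses user-mode networking and does not touch the host ruleset at all, whereas rootful Podman's network backend does add its own rules, so the "daemonless means no firewall changes" expectation only holds for the rootless path.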
  • Link@rentadrunk.org · 11 upvotes, 2 downvotes · 10 months ago

    Is it? Last time I tried none of my docker compose files would start correctly in podman compose.

    • Molecular0079@lemmy.world · 14 upvotes · 10 months ago

      podman-compose is different from docker-compose. It runs your containers in rootless mode. This may break certain containers if configured incorrectly. This is why I suggested podman-docker, which allows podman to emulate docker, and the native docker-compose tool. Then you use sudo docker-compose to run your compose files in rootful mode.

      • warmaster@lemmy.world · 2 upvotes · 10 months ago

        How is Podman rootful better than Docker? I was mostly attracted by the rootless path, but the breakage deterred me. Would you be so kind as to tell me?

        • Molecular0079@lemmy.world · 1 upvote · 10 months ago

          It isn’t that much better. I use it as drop-in docker replacement. It’s better integrated with things like cockpit though and the idea is that it’s easier to eventually migrate to rootless if you’re already in the podman ecosystem.

          • warmaster@lemmy.world · 1 upvote · 10 months ago

            Ok, that sounds interesting. I’ve found Cockpit easier to use than Proxmox. I’m new to virtualization and I don’t want to do nesting… I fear it will complicate things when I need to do GPU passthrough.

            How is Podman integrated into Cockpit?

            Also, I had so much trouble trying to bridge my Home Assistant VM to my LAN. Are there any tutorials on how to do this from Cockpit?