Running Podman in production for years now, and I don't miss the Docker daemon one bit.
-
@Larvitz Thank you. I might have to dig a bit further into this.
-
Running Podman
in production for years now, and I don't miss the Docker daemon one bit.I just published a deep dive on managing OCI containers the Unix way: daemonless, rootless, and natively integrated with systemd via Quadlets.
I cover:
- Real secrets management
- Auto-updates via systemd timers
- The Docker compatibility layerThis is the guide I wish I had when making the switch.
Read it here: https://blog.hofstede.it/podman-in-production-quadlets-secrets-auto-updates-and-docker-compatibility/
#Podman #Linux #DevOps #Systemd #Homelab #Sysadmin #Containers
@Larvitz nice!
I am halfway with podman; still have compose files launched from systemd units that I write myself - they are all basically identical except the home directory setting
I deliberately use compose start only, not run. I do not want restarts to be messing about pulling new images when I dont expect it!
Is there an equivalent to quadlets for alternative init tools? I would not want to lock myself into systemd right now
seriousky looking at BSD. -
@Larvitz nice!
I am halfway with podman; still have compose files launched from systemd units that I write myself - they are all basically identical except the home directory setting
I deliberately use compose start only, not run. I do not want restarts to be messing about pulling new images when I dont expect it!
Is there an equivalent to quadlets for alternative init tools? I would not want to lock myself into systemd right now
seriousky looking at BSD.@Slash909uk I doin't know of any alternatives. Quadlets are transniently transformed into systemd units by a generator. That's all very systemd specific.
FreeBSD's Podman port ships with rc.d service scripts already. You enable them with:
sysrc podman_enable=YES
service podman start
sysrc podman_service_enable=YES
service podman_service startThen, containers started with --restart=always will be automatically restarted after a host reboot. Podman's internal restart logic handles this, with the podman service acting as the supervisor. This is the closest equivalent to what quadlets do on Linux.
-
@Slash909uk I doin't know of any alternatives. Quadlets are transniently transformed into systemd units by a generator. That's all very systemd specific.
FreeBSD's Podman port ships with rc.d service scripts already. You enable them with:
sysrc podman_enable=YES
service podman start
sysrc podman_service_enable=YES
service podman_service startThen, containers started with --restart=always will be automatically restarted after a host reboot. Podman's internal restart logic handles this, with the podman service acting as the supervisor. This is the closest equivalent to what quadlets do on Linux.
@Larvitz thanks, good to know there is BSD support already
-
Running Podman
in production for years now, and I don't miss the Docker daemon one bit.I just published a deep dive on managing OCI containers the Unix way: daemonless, rootless, and natively integrated with systemd via Quadlets.
I cover:
- Real secrets management
- Auto-updates via systemd timers
- The Docker compatibility layerThis is the guide I wish I had when making the switch.
Read it here: https://blog.hofstede.it/podman-in-production-quadlets-secrets-auto-updates-and-docker-compatibility/
#Podman #Linux #DevOps #Systemd #Homelab #Sysadmin #Containers
@Larvitz Thanks for this great guide! I’m also a heavy user of
podman since years, and it's my number one solution for deploying services.I had a question about the pod-in-pod deployment of forgejo / traefik,
giving access to the docker.socket allows thoses pods to create pods, but then
it can create privileged pods which mount the root volume of the host, right?
Even with the NoNewPrivileges arg?Is there a way to control what a pod having access to the docker.socket can
create? -
@Larvitz thanks, good to know there is BSD support already
-
Running Podman
in production for years now, and I don't miss the Docker daemon one bit.I just published a deep dive on managing OCI containers the Unix way: daemonless, rootless, and natively integrated with systemd via Quadlets.
I cover:
- Real secrets management
- Auto-updates via systemd timers
- The Docker compatibility layerThis is the guide I wish I had when making the switch.
Read it here: https://blog.hofstede.it/podman-in-production-quadlets-secrets-auto-updates-and-docker-compatibility/
#Podman #Linux #DevOps #Systemd #Homelab #Sysadmin #Containers
@Larvitz thanks. I never took the time to explore Podman, I think I will do it in close future thanks to your nice article
-
Running Podman
in production for years now, and I don't miss the Docker daemon one bit.I just published a deep dive on managing OCI containers the Unix way: daemonless, rootless, and natively integrated with systemd via Quadlets.
I cover:
- Real secrets management
- Auto-updates via systemd timers
- The Docker compatibility layerThis is the guide I wish I had when making the switch.
Read it here: https://blog.hofstede.it/podman-in-production-quadlets-secrets-auto-updates-and-docker-compatibility/
#Podman #Linux #DevOps #Systemd #Homelab #Sysadmin #Containers
@Larvitz We are using podman for a year now as a local Docker replacement for developing distributed apps (.NET, Postgres, MSSQL, Kafka, etc.) on MacOS/Windows. The early quirks are gone, several months now without an issue.
-
@Larvitz We are using podman for a year now as a local Docker replacement for developing distributed apps (.NET, Postgres, MSSQL, Kafka, etc.) on MacOS/Windows. The early quirks are gone, several months now without an issue.
@svenhennessen awesome! I use it to run production workloads on my linux server (forgejo, Nextcloud, Keycloak etc.). Worked for the last 4 years without any issue.
-
Running Podman
in production for years now, and I don't miss the Docker daemon one bit.I just published a deep dive on managing OCI containers the Unix way: daemonless, rootless, and natively integrated with systemd via Quadlets.
I cover:
- Real secrets management
- Auto-updates via systemd timers
- The Docker compatibility layerThis is the guide I wish I had when making the switch.
Read it here: https://blog.hofstede.it/podman-in-production-quadlets-secrets-auto-updates-and-docker-compatibility/
#Podman #Linux #DevOps #Systemd #Homelab #Sysadmin #Containers
@Larvitz I use podman for all my unorchestrated containers. Love it. How we I’ve stayed away from podman secrets as they used to be written to disk in plaintext. Did that get fixed?
-
@Larvitz I use podman for all my unorchestrated containers. Love it. How we I’ve stayed away from podman secrets as they used to be written to disk in plaintext. Did that get fixed?
@bexelbie The secrets (by default) are stored in json files under /var/lib/containers/storage/secrets .. Only protected by the file-system permissions. If you want them to be encrypted at rest, you could use something like OpenBao (OSS fork of Hashicorp Vault)
-
Running Podman
in production for years now, and I don't miss the Docker daemon one bit.I just published a deep dive on managing OCI containers the Unix way: daemonless, rootless, and natively integrated with systemd via Quadlets.
I cover:
- Real secrets management
- Auto-updates via systemd timers
- The Docker compatibility layerThis is the guide I wish I had when making the switch.
Read it here: https://blog.hofstede.it/podman-in-production-quadlets-secrets-auto-updates-and-docker-compatibility/
#Podman #Linux #DevOps #Systemd #Homelab #Sysadmin #Containers
@Larvitz I have been running podman in production for years as well and I must say what an excellent documentation that is. I didn't know about quadlets but I will integrate it into my Ansible workflow for sure.
-
Running Podman
in production for years now, and I don't miss the Docker daemon one bit.I just published a deep dive on managing OCI containers the Unix way: daemonless, rootless, and natively integrated with systemd via Quadlets.
I cover:
- Real secrets management
- Auto-updates via systemd timers
- The Docker compatibility layerThis is the guide I wish I had when making the switch.
Read it here: https://blog.hofstede.it/podman-in-production-quadlets-secrets-auto-updates-and-docker-compatibility/
#Podman #Linux #DevOps #Systemd #Homelab #Sysadmin #Containers
@Larvitz great guide! I am not buying the recommendation on using Docker Desktop on Mac though. I have been using Podman Desktop for the last year and I just think it's great. I really have no reason to go back to Docker for this.
-
Running Podman
in production for years now, and I don't miss the Docker daemon one bit.I just published a deep dive on managing OCI containers the Unix way: daemonless, rootless, and natively integrated with systemd via Quadlets.
I cover:
- Real secrets management
- Auto-updates via systemd timers
- The Docker compatibility layerThis is the guide I wish I had when making the switch.
Read it here: https://blog.hofstede.it/podman-in-production-quadlets-secrets-auto-updates-and-docker-compatibility/
#Podman #Linux #DevOps #Systemd #Homelab #Sysadmin #Containers
@Larvitz hi! Thanks for sharing. FYI in your article you use '’' (U+2019 "Right Single Quotation Mark") for apostrophes in e.g. »isn’t« and this confuses my screenreader (thankfully I am sighted).
