@bexelbie The secrets (by default) are stored in JSON files under /var/lib/containers/storage/secrets. They are only protected by the file-system permissions. If you want them to be encrypted at rest, you could use something like OpenBao (OSS fork of HashiCorp Vault).
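The default file driver described above can be swapped for Podman's shell secret driver, which delegates each secret operation to a command of your choosing. The following containers.conf fragment is an added example of pointing that driver at OpenBao; it is not code from this thread, from the Podman project or from the linked blog post. The four option names are the shell driver's documented options; Podman runs each command through /bin/sh with the secret ID in the SECRET_ID environment variable and, for store, the value on stdin (confirm against podman-secret-create(1) for your version). The KV mount and path prefix secret/podman/, the bao command lines and the use of jq are this example's assumptions.

```toml
# ~/.config/containers/containers.conf (rootless) or /etc/containers/containers.conf
# Added example: route Podman secrets to OpenBao instead of the default
# "file" driver, which keeps them as plain JSON under the storage root,
# guarded only by file permissions.
#
# The shell driver invokes each command via /bin/sh -c with SECRET_ID set.
# "store" receives the secret value on stdin, "lookup" must print it to
# stdout, and "list" must print one ID per line. The KV v2 mount "secret"
# and the prefix "podman/" are assumptions for this example. BAO_ADDR and a
# suitably scoped BAO_TOKEN (or a token helper) must be present in the
# environment of the podman process that runs these commands.
[secrets]
driver = "shell"

[secrets.opts]
list   = "bao kv list -format=json secret/podman | jq -r '.[]'"
lookup = "bao kv get -field=value secret/podman/$SECRET_ID"
store  = "bao kv put secret/podman/$SECRET_ID value=-"
delete = "bao kv delete secret/podman/$SECRET_ID"
```

After the change, `podman secret create db-password -` (value on stdin) should round-trip through the store and lookup commands, and `podman secret ls` through the list command. Note that `kv delete` on a KV v2 mount only soft-deletes the latest version; use `bao kv metadata delete` if a removed Podman secret must be unrecoverable, and scope the token's policy to the podman/ prefix so a compromised host cannot read the rest of the mount.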
larvitz@burningboard.net
Posts
-
Running Podman in production for years now, and I don't miss the Docker daemon one bit.
@svenhennessen Awesome! I use it to run production workloads on my Linux server (Forgejo, Nextcloud, Keycloak etc.). Worked for the last 4 years without any issue.
-
@Slash909uk I don't know of any alternatives. Quadlets are transiently transformed into systemd units by a generator. That's all very systemd-specific.
FreeBSD's Podman port ships with rc.d service scripts already. You enable them with:
sysrc podman_enable=YES
service podman start
sysrc podman_service_enable=YES
service podman_service start
Then, containers started with --restart=always will be automatically restarted after a host reboot. Podman's internal restart logic handles this, with the podman service acting as the supervisor. This is the closest equivalent to what Quadlets do on Linux.
-
@andrew That blog article took me the longest of them all. A first draft had been lingering in my blog's git repo since November last year, and I went through numerous rewrites of various parts until I found them good enough. Today, I added the final paragraph about Ansible and decided to publish it before I end up waiting another 6 months.

-
~/.config/systemd/user/ is for systemd units (podman generate systemd). That was the old way to do it.
~/.config/containers/systemd/ is for Quadlet files, the modern way to describe containers declaratively:
https://docs.podman.io/en/latest/markdown/podman-systemd.unit.5.html
Quadlet files are similar to systemd units and describe a container with all its attributes.
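As an added illustration of what such a Quadlet file looks like (this is example content, not a file from the thread or from the linked blog post), here is a rootless .container unit for one of the services mentioned earlier in the thread. The image tag, published port, volume name and secret name are assumptions; the keys themselves are documented in podman-systemd.unit(5).

```ini
# ~/.config/containers/systemd/forgejo.container
# Added example of a Quadlet file. The image tag, port, volume name and
# secret name are assumptions for this example.
[Unit]
Description=Forgejo (rootless, managed by Quadlet)
After=network-online.target
Wants=network-online.target

[Container]
Image=codeberg.org/forgejo/forgejo:10
ContainerName=forgejo
# Label the container so `podman auto-update` (run by podman-auto-update.timer)
# replaces it when the registry has a newer image for this tag.
AutoUpdate=registry
# Bind on loopback only; put a reverse proxy in front for TLS.
PublishPort=127.0.0.1:3000:3000
Volume=forgejo-data:/data
# Mount the Podman secret "forgejo-db-password" as a file inside the
# container instead of passing it on the command line or in an
# environment variable, where it would be visible in `ps` and `inspect`.
Secret=forgejo-db-password,type=mount,target=/run/secrets/db_password
# Hardening that does not depend on the image: no privilege escalation.
NoNewPrivileges=true

[Service]
Restart=always
TimeoutStartSec=900

[Install]
WantedBy=default.target
```

The generator turns this into forgejo.service on `systemctl --user daemon-reload`; there is nothing to `enable`, the [Install] section makes it start with the user session (use `loginctl enable-linger` so that session exists at boot). `systemctl --user enable --now podman-auto-update.timer` provides the periodic pull that the AutoUpdate= label opts the container into.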
-
@mmu_man Yeah for sure. LXC and Podman are different technologies.
-
@mmu_man For GUIs, there's Podman Desktop (https://podman-desktop.io) and also the web-based Cockpit Client for Podman (https://github.com/cockpit-project/cockpit-podman)
-
Running Podman in production for years now, and I don't miss the Docker daemon one bit.
I just published a deep dive on managing OCI containers the Unix way: daemonless, rootless, and natively integrated with systemd via Quadlets.
I cover:
- Real secrets management
- Auto-updates via systemd timers
- The Docker compatibility layer
This is the guide I wish I had when making the switch.
Read it here: https://blog.hofstede.it/podman-in-production-quadlets-secrets-auto-updates-and-docker-compatibility/
#Podman #Linux #DevOps #Systemd #Homelab #Sysadmin #Containers
