PODMAN vs DOCKER - should you switch now?

  • Published on 27 Aug 2024

Comments • 117

  • @christianlempa 3 years ago +19

    I created a new video on how to use Podman, Podman-Compose, and Manage it with Cockpit! Check it out: th-cam.com/video/-hJosY_M0I4/w-d-xo.html

  • @nathansire6623 3 years ago +47

    The root permissions issues with docker drive me crazy. I'm going to try podman just because of that.

    • @Max-xp3tf 3 years ago

      if you're running it on Linux, you can just run -> sudo usermod -aG docker $USER
      and then logout and login again. ^^

    • @junedkhatri31 3 years ago +3

      @Max-xp3tf the user can read the files that are owned by root from inside the container

    • @ThePapanoob 2 years ago +7

      @Max-xp3tf no, that literally gives everyone in the docker group full root access

    •  2 years ago +1

      Securing Docker is not a big deal, you just have to use a namespace (so Docker is not run by root anymore) + docker group for your user + read-only containers + unknown users at runtime (not root even in the container)

  • @DBTechYT 3 years ago +25

    I'd heard of Podman before, but never paid attention to it. Great explanation!! Thanks for sharing :)

  • @Mark-cw4tg 2 years ago +22

    I recently tried to play around with podman to see if it is an alternative to docker. The installation on Windows WSL2 is way more cumbersome than docker. The installation of docker in combination with WSL2 is lately really smooth. But once I had it running I reached the next hurdle. The official alternative to docker-compose is podman play kube, which requires a way more complicated yml file. Especially if you look how short and simple my docker-compose yml file, which I used for the test, was. I think I will stick with docker for now.

    • @christianlempa 2 years ago +4

      100% agree with you!

    • @fanciestbanana4653 2 years ago +6

      I come from a Linux environment (dualboot), but in my experience podman does everything that docker does and more. There is a podman daemon that works just like the docker daemon, exposes the same API and is compatible with docker-compose. You can enable it just like the docker service. You can also use podman-compose if you don't want to deal with the daemon.

  • @code8986 1 year ago +1

    Thank you for this video. It helped me not only to understand Podman better, but also to realize my mistake in thinking that Podman and Portainer are overlapping technologies when, in fact, they are orthogonal to each other.

  • @CaptZenPetabyte 2 years ago +4

    I have just switched to Fedora Server, it ships with Cockpit and setting up Podman is a couple of clicks (one click if you don't count the 'enable' slider!), and it looks like a streamlined way of installing/using containers. Also of note the server software update process can also update podman and all associated containers automatically, so no need for Watchtower (?)

    • @christianlempa 2 years ago +1

      Sounds pretty cool! I need to look more into RHEL based distros for sure...

  • @Worscht3000 3 years ago +23

    Well, in the Red Hat world docker is already replaced with podman since RHEL/CentOS 8 ;) even k8s deprecated docker, it is dying because of bad business decisions and not listening to the community what Red Hat did. I do not miss Docker for sure, all hail podman :D v3 will fully support docker-compose with no hassle.

    • @christianlempa 3 years ago +1

      Yea I think docker will become less important especially in large environments, in some it's already out.

    • @themedleb 3 years ago +2

      Today I heard that Docker is making companies with a lot of users or makes a lot of money to pay the subscription for Docker Desktop.

    • @EYEVISUALdotNET 3 years ago +1

      Seems like you guys were right, lol

  • @lovefamilychildrenhappines9330 3 years ago +6

    Podman is not only the default for Red Hat 8/CentOS 8 but you will have to go through lengths to get docker-ce working.

    • @JuddMan03 1 year ago

      Red hat ain't done till docker won't run

  • @sbrodriguez1980 2 years ago +1

    Fantastic point of view about Podman. Congrats!!!!

  • @kunrinai6500 3 years ago +4

    Ty man good video

  • @miracleinnocent2649 1 year ago

    The biggest security concern one should know is permission grants even if docker is rootless or podman is rootless

  • @marcello4258 2 years ago +4

    the redhat guys wanted to replace docker because there is a daemon running in the background? boy :D you made my day ;) ..well in the end it is the same like privileged containers within LXC. I never used docker honestly since there was never a need to, but knowing they run as root.. to me, that is a big no-no.. it is imo less a problem that users who need to tinker with docker around have root privileges, it moreover is the problem that flaws in the container are running as root in your whole system hence downloading a bad image or having problems in your apps which runs inside the docker could harm your entire system

    • @christianlempa 2 years ago +2

      Yeah that's right. I think we have big problems with security in docker images, but Docker seems to be still the most common way to run them.

  • @Oswee 3 years ago +3

    Yeah... and now show the shared volume mounting for the rootless container. :)

    • @nathansire6623 3 years ago +1

      Are there problems with it?

  • @XaetaCore 2 years ago +1

    It depends, if you wish to work in the industry, mainly enterprise, stick with docker since that's being used, and I don't expect companies to switch.

  • @TheBaertierchen 3 years ago +3

    Well. It would help if the devs of docker images would stop using the root user for the processes. Like on a bare metal machine nginx does not need root privs to run its services. There are existing solutions to securely open a privileged port.
    But same as you I currently run docker as podman has some rather annoying complications with mounted volumes and their access rights on the filesystem level. It was too much of a headache for me to set up for a small personal project.
    Instead I check the containers and wherever possible I run them with the --user command or modify the container and build it myself to drop root privs. I also only grant access to the docker socket through a TCP proxy in read only mode to other containers. That excludes the usage of portainer for me but I can live with that limitation.

  • @davidg4512 3 years ago +4

    I still like docker too.

  • @kain1638 1 year ago

    2 years later, tried again podman, podman-compose, podman desktop, went back to docker desktop almost immediately, again.

    • @christianlempa 1 year ago +1

      Sad that there still don’t exist many tools for podman

  • @nathansire6623 3 years ago +2

    I subscribed. Excellent video. I've been looking for a docker alternative since Kubernetes deprecated docker.

    • @christianlempa 3 years ago +1

      Thank you! 🥰

    • @KhajaMD143 2 years ago

      Kubernetes deprecation shouldn't be the reason for anyone switching away from docker. The reason why Kubernetes deprecated docker was they didn't want to maintain dockershim, a shim that connects the Kubernetes and docker worlds. We can still use docker for building containers, local testing etc., but I get Podman is gaining ground over docker these days. The more tooling we get around Podman the easier it will be for people to adopt and move away from docker one day.

  • @marcoroose9973 2 years ago +1

    I very much liked this particular content. Thought a lot about docker vs. Podman. And came to the exact same decision as you.

    • @christianlempa 2 years ago

      Thanks, good to see I'm not the only one 😄

  • @marcosscriven 2 years ago

    Great explanation. Subscribed.

  • @en4ble773 3 years ago

    good stuff thank You for explanation. Just started learning docker and someone pointed me to podman so I might as well just flip now.... :P

  • @kiraitachi 3 years ago

    Thanks a lot mate. I'm a new fan of your videos and content. Superb work!!

  • @okdoomer620 2 years ago

    thank you, exactly what i was looking for

  • @harleymandk 3 years ago +1

    podman is default in cockpit for Redhat 8.

  • @streambarhoum4464 1 year ago

    I believe Rancher with Podman solves the problem of lacking some extra features of portainer😎

  • @fredrik354 2 years ago +4

    I'm probably going to stick to Docker until something other than Podman comes along. Not saying that Docker doesn't have bugs and what not however when looking at the amount of bugs with Podman still going on + new reports I'm sticking with Docker. Security issues will most def catch up with Podman. It is possible to run Docker rootless, even if it's an annoying process.
    Podman's website is not even being updated anymore? It just doesn't feel like something to hang on to.
    For any IT professionals it's also worth learning how to harden Docker even if it's in your homelab, rather than switching to something that is not industry standard.

    • @christianlempa 2 years ago

      Yeah I stick to Docker, too. Interesting though, I guess podman is being used in the Red Hat world a lot, Openshift, etc.

    • @MrVecheater 2 years ago +3

      If running an application securely requires extra work, you can practically expect a data breach at some point
      More complexity = more hidden security issues
      The "industry standard" Log4j should have woken people up, but it seems it didn't

  • @TheStigma 2 years ago +2

    So if podman and docker follow the same standardized format - does that mean you could just run existing docker containers in podman without too much hassle?

    • @Eysvar 2 years ago +5

      Yes. Both use the Open Container Image format under the hood and are therefore compatible with images built by the other.

  • @GorkemYildirim 3 years ago +5

    haha, Hello from Docker :D

  • @ziranshuzhang6831 2 years ago

    yeah, dockerd is now the most troublesome part on my project. All other parts will work just fine, it is always some error thrown by dockerd.

  • @Overthought7 3 years ago +4

    podman looks promising, but is there a podman version of docker-compose?

    • @christianlempa 3 years ago +1

      I think there are some projects like podman-compose on github, didn't test it, yet though.

    • @DigitEgal 3 years ago +1

      That's the first question I thought about as well :D Did you already look it up @Synthetase2?

  • @dvp7388 1 year ago

    Excellent video most helpful
    Goodbye docker !!

  • @bradleystannard7875 1 year ago

    I broke docker so badly on my mac, it was easier to migrate to using podman than it was to install docker again

  • @henokhsatrio8804 1 year ago

    Does anyone here face an error when trying to make a checkpoint of an image, especially using Debian 11/12? The error is about CRIU. I have installed CRIU but the problem still remains. But on Fedora everything works just fine. Thank you

  • @MsTwte 3 years ago

    this video is about to blow up

  • @CharlFasching 2 years ago +4

    Think Podman is going to get much more attention, since Docker is enforcing their paid licensing from 31 Jan 22

    • @christianlempa 2 years ago

      Hmm I guess you're right! This video got many views since that time :D

  • @jeffreyplum5259 3 years ago +2

    It seems the Docker universe has many tools to manage, deploy and run docker containers. Knowing more of them means more ability to pick the right tools for the job. I am training myself on Docker and more server type stuff. I like that Linux desktops still have access to their server roots. I too prefer LTS Ubuntu releases, but the new XFCE 4.16 in 21.04 means I may jump ship. The fractional scaling of the desktop may save my old eyes. If Podman and other goodies come with it, so much the better. Thanks and god bless you all

  • @redlinejoes 1 year ago

    I use Rootless Docker, and I am evaluating Podman. That is why I watched this video. I don't think you demonstrated what features are lost when using Podman. I'll watch your other videos to see if they do a better job. A proper comparison would be between Rootless Docker and Podman. Comparing Rootfull Docker to Podman is like the old saying goes, "apples to oranges."

  • @roya2045 3 years ago +2

    Hey bro what are docker containers and what is its actual use in real time, where and when is it used. I don't have exp in develops, programming or databases

    • @AnteZivkovic 3 years ago +2

      You are in luck, there is a great video on that topic on the channel

    • @roya2045 3 years ago

      @AnteZivkovic Hey thanks for the reply can you share the link please

    • @AnteZivkovic 3 years ago +2

      @roya2045 no

    • @christianlempa 3 years ago +1

      This video explains the difference between virtual machines and containers, and you'll also find links to my other tutorials about docker, I hope this helps!
      th-cam.com/video/RAaU-Q5LN9s/w-d-xo.html

    • @qiuyue4082 3 years ago +1

      I hate such stupid question that are made just to pass some interviews. Go to the ffffffff docker homepage and start read for god sake

  • @fattheman1 2 years ago +2

    I would like to state a few things that i feel are not right in the video. However I haven't tried podman in a while but it's not correct to say that podman doesn't have a Daemon, it does, it's called systemd, some could argue that's better than having a dedicated Daemon but I am not sure about that. Podman in itself doesn't have the same capabilities as docker so it shouldn't be compared like to like. Podman follows the same principles of RHEL or typically Linux folks, which is one tool to do one job, docker is a massive application, as an e.g. podman doesn't build images, that is buildah, it might come with some basic functionality of buildah included but is not podman that is doing it, because of all this that's why podman is not really a replacement for docker in terms of local development or local environment. In addition to this today nothing stops you to run docker containers without root or in rootless mode, that has been improved massively on docker

  • @filipslezak5152 2 years ago

    Tbh i tried to switch from docker to podman but for some reason it never fully worked for me the way i expected so until podman becomes drop in replacement for docker i cannot switch to it.

    • @christianlempa 2 years ago

      I don't know what exactly didn't work for you, but podman is very similar to docker

  • @danielkurniadi8805 2 years ago

    what's wrong with runAsUser: 1000 in k8s manifest?

  • @tobiastaurianviana8035 2 years ago

    Is there some implementation like docker compose for podman? And does podman open ports automagically like docker does (going through the firewall)? For example, when I use docker on a server using ufw, docker opens the container ports to the world; does podman do the same thing?

    • @christianlempa 2 years ago

      There is podman-compose, regarding the ufw, I have no idea

  • @serhioromano 2 years ago

    Will podman ps show containers run by docker and vice versa?

    • @christianlempa 2 years ago

      Good question, haven't tried that

    • @serhioromano 2 years ago

      @christianlempa Don't. Not working. Podman launches its own instance of VM machine.

  • @Ho-un7lt 3 years ago

    Nice content, thank you :)

  • @021_dhruvaggarwal2 2 years ago +1

    Can I use it for Windows? If not, kindly suggest a tool which helps me to containerize my application

    • @christianlempa 2 years ago

      Containers also work on Windows but I haven't done it

  • @JosephJozwik 1 year ago

    Switching container technology or forced change through dropped support gets old.

  • @BayuSanjaya 1 year ago

    is there any performance improvement when using podman compared to docker?

    • @christianlempa 1 year ago

      I'm not sure but I don't think there is a significant improvement in performance

  • @AarshParashar 2 years ago

    Make a video on Youki

  • @permus3625 2 years ago

    Hey, a question please!
    I think when you add a user to the docker group, then he has just the privileges to run docker commands without sudo,
    but will not be a root user!

    • @christianlempa 2 years ago +1

      On Docker's official homepage they have a section where they warn about doing this, because giving someone docker group is like giving someone root access.

  • @twanveldhuis4820 3 years ago

    Really nice video, but I have a question. Can you use Podman in combination with Kubernetes?

    • @christianlempa 3 years ago +2

      No, Kubernetes has its own runtime environment, not based on docker or podman. But it's nice as podman also has a concept of running pods like in kubernetes. It won't hurt you to take a look at ;)

  • @fanciestbanana4653 2 years ago

    There is actually a daemon included with podman that is not enabled by default. It has the same API (albeit it's unix socket, not tcp).

    • @muayyadalsadi 2 years ago

      Podman does not need the daemon. For example, if you type "docker build" the context directory is archived and sent as a tarball to the daemon. In podman it just calls buildah directly, no tarball archive/unarchive. Same when you run, pull etc.
      If you type podman run then ps you won't see any daemon.
      The socket in podman is used by mac users to run a client in their IDE and pass the command to the podman in the VM.

    • @muayyadalsadi 2 years ago

      An example from the top of my head. One time I was running docker pull or docker build and due to some glitch in my network the daemon crashed. The price of that crash should have been failure to build or to pull but it was the entire daemon that crashed and all of the precious running containers died.

  • @headinthekloudz 3 years ago

    Can I learn Podman before docker, or I must learn docker 1st then podman?

    • @christianlempa 3 years ago

      Yeah you can just learn Podman and then later try out Docker. Podman is very similar and the container technology is exactly the same, just the runtime implementation is different.

    • @headinthekloudz 3 years ago

      @christianlempa thanks bro, will do!

  • @saysoy1 10 months ago

    1:18 communicating with a daemon that is running in the background, sounds a bit satanic

  • @UrbanGuitarLegend 1 year ago +1

    Podman is better, point blank.

  • @udgamcl 2 years ago

    please say the words: "we have ways of making you talk"

  • @AkamiChannel 3 years ago

    First

  • @user-ud8hw4gp6t 9 months ago

    What really confuses me, though: when I create a root container (from the host with sudo, not as root inside the container), it doesn't show up in Podman Desktop. That is just really confusing. I also don't yet understand how to share resources. You can create shared volumes, but what if, for example, I want to send an image that I store in virtual RAM (tmpfs) to another container: do I then have to use nginx, or docker compose?

  • @bogillstrom3593 1 year ago

    What about docker.sock:ro is that ”secure” ?