It's Making Me REPLACE Docker...

  • Published 6 June 2024
  • Podman is Docker, but secure by default thanks to a fundamentally different approach to containerisation and rootless operation. In this video I describe the benefits of Podman over a default Docker deployment, as well as some of the core principles that differentiate the two.
    I also show how to deploy a VM with a Proxmox template (more to come on that), how to install and configure Podman with Docker Compose files, as well as showing you how to deploy common apps like Portainer, Jellyfin, and Dashy. Could this be a Docker replacement for you?
    Docker Compose Files for Podman:
    github.com/JamesTurland/JimsG...
    Recommended Hardware: github.com/JamesTurland/JimsG...
    Discord: / discord
    Twitter: / jimsgarage_
    Reddit: / jims-garage
    GitHub: github.com/JamesTurland/JimsG...
    00:00 - What is Podman?
    01:50 - 3 Benefits of Podman
    04:01 - Proxmox VM Template
    05:43 - Installing Podman
    07:07 - Portainer Deployment
    09:04 - Podman Compose & Other Tweaks
    12:03 - Jellyfin Deployment
    12:35 - Dashy Deployment
    13:25 - Outro
  • Science & Technology

Comments • 112

  • @JustinJ.
    @JustinJ. 8 months ago +11

    That was awesome, i really enjoyed that and learnt a ton. Keep it up Jim!

    • @Jims-Garage
      @Jims-Garage  8 months ago

      Thanks, will do!

    • @paradiseonheaven
      @paradiseonheaven 7 months ago +1

      What? Docker is just a "container" for things like Ubuntu, but can run commands inside the dockerized version?
      But as someone mentioned, competition is great. It's also cool that the technology seems more "open". So we might be able to take Docker technology but make it more "modern".

  • @NetBandit70
    @NetBandit70 8 months ago +36

    Security is worth the effort. Why we have tolerated Docker's security as an afterthought approach for so long is beyond me.
    In a follow-up to this video, I'd like to see full hard mode:
    Podman in a LXC container under Proxmox with hardware passthrough of a discrete GPU to a Jellyfin Podman container.
    Thanks for giving Podman the exposure it deserves.

    • @Jims-Garage
      @Jims-Garage  8 months ago +10

      Thanks, security is often trumped by convenience...
      Any reason you'd put podman in an LXC over a VM for security? A VM is more secure than a LXC as it doesn't share the host's kernel.

    • @l4kr
      @l4kr 8 months ago +4

      lack of features from docker is crazy

    • @NetBandit70
      @NetBandit70 8 months ago +1

      @@l4kr Are there really that many features missing? I'd like to know what so I can know what I'm missing or if I might run into a future constraint.

    • @NetBandit70
      @NetBandit70 8 months ago +2

      @@Jims-Garage Well efficient use of storage and access to underlying host disk resources is the primary reason (in my requested use case).
      What I'd really like is for Proxmox to have dashboards/integration with Podman at the host level. That way we could cut out the nesting and hardware passthrough stuff. I think its relatively safe to do already but the Proxmox team recommends against it.

    • @cheebadigga4092
      @cheebadigga4092 7 months ago +3

      Docker isn't insecure if that's what you're saying. Rootless docker works exactly the same as rootless podman. LXC with rootless podman might work better though, since you don't need a daemon.

  • @ChatBot-qg2rb
    @ChatBot-qg2rb 8 months ago +1

    Awesome! I feel lucky I was recommended your channel. Your videos answered all of the questions I just had.

  • @ozmosyd
    @ozmosyd 8 months ago +1

    Excellent info. Thanks for sharing chap!

  • @wchorski
    @wchorski 7 months ago +1

    exactly what I was looking for. Definitely would like to see the pain points of transitioning from Docker to Podman.

  • @user-ug1eo4xb7z
    @user-ug1eo4xb7z 8 months ago +7

    I've tinkered with Podman in the past, but this is the first practical transition video I've seen that helps you over those got-ya moments. Definitely going to spin up a VM to try it out. Just from features point of view, Docker having a rival will keep the Docker developers on their toes.

    • @Jims-Garage
      @Jims-Garage  8 months ago

      Thanks, agreed. Competition is always healthy.

  • @JonBrookes
    @JonBrookes 8 months ago +4

    very well done Jim.
    I'm defo going to convert to Podman. Back in the day when I started out with Docker, security was a thing that was bandied about as to its likely use case; however, as time went on, exposing local ports, resources and of course running as root became issues, and you could as easily, in my view, end up with a Docker service that is configured to be nearly as vulnerable as using a single virtual to host flaky apps.
    Glad to have found your channel, the title of this video may have had something to do with its reaching me through the algorithm !

    • @Jims-Garage
      @Jims-Garage  8 months ago

      Thanks, and apologies for the clickbait thumbnail. Sometimes you just have to play the algorithm....

  • @chrisumali9841
    @chrisumali9841 8 months ago

    Thanks for the demo and info, Arrgggg now I have to re-think things... have a great day Jim

    • @Jims-Garage
      @Jims-Garage  8 months ago +1

      Haha, thanks! I wouldn't worry too much if you're already using Docker.

    • @chrisumali9841
      @chrisumali9841 8 months ago

      @@Jims-Garage Notice a cut on your nose, did docker do that to you, after you setup podman... LOL jk, I hope you get well soon, no one talks about #FightClub

    • @Jims-Garage
      @Jims-Garage  8 months ago

      @@chrisumali9841 I'm just embarrassed that I was beaten up by a 1 year old...

  • @spicynoodle7419
    @spicynoodle7419 7 months ago +2

    I use Podman on my personal computer running Fedora Kinoite. I managed to get some workplace projects that were set up with docker-compose onto Podman just fine.

  • @snowpoked
    @snowpoked 8 months ago +1

    Keep up the good work Jim! ✊

  • @lucianbuzatu4602
    @lucianbuzatu4602 8 months ago +4

    Hey Jim,
    You should try using Portainer stacks, which use the docker-compose plugin and save a docker-compose file in the Portainer data folder if needed.
    I believe this way there is no need to install podman-compose.
    Thanks for the video 🤟.

    • @Jims-Garage
      @Jims-Garage  8 months ago +4

      Thanks. Yes, that's definitely an option, and likely more user friendly long term. I like to teach what's going on under the hood first so that people understand it.

    • @cybr774
      @cybr774 8 months ago +1

      I also recently discovered that you can do gitops with portainer, deploy a docker compose file located in a git repo

    • @Jims-Garage
      @Jims-Garage  8 months ago

      @@cybr774 nice! I'm currently doing that with fleet in rancher.

  • @volkerswille
    @volkerswille 29 days ago +1

    Thanks for the introduction! And how do I get my containers to be restarted after a system reboot?

    • @Jims-Garage
      @Jims-Garage  29 days ago +1

      I'm going to come back to this in the near future with an updated Podman.
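
The follow-up Jim promises is not on this page. As an added example (not code from the video or from Jim's repo), here is the systemd route for restarting rootless containers at boot; it also covers @KrachaborasJB's later point about an unprivileged user, a mounted volume and a boot-time service. It assumes Podman 4.5 or newer (Quadlet, with the `UserNS=` key) and a systemd user session; the Jellyfin image, port and config path are illustrative. On the Podman 3.4.4 the video installs there is no Quadlet; there the equivalent is `podman generate systemd --new --files --name <container>` dropped into `~/.config/systemd/user/`, plus the same `loginctl enable-linger`.

```shell
# Added example, not from the video or Jim's repo. Assumes Podman >= 4.5 (Quadlet
# with UserNS=) and a systemd user session. Image/port/paths are illustrative.

# Emit a Quadlet .container unit for a rootless service that starts at boot.
#   $1 name   $2 image   $3 host:container port   $4 host_dir:container_dir
quadlet_unit() {
    name=$1; image=$2; port=$3; volume=$4
    cat <<EOF
[Unit]
Description=$name (rootless Podman, started by systemd --user)
After=network-online.target

[Container]
ContainerName=$name
Image=$image
PublishPort=$port
Volume=$volume
# keep-id: your host UID is the same UID inside the container, so files the app
# writes on the volume stay owned by you instead of a subuid you cannot read.
UserNS=keep-id

[Service]
Restart=always
TimeoutStartSec=900

[Install]
WantedBy=default.target
EOF
}

# Write the unit where Quadlet looks for rootless units; print the path.
install_quadlet() {
    dir="${XDG_CONFIG_HOME:-$HOME/.config}/containers/systemd"
    mkdir -p "$dir"
    quadlet_unit "$@" > "$dir/$1.container"
    printf '%s\n' "$dir/$1.container"
}

# Activate it. Quadlet generates <name>.service on daemon-reload (generated
# units cannot be "enabled"; the [Install] section above is what wires the
# service to boot), and enable-linger keeps user services running with nobody
# logged in. Not called automatically: it needs podman, systemd and a session.
activate_quadlet() {
    loginctl enable-linger "$(id -un)"
    systemctl --user daemon-reload
    systemctl --user start "$1.service"
    systemctl --user --no-pager status "$1.service"
}

# Usage (writes ~/.config/containers/systemd/jellyfin.container):
#   install_quadlet jellyfin docker.io/jellyfin/jellyfin:latest 8096:8096 "$HOME/jellyfin/config:/config"
#   activate_quadlet jellyfin
```

After a reboot, `systemctl --user status jellyfin.service` (or `podman ps`) as that user shows the container back up; without `enable-linger` the user's systemd instance, and every container under it, stops when the last session closes.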

  • @ninja2807
    @ninja2807 8 months ago +1

    Nice video. Thanks for sharing.
    I am wondering if portainer already deployed with Docker would be able to talk with a portainer agent deployed with Podman or the other way around scenario.

    • @Jims-Garage
      @Jims-Garage  8 months ago +1

      A good question, I don't know. I imagine it might be able to, as it's just sending commands over the network, and provided it has access to the socket it should work.

    • @neilcresswell6539
      @neilcresswell6539 7 months ago +1

      Yes, Portainer supports Docker, when podman is exposed using the docker socket emulation..

  • @dzmelinux7769
    @dzmelinux7769 5 months ago +2

    Good video, didn't miss the background distraction sound at all 😳😉 so, what about running GluetunVPN and running other container through the GluetunVPN container?

    • @Jims-Garage
      @Jims-Garage  5 months ago +1

      Great suggestion! I'll have to come back to that

    • @dzmelinux7769
      @dzmelinux7769 5 months ago

      @@Jims-Garage If podman can do this, then there wouldn't be a reason not to use it.

  • @barfnelson5967
    @barfnelson5967 7 months ago +1

    Can you do a video on getting NFS volumes to work in this setup? I followed along to test my current Docker setup on Podman and everything fails on the NFS volumes I use prodigiously in my docker compose files.

    • @Jims-Garage
      @Jims-Garage  7 months ago

      Sure, I'm guessing it's a permissions issue.
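
The "permissions issue" Jim suspects is, in most rootless cases, the user-namespace UID mapping: a UID inside the container is not the same UID on the host, so files the app writes on an NFS export land owned by a subuid the export never heard of. As an added example (not the video's or Jim's code), here is the default mapping worked through in shell, with a constructed /etc/subuid line and illustrative UIDs. `podman unshare cat /proc/self/uid_map` prints the real map on your VM.

```shell
# Added example, not from the video or Jim's repo. The /etc/subuid line and the
# UIDs in the usage below are constructed; the arithmetic is Podman's default map.

# Rootless Podman's default user namespace:
#   container UID 0      -> your own host UID
#   container UID k >= 1 -> subuid_start + k - 1, while k <= subuid_count
# so a process that is UID 1000 *inside* writes files as e.g. 100999 on the host,
# and an NFS export owned by host UID 1000 will reject or mis-own those writes.

# Start and count of a user's range from a subuid file ("user:start:count").
#   $1 user   $2 subuid file (default /etc/subuid)
subuid_range() {
    awk -F: -v u="$1" '$1 == u { print $2, $3; exit }' "${2:-/etc/subuid}"
}

# Host UID that container UID $1 becomes; fails if it is outside the range.
#   $1 container uid   $2 your host uid   $3 subuid start   $4 subuid count
host_uid_for() {
    cuid=$1; me=$2; start=$3; count=$4
    if [ "$cuid" -eq 0 ]; then
        echo "$me"
    elif [ "$cuid" -ge 1 ] && [ "$cuid" -le "$count" ]; then
        echo $((start + cuid - 1))
    else
        echo "unmapped"
        return 1
    fi
}

# Will the app inside (running as $1) be able to use files owned by host UID $2?
#   $1 container uid of the app   $2 host uid owning the volume   $3 your host uid
#   $4 subuid start   $5 subuid count
check_volume_access() {
    h=$(host_uid_for "$1" "$3" "$4" "$5") || {
        echo "fail: container uid $1 has no host mapping; widen the range in /etc/subuid"
        return 1
    }
    if [ "$h" = "$2" ]; then
        echo "ok: container uid $1 is host uid $h, which owns the files"
    elif [ "$1" = "$3" ]; then
        # The app wants to be "you": skip the remap with --userns=keep-id. This is
        # the right fix for NFS, where chowning to a subuid is usually refused.
        echo "mismatch: container uid $1 becomes host uid $h; start with --userns=keep-id"
    else
        # Local disk only: chown inside the namespace so host ownership becomes $h.
        echo "mismatch: container uid $1 becomes host uid $h; run: podman unshare chown -R $1:$1 <dir>"
    fi
}

# Usage with constructed values (me = 1000, range jim:100000:65536):
#   host_uid_for 1000 1000 100000 65536             -> 100999
#   check_volume_access 1000 1000 1000 100000 65536
```

The same arithmetic is why a compose file that worked under rootful Docker (where container UID 1000 really is host UID 1000) breaks on rootless Podman: nothing in the file changed, only who the kernel thinks is writing. In a compose file the keep-id fix is `userns_mode: keep-id` on the service.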

  • @sebasdt2103
    @sebasdt2103 7 months ago +1

    Man I've switched to podman and its security feels in its base state much better..
    Are you still running Podman in combination with Traefik? I'm bumping into an issue where rootless Podman can't open a port below 1024.
    So is there a way to do that, or to "redirect" port 80/443 inside the VM to the container?

    • @Jims-Garage
      @Jims-Garage  7 months ago +1

      I'll have to take a look and come back to you. That's a pretty common security feature though.
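
Jim's answer is not on this page. As an added example (not the video's or Jim's code), here is how to see which host ports in a compose file a rootless user cannot bind, and the kernel knob that changes it. It assumes a Linux VM with sysctl; the compose file in the usage is a constructed sample shaped like a Traefik plus Jellyfin stack, not Jim's.

```shell
# Added example, not from the video or Jim's repo. Assumes a Linux VM (sysctl);
# the compose file used below is constructed, not Jim's.

# Rootless containers can only bind host ports >= net.ipv4.ip_unprivileged_port_start
# (kernel default 1024). Podman cannot help: the bind happens with the user's
# own privileges, which is exactly the property the rest of the video wants.
DEFAULT_PORT_START=1024

# Print, lowest first, the host-side ports a compose file publishes that sit
# below the threshold. Handles the short syntax ("80:80", 443:443/tcp,
# 127.0.0.1:8080:8080); the long "target:/published:" form is not parsed.
#   $1 compose file   $2 threshold (default 1024)
privileged_host_ports() {
    file=$1; start=${2:-$DEFAULT_PORT_START}
    awk -v start="$start" '
      /^[ \t]*-[ \t]*"?[0-9][0-9.:]*(\/(tcp|udp))?"?[ \t]*$/ {
          gsub(/[" \t-]/, "")          # - "80:80"  ->  80:80
          sub(/\/(tcp|udp)$/, "")      # drop protocol suffix
          n = split($0, f, ":")        # host port is the second-to-last field
          if (n >= 2 && f[n-1] + 0 < start + 0) print f[n-1] + 0
      }' "$file" | sort -un
}

# Sysctl drop-in that lowers the threshold to the lowest port the stack needs.
# This is host-wide: every unprivileged process on the VM can then bind 80/443,
# so do it only on a VM dedicated to the container stack, as in the video.
sysctl_dropin_for() {
    lowest=$(privileged_host_ports "$1" | head -n 1)
    [ -n "$lowest" ] || return 0        # nothing below the threshold: no change
    printf 'net.ipv4.ip_unprivileged_port_start=%s\n' "$lowest"
}

# Apply and verify. Needs root; not run here.
apply_sysctl_dropin() {
    sysctl_dropin_for "$1" | sudo tee /etc/sysctl.d/99-rootless-ports.conf >/dev/null
    sudo sysctl --system >/dev/null
    sysctl net.ipv4.ip_unprivileged_port_start
}

# Usage:
#   privileged_host_ports docker-compose.yaml      # e.g. 80 and 443 for Traefik
#   apply_sysctl_dropin docker-compose.yaml        # then restart the stack
```

If you would rather keep the kernel default, publish Traefik on 8080/8443 and redirect at the host firewall instead (with nftables, once an `ip nat` table and `prerouting` chain exist: `nft add rule ip nat prerouting tcp dport 80 redirect to :8080`); that keeps the privileged-port boundary for every other user on the VM at the cost of one more moving part.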

  • @mikeymop
    @mikeymop 8 months ago +2

    ❤️ Podman, it came at the perfect time

  • @olafschermann1592
    @olafschermann1592 4 months ago +1

    Thank you!

  • @sku2007
    @sku2007 7 months ago +1

    regarding the template, I have a debian 12 cloud-init template. but need to "sudo apt install qemu-guest-agent" to be able to shutdown/restart from within proxmox. does ubuntu have it installed as default? or have you installed it in the template and done the machine-id reset stuff (don't remember exactly) ?

    • @Jims-Garage
      @Jims-Garage  7 months ago

      I haven't installed it, yet. I'm proposing to come onto that at a later date. I prefer to not template any apps etc. Post deploy via ansible is my preferred method.

    • @sku2007
      @sku2007 7 months ago

      @@Jims-Garage I see, thanks! My workaround is a note in the template in PVE; this gets cloned too. I also install locales and set vim to dark.

  • @davidbayliss3789
    @davidbayliss3789 3 months ago

    Glad I fell for the clickbait: subscribed. :)
    I really struggle with time. I struggle to remember stuff. Most people I work with and deal with seem to view complexity as something that doesn't really exist when it's in your head. If it's expressed in written form, it's complicated. If it's to be remembered in your head, it's simple. I'm at odds with the world lol. I struggle with people.
    In my day job as a dev I'm tiring my brain with finding solutions with technologies acceptable to the working environment, and dealing with the problem domain of the business. My tooling is centred around Windows, Azure, Visual Studio etc. Little [explicit] containerisation.
    At home I also like IT and electronics and use a mix of Linux/windows and generally like "systems".
    I started working in IT in 2016 ish, and became a dev a bit later. Been in my current dev role for about 4 years, and the one before that - dunno ... maybe 1.5 years or something, with a gap between.
    At home I have little space. Several computers, large datasets and much electronics tooling etc. No money but lots of debt lol. I love data, but can't remember anything. I love stability, but keep experimenting. I want simplicity, but the things I want that better conform to my expectation don't exist or at least aren't commercially available. Building stuff requires free time, headspace, real space etc. that I don't really have and trying to do stuff introduces high levels of instability to my mind and my environment. I live in perpetual conflicting priorities manifest around me and in persistent brain fog from chronic fatigue and overwhelming stimulation.
    --
    Trying to bring apparent order to chaos obviously invites automation and containerisation etc.
    Current problems I face are that LLMs promise so much! They promise to help me stay organised; especially by leveraging RAG with organised documentation I'm trying to build for my overall "state". And then a voice enabled interface etc. with some agency and memory. While I possess a lot of compute, it's distributed and I only have one up-to-date machine with a reasonably powerful GPU (RTX 4070). I can't afford virtualised GPU (locally). My old Xeon machines, albeit armed with plenty of ECC RAM ideal for ZFS etc., are limited in what they can do with transformer based LLMs / ML when CPU bound. I'm hoping to get some old Quadro cards at some point though to help.
    I always seem to be in a chicken and egg situation. Especially right now as I'm trying to upgrade a lot of stuff to 10Gb SFP+ based networking and all my datasets to ZFS with either mirroring or n1 or n2 Z-raid sets where possible and even though I'm only really looking at maybe 50TB or so of existing data and a target capacity of around 100TB with two on-prem redundant copies: all this has proved a considerable challenge because of legacy limitations of the equipment I possessed and organic growth unchecked due to lack of time to manage it. I want ZFS (with native encryption that hasn't messed-up for me yet) so that I can stop worrying so much about bit rot of my precious data.
    My electronics interests align with battery management / power electronics / power distribution and management etc. and it's hard to work on that in my every-day work space especially when it's for the foundational aspects of managing my systems. I have to mount things on the walls lol. I don't leave the Xeon machines on all the time as they consume electricity like there's no tomorrow.
    My two passively cooled Frost Canyon NUCs - I7's each with 64GB RAM, bolted to the wall lol, are great in so many ways ... in fact I run a VM on one for my work environment and it's fast enough for dev work, and I run pfsense on both with failover and syncing etc. but the machines are limited by 1Gb networking. I have USB to 2.5Gb adapters but throughput can be limited if using USB also for multiple disks attached. They only have one Thunderbolt port. Thunderbolt networking works fine in Proxmox and I've used my RTX 4070 initially in a cheap Thunderbolt eGPU dock thing from Ali Express and that worked well ... but with just one Thunderbolt port I can't daisychain between machines, and I can't afford yet a thunderbolt external device with multiple PCIE slots.
    My main machine is Proxmox based with Windows as the daily driver VM. I pass the GPU through to that normally. I don't nest WSL with that windows VM. My conceptual approach was for more efficient utilisation of my resources strategically using LXC containers, VMs, and docker etc. Though now I'm presented with architectural compromise e.g. if my GPU is essentially dedicated to my windows VM in practice, then for LLM stuff when I want more oomph I need to have a server running for that on my Windows machine. It's so annoying because Ollama is lovely and runs well in LXC / docker and so on and fits in with my other architecture so well but I'm limited with CPU bound stuff. That's another complexity ... my 13th gen I7 hybrid cores. Proxmox is easier to work through that than VMware but still, it's a lot of faffing about. I try to script everything now - so that I can make that available for RAG also to supplement my fading memory but that requires huge amounts of time. I'm not intuitive in BASH, or Python even. I wish I could do everything in C# lol (half of my day-job). I'm trying to do that with .Net on Linux, but that takes time!
    With limited time and knowledge, and surrounded by so much chaos and moving goalposts, it's really hard to balance convenience / getting things done / using limited resource efficiently, and security. There's always compromise and uncomfortable sacrifice.
    Much of the time I feel like I'm drowning in chaos.
    In my chronic brain fog I often blindly look about, watching YouTube and the like, partly hoping for "simple" solutions that don't require you to be focused on some technology or goal that excludes everything else. I like solutions that I can "containerise" (lol) and adapt to my situation as painlessly as possible.
    So when I find videos where people present knowledge and approaches and solutions that I can adapt to my needs, I'm very happy. Thank you.
    I want everything. Simple implementation. Sophisticated deployment/implementation potential. Efficient resource use. Self documenting. Convenient. And secure. I'm hard to please lol.

  • @MrVampify
    @MrVampify 7 months ago +2

    I wanted to make a comment on the security claim as what was said is actually not true.
    Yes in general you don't want something to run as root but there is a difference between the daemon that manages the namespaces and the namespaces themselves.
    A compromised container CANNOT compromise a host without chaining a namespace vulnerability that can break out of a container.
    There was a vulnerability in --userns-remap in which someone needed to intentionally map the container root to host root to be a breakout vulnerability.
    Claiming podman is more secure than docker for this reason is like saying debian is more secure when you only login as a non-privileged user.
    Technically, it is better practice, but is it more secure overall?
    A good sysadmin should be implementing better security instead of the software itself.

  • @rapalstudios63
    @rapalstudios63 8 months ago

    How did you solve the network naming issue? Bridge won't work nicely with Podman and Portainer.

    • @Jims-Garage
      @Jims-Garage  8 months ago +1

      Did you create the network manually?

    • @rapals9413
      @rapals9413 8 months ago +1

      @@Jims-Garage Currently that's the only way I see. Is there any trick you have?

    • @Jims-Garage
      @Jims-Garage  8 months ago

      @@rapals9413 can you pop on Discord and share any logs? Should be easy to fix 🤞

  • @jhonyortiz5
    @jhonyortiz5 8 months ago +2

    I am VERY new to Docker and have zero experience in networking. I tried setting up Jellyfin with hardware transcoding on rootless Docker. Didn't work. Had to use Docker with root access. But like I said, I'm new to this, and I don't really know anything about user groups. Just wondering if Podman would make this easier.

    • @Jims-Garage
      @Jims-Garage  8 months ago +2

      If you're new to this it's probably worth learning docker first as it's more forgiving and basically the same thing. Being root makes things much easier, but be aware that you'll want to come back and fix that at a later date.

  • @fedefede843
    @fedefede843 7 months ago +2

    Nice. Might give podman a second chance. Rootless mode works much better under podman

  • @austin0arbour
    @austin0arbour 8 months ago +13

    Podman 3.4.4 is ancient and unfortunately Debian based distros don't keep up to date well. I highly suggest deploying a Fedora VM to get the latest version of Podman, 4.7.X I believe, and deploy your container stack using Quadlet. It is simply fantastic!

    • @Jims-Garage
      @Jims-Garage  8 months ago +3

      Thanks, that likely addresses the CNI issue, I'll check that out.

  • @rudypieplenbosch6752
    @rudypieplenbosch6752 8 months ago

    That is very interesting info, i will think about jumping ship.

    • @Jims-Garage
      @Jims-Garage  8 months ago

      Definitely worth testing and seeing how it feels

  • @tonychia2227
    @tonychia2227 3 months ago +1

    How to install and setup proxmox virtual environment?

    • @Jims-Garage
      @Jims-Garage  3 months ago

      Check one of my earlier videos, video 8 I think.

  • @thespencerowen
    @thespencerowen 5 months ago +1

    Podman doesn't work with mount option `Z` on OSX, which makes it impossible to use with ansible-navigator. I've had to go back to docker.

    • @Jims-Garage
      @Jims-Garage  5 months ago

      Ok, good to know. I'm going to come back to it soon with version 4. Perhaps it's compatible now.

    • @ultravioletiris6241
      @ultravioletiris6241 2 months ago

      @@Jims-Garage have you tried podman with ansible lately?

  • @Seba11PL
    @Seba11PL 2 months ago

    So many troubles to do what docker has out of the box 😀This video proved that docker is more mature product 😁

  • @olafschermann1592
    @olafschermann1592 4 months ago +2

    Can i run podman on my docker machine side by side?

    • @Jims-Garage
      @Jims-Garage  4 months ago

      Good question, I don't know. Probably not, and probably shouldn't though. Choose 1

  • @PW-72648
    @PW-72648 8 months ago +1

    What if I always use docker but as a separate user 'xyz' which doesn't have root privileges? It's simply part of the docker group.

    • @Jims-Garage
      @Jims-Garage  8 months ago

      Yes, you can run docker as non root as per: docs.docker.com/engine/security/rootless/

    • @PW-72648
      @PW-72648 8 months ago +1

      @@Jims-Garage I was actually asking if you don't think it's enough to be secure and not switch to Podman at this point :). Additionally, we can make sure that the container itself is not running as the root user inside.
      As others said, I think it's nice to have an alternative, but it's too early in my opinion to use Podman in general. Also didn't have much luck on macOS when I tried to use it a long time ago!

    • @Jims-Garage
      @Jims-Garage  8 months ago

      @@PW-72648 there are a few nuances, containerd is the runtime for Docker which is fine, but "Docker" in the broader sense is usually more than is needed and introduces some of these security issues. Docker to me is great for development, quick and easy, but not for production. Containerd and podman are better for production.

  • @PaulMetalhero
    @PaulMetalhero 8 months ago +3

    It works with portainer, great!

    • @Jims-Garage
      @Jims-Garage  8 months ago +2

      Yes, sure does! Keen to hear your experiences if you use it more extensively.

  • @Berkto00
    @Berkto00 6 months ago +2

    for more seamless experience, set up an alias docker=podman lol :D

  • @monish05m
    @monish05m 8 months ago +5

    Yeah, doesn't look like it's as seamless as you think. I'll stick to Docker for now; I really don't want to bang my head against config files just to run a container. But competition is good.

    • @Jims-Garage
      @Jims-Garage  8 months ago +1

      Yes, not totally seamless but it's a good alternative if you're in the market for changing.

    • @monish05m
      @monish05m 8 months ago

      @@Jims-Garage I'd love a replacement for Portainer tbh, after the recent free licence crap they pulled changing from 5 nodes to 3. Tried Yacht but it's nowhere close.

    • @Jims-Garage
      @Jims-Garage  8 months ago +2

      @@monish05m I'll be doing Kubernetes soon so rancher can be your new home 🏡

    • @thestreamreader
      @thestreamreader 6 months ago

      My challenge always is who is really hiring for people who know podman. Docker just has the name at this point.

  • @elprogramadordelaweb
    @elprogramadordelaweb 7 months ago +1

    If someone in the comments knows: have you tested this for software development on Macs with the M1/M2 architecture? Because actually I really hate the resource use of Docker on it.
    And tbh I don't want to switch if the alternative is worse xD

  • @KrachaborasJB
    @KrachaborasJB 7 months ago

    For a demo it's nice etc., but try to run a container with an unprivileged user, an app with an unprivileged user inside the container, mounted volumes, and to start it on system boot as a service, and you will see the real Podman "beauty".

  • @wsambian
    @wsambian 7 months ago +3

    Podman is slow as compared to Docker. I tried to run express app and it was laggy

    • @Jims-Garage
      @Jims-Garage  7 months ago

      It all depends, both have their pros and cons and some apps do run better on different platforms. For most situations Docker is perfectly fine.

  • @bluesquadron593
    @bluesquadron593 8 months ago +6

    Hei Jimbo, got into a bar fight? :)

    • @Jims-Garage
      @Jims-Garage  8 months ago +8

      Yes, never fight with a 1 year old!

    • @brtkcs
      @brtkcs 8 months ago

      😅 They are dangerous. Btw thanks for the video, I'm also thinking about the transition; have you thought about the /lxc fedora server freeipa combination under Proxmox?

  • @richardbennett4365
    @richardbennett4365 8 months ago +2

    Podperson or podwoman.
    Or podfemme and podhomme.

  • @Siqum
    @Siqum 7 months ago +2

    Please make podman videos

    • @Jims-Garage
      @Jims-Garage  7 months ago +1

      I'm likely sticking with docker and kubernetes, I don't want to spread too thin. Hopefully with this video you can just apply the compose files to Podman.

  • @blender_wiki
    @blender_wiki 4 months ago

    In production there is no choice: just use Podman.

  • @spicynoodle7419
    @spicynoodle7419 7 months ago +1

    Why do you still use apt-get in (almost) 2024? Just use apt; fewer words, better.

    • @Jims-Garage
      @Jims-Garage  7 months ago

      You're right, habit is a cruel mistress. I actually use an alias for most of my stuff and just type update.

  • @nevinhorton212
    @nevinhorton212 6 months ago +1

    I hate that I fell for the clickbait.

  • @batboy49
    @batboy49 7 months ago +2

    Please... do not say NANO to edit a file; say EDIT a file, we all use different editors. For some reason it sets me off a bit; nano just blows as an editor. That did not really mar your beautiful presentation, it was a great overview of Podman, and I am thinking I will be migrating to Podman.

    • @Jims-Garage
      @Jims-Garage  7 months ago

      Sorry, bad habit, a bit like saying "I'm doing the Hoovering". Thanks for the feedback though 😃

    • @batboy49
      @batboy49 7 months ago +1

      @@Jims-Garage I know I am from the southern united states where we have coke, orange coke, and clear coke....

    • @Jims-Garage
      @Jims-Garage  7 months ago

      @@batboy49 😂

  • @MysticCaravan
    @MysticCaravan 2 months ago

    Your audio is very low, it needs help.