You must log in or register to comment.
Docker. It’s been around longer, it’s more polished, easier to learn, simpler to use, supported everywhere and by everything, easy to find solutions when you search for help, doesn’t depend on systemd, compatible with every container image out there, and you can do things with it even if it’s not the “correct” way to do it while podman will tell you “no, you can’t do that”.
Don’t overthink this. Just start using something.
I’d go Docker for the maturity. Podman is nice but I’ve definitely had some issues, and Buildah lacks any sort of caching and does unnecessary intermediate copies of the layers when pushing to a repository that really slows things down on larger apps/images.
If your distro offers it, rootless podman + podman system service is the best setup, IMO. That will give you a
dockercommand that is 1-to-1 compatible with docker and lets you use tools like docker-compose that expect a docker service socket. Then you can just follow tutorials that only explain things for docker.will it let you do rootless nfs mounts into the container? That’s the showstopper for me, as that is by far the best way to just make this all work within the context of my file storage.
What is rootless bring brought up so much? It’s a container, it’s isolated from the host anyway, what does it matter what user runs inside? And if something breaks into the container they can trash the app in it and the shared volumes anyway, even if they’re not root.
Defense in depth. If something escapes the container it’s limited to only what’s under that user and not the whole system. Having access to the whole system makes it easier for malware to hide/persist itself.
Correct me if I’m wrong but containerization is enforced by the kernel, correct? If something escapes you’re pretty much screwed anyway.
There are many layers involved in preventing escapes from containers.
