undefined | Better HN

0 points2OEH8eoCRo01y ago0 comments

That's my take as well. Red Hat's design choices fit into Linux much more neatly. Docker has always been rubbish with late cgroups v2 support, punching holes in my firewall, no rootless, etc.

0 comments

mmh00001y ago

> punching holes in my firewall

I teach various Linux training courses. One of which is Containers. It always shocks several people per-class how Docker just blatantly ignores and rewrites existing firewall rules. And there's no real option to prevent that unless you want to manually configure ALL network routing.

For me personally, that was one of the big issues the pushed me over to Podman.

Also, Docker's insistence on "forcing" and preventing the disabling of using the malware-ridden Docker Hub didn't help me appreciate their security practices.[]

[]

https://jfrog.com/blog/attacks-on-docker-with-millions-of-ma...

https://www.infosecurity-magazine.com/news/malicious-contain...

https://www.bleepingcomputer.com/news/security/millions-of-d...

https://www.bleepingcomputer.com/news/security/docker-hub-re...

https://sysdig.com/blog/analysis-of-supply-chain-attacks-thr...

... ETC ...

hughesjj1y ago

I want to switch to podman. What are the general gotchas and difficulties you could see in doing that for multi architecture+os builds/deployments?

xelamonster1y ago

You might just be convincing me to switch, I generally love docker and compose but the firewall thing still blows my mind and that there still just is not a solution.

My workaround has been to bind all docker port forwards to localhost and only ever expose them externally via reverse proxy. Which is annoying because that means I can't run the reverse proxy itself in docker.

justinclift1y ago

> It always shocks several people per-class how Docker just blatantly ignores and rewrites existing firewall rules.

Yeah. Many times I've mentioned that to people, and they just don't believe it's a thing which Docker does. Including here on HN. :/

j / k navigate · click thread line to collapse