A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.
Resources:
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
What expected problems did podman end up surorising you with? Is the software more stable and not constantly updated like docker? I want to move to podman at some point as well and I understand for a lot of cases it is just "drop in" but I run a lot of containers and I'm skeptical it'll be that simple.
Especially with software distros like home assistant and matrix both explicitly pushing you to official docker due to some features.
I switched at work because of the license changes docker did. I noticed that for my work workflow, podman was a direct remplacement of docker.
For my homelab, I wanted to experiment with rootless and I also prefer to have my services handled by systemd. Also I really like the built-in auto update from podman
The hardest part for me was to switch from docker compose to quadlets, but there is podlet to help with the conversion.
I stayed with podman compose. Do the quadlets specification have an advantage?
i too am on the docker to podman quadlet train! i switched from a ubuntu server running docker to a pretty stock ucore server with podman.
i put all my containers in a podman network. im using nginx proxy manager with inside ports 80, 81, and 443 mapped to 9080, 9081, and 9443 to keep the container rootless. i have the firewall configured witn port forwarding 80, 81, and 443 back to 9080, 9081, and 9443.
ucore is from the universal blue project and based on fedora's coreos, so it comes with firewalld instead of ufw.
I wanted to do something similar. But I grouped some containers using pods and it seems it broke the networking.
Eventually I kept the pods, and exposed everything to the host where caddy can meet the services there. Not the cleanest way, especially as my firewall is turned off.
ah you may need to make sure the pods are added to the network. i specified the network in the .pod quadlet.
im kinda digging the podman network setup as I dont have to map a bunch of port 80s to ports on the host and keep track of them. i can just tell the proxy whatever service is running on http://{container_name}:80. that is, after I found out I needed to make a new podman network because the default "podman" network doesn't do DNS lol.
Does Podman actually open the ports like Docker do? I was of the impression it did not. But it's entirely possible that I might be wrong.
I would be disappointed if it did. I'm moving to Podman as well just because of the firewall issue in Docker.
Edit: After some searching I'm convinced Podman does not mess with the firewall unless instructed to do so. Have you tested that the ports are actually opened up?
I should have clarified this. It does not open the ports, but I have setup my firewall to allow a range of IP and the traffic is still blocked.
I have noticed some inconsistency in the behavior, where the traffic would sometimes work upon ufw activation but never work upon reboot. Knowing how docker works, I thought podman would also mess with the firewall. But maybe the issue comes from something else.
I think you have an X/Y problem.
Rootless podman requires no special firewall management. Like docker, you mearly expose you want in the container, and if you want those ports accessible outside the machine, the firewall has to allow access - just like any other program.
How is your podman configured? To use pasta, or slirp4netns? I often have trouble with pasta - I merely haven't spent the time to figure out the details of using it - so I always just switch (back) to slirp4netns, which was the original network tool. Do this in /etc/containers/containers.conf, or dig into pasta and see if there's something in there. The pasta package is actually called "passt."
Did you set up subuid and subgid correctly?
Did you confirm you can access your services locally?
If you are using slirp4netns and have your account configured in subuid and subgid, then rootless podman should function as any other networking program, and you shouldn't have any firewall issues.
As an aside, and just my humble opinion, I really hate firewalld. It makes firewall configurations complex and byzantine, and almost impossible to work with with other tools like nft. I'm sure it is great for some people, but anytime you add more complexity to a configuration, you add more opportunity for something to be incorrectly configured. I hate fighting with it, and have had times where I struggled to get it to open a port: I was in the wrong "zone", or was in persistent mode rather than runtime mode, or whatever. It's just unnecessary added complexity, and lately if the distro installs it I just uninstall it first thing and use nft.
If you followed the rootless podman wiki and everything else looks good, I'd look suspiciously at firewalld.
Yes maybe, I will edit my post to better explain the issue I’m facing.
I’m using pasta. I can see some weird, for instance some services can access other through host.containers.internal and for others, I have to use 192.168.1.x
That does sound like it's something else.
May I ask what services you're running, and to see your Quadlet files? I'm about to make the same move.
Mainly Immich, paperless and jellyfin
Fedora server has cockpit preinstalled. That's what I use. With cockpit it's very easy to adjust the firewall.
It's not a direct solution to your problem but may show you what else is possible