Running Podman in production for years now, and I don't miss the Docker daemon one bit.

I just published a deep dive on managing OCI containers the Unix way: daemonless, rootless, and natively integrated with systemd via Quadlets.

I cover:
- Real secrets management
- Auto-updates via systemd timers
- The Docker compatibility layer

This is the guide I wish I had when making the switch.

Read it here: https://blog.hofstede.it/podman-in-production-quadlets-secrets-auto-updates-and-docker-compatibility/

#Podman #Linux #DevOps #Systemd #Homelab #Sysadmin #Containers

Podman in Production: Quadlets, Secrets, Auto-Updates, and Docker Compatibility

An opinionated production-ops guide to Podman on Linux servers - why I prefer it over Docker, how Quadlets replace Compose files, and practical patterns from real deployments including secrets mana...

Larvitz Blog

@Larvitz Thanks for this great guide! I'm also a heavy user of
podman for years, and it's my number one solution for deploying services.

I had a question about the pod-in-pod deployment of forgejo / traefik:
giving access to the docker.socket allows those pods to create pods, but then
they can create privileged pods which mount the root volume of the host, right?
Even with the NoNewPrivileges arg?

Is there a way to control what a pod having access to the docker.socket can
create?