Rootless Docker in a multi-user environment (opens in new tab)

I've used rootless podman for development for several months now.

I had a few issues in the beginning, but in the end the solutions were rather trivial. I had to:

- Delete config files from previous podman versions (pre 4)

- Enable the docker socket (for my user)

- Use docker compose 2 rather than "podman compose" or an older docker compose (shipped with the distro)

We mostly use docker-compose files for our dev setups, so I can't say if I'd run into issues with more elaborate setups. But I must say that it works extremely well for me.

You are absolutely right.

However, if your company has already highly invested into using Docker, the fact of something working OOTB in any other piece of software doesn't convince to make a decision to switch.

On top of that, our DevOps team is pretty happy with Docker :)

Possibly, the web server was down due to a large number of requests. I have a lot of stuff on the server running in containers, but limited my httpd instance to 1 CPU core and 1 GB of RAM. Better upgrade it, I guess.

Not docker specific, but there are still lots and lots of servers out there running multiple services. Especially in my home-lab! Each service runs under a service-specific user, sometimes with extra hardening applied by systemd. It's a tried-and-true method for gaining some semblance of security boundaries on a shared server without the additional administration overhead of kubernetes or similar.

A more relevant use case to industry might be a CI machine that you want to get better utilization out of. Easy, just start of multiple CI runners under different users. "Just use Kubernetes" I hear someone screaming? Well, sometimes you need CI on macOS.

I run a multi-user Linux server. It's IBM POWER9 hardware and several of my friends in the open-source community who care about testing on something other than x86, or who are interested in different architectures or playing with its unique capabilities such as quad-precision floating point implemented in the hardware appreciate having shell access to it.

Let's say you have some centralized monitoring of various host metrics. The ingestion process needs some amount of privileged access. But you don't want to give it full root. Meanwhile, your actual service probably needs no privileged access, save for some secrets which should also be inaccessible for the monitoring agent process. You may want to run both of these as containers.

I guess you may be using SELinux but even so, users and groups are natural parts of expressing and enforcing such constraints.

>> Why would those be multi user? For prod, why isnt it cattle where you don't ever SSH onto the server?

I hate the cattle not pets analogy, do you know how well taken care of most cattle are?

If your operating at google/fb/apple scale then yes you can have this approach. There are lots of business that DON't need, want or have to scale to this level. There are lots of systems where this approach breaks down.

Docker is great if you're deploying some sort of mess of software. Your average node/python/ruby setup with its run time and packages + custom code makes sense to get shoved into a container and deployed. Docker turns these sorts of deployments into App Store like experiences.

It doesn't mean is the only, or a good approach... if your dev env looks like your production env, if your deploying binaries then pushing out as a c-group or even an old school "user" is not only viable it has a lot less complexity.

As a bonus you can SSH in, you have all the tools available on a machine, you can tweak a box to add in perf/monitoring/debug/testing tools on there to get to the source of those "it only happens here" bugs...

Aren't most HPC clusters multiuser?

We have over a dozen of production servers. Both our DevOps engineers and developers have access to these servers in case something needs to be fixed or configured.

Shared webhosting is still done with multi users.

If it works as I understood, in this setup I can see an advantage at an architectural level: in Podman containers images are stored on a per-user basis, while in this setup they would be shared between users, thus using much less disk space (if using the same base images). Besides this, I actually have the same question.

What do you mean by "adding rootless"?

The docker daemon is running as root in that scenario. So anyone in the Docker group can trivially become root by starting a privileged container.

Oh man, Singularity… I once wrote: “In the shipping container analogy, you can think about Singularty containers as if they have no walls.” [1]

[1] https://sarusso.github.io/blog/container-engines-runtimes-or...

At the risk of showcasing my bubble: Lack of exposure; how many people even know what singularity is or how to use it? I know it's used in scientific HPC, but I don't see evidence of wider adoption.

I think it is a few things together. The rootless and daemonless design leads to UX differences with Docker. Because of the differences, it isn't just a drop in replacement; porting applications can be a pain if they do anything weird (no network isolation, --containall isn't default and still is a bit different when on, etc). And Docker has a ton of momentum and usage.