I use nftables to set my firewall rules. I typically manually configure the rules myself. Recently, I just happened to dump the ruleset, and, much to my surprise, my config was gone, and it was replaced with an enourmous amount of extremely cryptic firewall rules. After a quick examination of the rules, I found that it was Docker that had modified them. And after some brief research, I found a number of open issues, just like this one, of people complaining about this behaviour. I think it’s an enourmous security risk to have Docker silently do this by default.

I have heard that Podman doesn’t suffer from this issue, as it is daemonless. If that is true, I will certainly be switching from Docker to Podman.

  • Molecular0079@lemmy.world
    link
    fedilink
    English
    arrow-up
    55
    arrow-down
    1
    ·
    10 months ago

    If you use firewalld, both docker and podman apply rules in a special zone separate from your main one.

    That being said, podman is great. Podman in rootful mode, along with podman-docker and docker-compose, is basically a drop-in replacement for Docker.

    • Dandroid@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      2
      ·
      10 months ago

      I’m a podman user, but what’s the point of using podman if you are going to use a daemon and run it as root? I like podman so I can specifically avoid those things.

      • Molecular0079@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        10 months ago

        I am using it as a migration tool tbh. I am trying to get to rootless, but some of the stuff I host just don’t work well in rootless yet, so I use rootful for those containers. Meanwhile, I am using rootless for dev purposes or when testing out new services that I am unsure about.

        Podman also has good integration into Cockpit, which is nice for monitoring purposes.