• 2 Posts
  • 30 Comments
Joined 1 year ago
cake
Cake day: July 1st, 2023

help-circle








  • There’s real usability benefits too. I’ve collected some anecdotes from Reddit:

    Rootless podman is my first choice for using containers now, it works fantastically well in my experience. It’s so much nicer to have all my container related stuff like volumes, configs, the control socket, etc. in my home directory and standard user paths vs. scattered all over the system. Permission issues with bind mounts just totally disappear when you go rootless. It’s so much easier and better than the root privileged daemon.

    and,

    If you are on Linux, there is the fantastic podman option “–userns keep-id” which will make sure the uid inside+the container is the same as your current user uid.+

    and,

    Yeah in my experience with rootless you don’t need to worry about UID shenanigans anymore. Containers can do stuff as root (from their perspective at least) all they want but any files you bind mount into the container are still just owned/modified by your user account on the host system (not a root user bleeding through from the container).

    finally,

    The permissions (rwx) don’t change, but the uid/gid is mapped. E.g. uid 0 is the running user outside the container, by uid 1 will be mapped to 100000 (configurable), and say 5000 inside the container is mapped to 105000. I don’t remember the exact mapping but it works roughly like that.



  • Hmm, well Fedora on its own (so no Silverblue) is very much your classic way of shipping a distro. That tends to mean that, over time, “cruft” accumulates as you upgrade your system, uninstall/reinstall packages, etc. They leave bits of themselves behind that can cause unwanted behavior.

    Fedora Silverblue, that Bluefin is based on, treats the entire system layer as “immutable”. Basically, it ensures consistency so that upgrades and package upgrades don’t leave the system in an inconsistent state.

    What Bluefin adds on top of this is a set of opinionated, pre-configured layers suited for getting particular groups of tasks done. Those layers are also immutable and tested as a whole, which makes shipping those layers at velocity easy (faster upgrades, less wonky behavior on upgrade) and easy to swap between, so you can go from gaming to developer mode without worrying about an accumulation of cruft.

    Is that helpful at all? There’s also this announcement blog post, which I found very helpful in understanding the value proposition.


  • Because it uses OCI images, it auto-updates like a Chromebook, and you can switch between modes, like say a gaming mode that’s a full SteamOS replacement, to a mode that gives you an entire development environment without needing to install and configure these layers or stacks of capabilities yourself.

    That’s very powerful. For cloud native developers like myself who are used to working with container images as the deliverable artifact, this makes that workflow very easy. Podman is included. You can create entire development environments at will that are totally “pure”: no side effects because everything you need is in the container. That’s a Dev Container.




  • For what it’s worth, I just wrote up a compose.yaml file as I’d write it for Docker Compose and it just worked. See the bottom of my comment on this GitHub issue for an example. I think the team’s intention is for it to transparently support whatever you’d write for a standard Compose file but of course we don’t have things like the brand new Docker watch. They do point to the Compose spec in the Podman Compose README. Bind mounts are good enough for me, thus far.