zlacker

[return to "A story on home server security"]
1. smarx0+P4 2025-01-05 13:38:36
>>todsac+(OP)
Docker has a known security issue with port exposure in that it punches holes through the firewall without asking your permission, see https://github.com/moby/moby/issues/4737

I usually expose ports like `127.0.0.1:1234:1234` instead of `1234:1234`. As far as I understand, it still punches holes this way, but to access the container, an attacker would need to get a packet routed to the host with a spoofed IP SRC set to `127.0.0.1`. All other solutions that are better seem to be much more involved.
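
As an added example that is not from the thread: a small shell audit that takes the output of `docker ps --format '{{.Names}}\t{{.Ports}}'` and flags every published port whose host binding is not loopback, i.e. exactly the mappings that end up reachable through the firewall holes described above. The `docker ps` output embedded in the script is a constructed sample so it runs offline; on a real host pipe the live command into `flag_public_ports`.

```shell
#!/bin/sh
# Added example, not code from the thread. Lists container port mappings
# that are bound to something other than 127.0.0.0/8 or [::1].
#
# Real-world use:
#   docker ps --format '{{.Names}}\t{{.Ports}}' | flag_public_ports

# Constructed sample of `docker ps` output (name<TAB>ports), one per line.
SAMPLE_PS=$(printf 'web\t0.0.0.0:8080->80/tcp, :::8080->80/tcp\ndb\t127.0.0.1:5432->5432/tcp\ncache\t[::1]:6379->6379/tcp\nworker\t\n')

# Reads "name<TAB>ports" lines on stdin; prints "name host-binding" for each
# mapping that is reachable from outside the host.
flag_public_ports() {
    awk -F '\t' '
    {
        name = $1
        n = split($2, maps, /, */)          # port list is comma separated
        for (i = 1; i <= n; i++) {
            m = maps[i]
            if (m !~ /->/) continue         # container-only port, not published
            split(m, parts, "->")
            host = parts[1]                 # e.g. 0.0.0.0:8080 or [::1]:6379
            if (host ~ /^127\./ || host ~ /^\[::1\]/) continue
            print name, host
        }
    }'
}

# Exit status 0 when nothing is world-reachable, 1 otherwise (handy in CI).
audit_sample() {
    out=$(printf '%s\n' "$SAMPLE_PS" | flag_public_ports)
    printf '%s\n' "$out"
    [ -z "$out" ]
}
```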

2. anthro+x6 2025-01-05 14:01:02
>>smarx0+P4
And this was one of the reasons why I switched to Podman. I haven't looked back since.
3. MortyW+xa 2025-01-05 14:39:59
>>anthro+x6
I want to use Podman, but I keep reading that the team feels podman-compose is some crappy workaround they don't really want to keep.

This is daunting because:

Take 50 random popular open source self-hostable solutions and the instructions are invariably: normal bare installation or docker compose.

So what’s the ideal setup when using podman? Use compose anyway and hope it won’t be deprecated, or use SystemD as Podman suggests as a replacement for Compose?

4. somebe+Va 2025-01-05 14:43:30
>>MortyW+xa
podman rootless running services with quadlet is not a bad start.
5. smarx0+Hd 2025-01-05 15:08:12
>>somebe+Va
Is there a tool/tutorial that assumes that I already have a running docker compose setup instead of starting with some toy examples? Basically, I am totally excited about using systemd that I already have on my system instead of adding a new daemon/orchestrator but I feel that the gap between quadlet 101 and migrating quite a complex docker compose YAML to podman/quadlet is quite large.
6. anthro+ij2 2025-01-06 13:10:59
>>smarx0+Hd
Search for podlet. It lets you do what you want.
7. smarx0+nU3 2025-01-06 21:54:48
>>anthro+ij2
WOW, thank you!