
Mike Kreuzer

Rootless Docker Compose with Podman

30 March 2023

I have to open by acknowledging the proverbial elephant in the room. In Australian slang, Australia being where I'm writing this, root is one of the many (many) euphemisms we have for sex, and it's used much like other equivalent slang terms. As in the insult "get rooted", which means just what you think it might. The teenage boy in me would demand nothing less than full disclosure on this score.

Docker turned openly evil a few weeks ago. More so. They've threatened to delete "unused" containers before, but now it's open source they're targeting. Docker's actions should at the very least mean everybody using containers should be thinking hard about their software supply chains, because some relied upon piece of open source software's likely to no longer be on Docker Hub just when it's needed most. Docker's also fostered some very bad DevOps habits around running containers as root (tee hee). So as often happens, a good story's gone bad.

Both of these problems, of not running containers as root, and of not relying on Docker Hub, could perhaps eventually be solved by using Red Hat's Docker alternative Podman, but it's not quite there yet. Podman itself seems OK. In my limited experience of it by itself it works much like Docker does, except that it's also easy to point it at different container repositories. There's the problem of what those repositories will end up being, because I suspect it's likely to mean relying on the good graces of Microsoft & GitHub instead of on Docker, but I didn't get far enough along to worry about that yet. Problems rapidly mounted when I tried to get Docker Compose to talk to Docker as a non-root user.

Docker without Docker Compose means a lot of one-off scripting, or worse, cutting & pasting commands. It's not a production-ready solution by itself. Podman likewise. People do it, you can do it, but I wouldn't. Docker Compose should be able to talk to Podman over a REST API, but as far as I can tell everything needs to run as root, Docker-style, for that to work. On Debian anyway. I haven't tried this on Fedora, perhaps it's possible to make it work there, but the documentation story is, well, almost completely nonexistent, so I don't know.

Because this is obviously a moving feast it's worth pointing out this was with Podman v3.0.1 from Debian 11 Stable, and Docker Compose v2.17.2, which was the latest on GitHub at the time. I tried to build Podman from source to get a more up-to-date version, but no dice. I also tried to get a more up-to-date version of Podman out of Debian Testing and Unstable, and that's when bad things happened. Mixing C libraries like a fool, very bad things happened. I broke it. Everything. I saw the Debian sad PC screen. I had to reinstall Linux. Again.

I'm on the Debian Stable train for now, so I'll wait. Once it's all more stable & better documented Podman feels like it's going to be the future. There is a Podman-specific version of Docker Compose too, Podman Compose, but I didn't try it. It calls Podman commands directly rather than via the REST interface so maybe that would work. The little I read about it said using it means rewriting Docker Compose files though, and that's not going to happen for me until Docker ramps up its evil game some more. So, some time soon I suppose.