amelius 7 hours ago

What I hate about docker and other such solutions is that I cannot install it as nonroot user, and that it keeps images between users in a database. I want to move things around using mv and cp, and not have another management layer that I need to be aware of and that can end up in an inconsistent state.

bmitch3020 6 hours ago

> What I hate about docker and other such solutions is that I cannot install it as nonroot user

There's a rootless [0] option, but that does require some sysadmin setup on the host to make it possible. That's a Linux kernel limitation on all container tooling, not a limitation of Docker.

> and that it keeps images between users in a database.

Not a traditional database, but content-addressable filesystem layers, commonly mounted as an overlay filesystem. Each of those layers is read-only and reusable between multiple images, allowing faster updates (when only a few layers change) and conserving disk space (when multiple images share a common base image).

> I want to move things around using mv and cp, and not have another management layer that I need to be aware of and that can end up in an inconsistent state.

You can mount volumes from the host into a container, though this is often an anti-pattern. What you don't want to do is modify the image layers directly, since they are shared between images. That introduces a lot of security issues.

[0]: https://docs.docker.com/engine/security/rootless/
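The "sysadmin setup on the host" mentioned above is mostly about subordinate id ranges and the setuid id-mapping helpers. The script below is an added example, not code from the Docker or podman projects; it assumes (from the rootless setup docs) that the user needs at least 65536 subordinate uids and gids in /etc/subuid and /etc/subgid and that newuidmap/newgidmap are installed, and it takes the file paths as parameters so the range check can be run against constructed sample files.

```shell
#!/bin/sh
# Host prerequisite check for rootless container engines (Docker rootless or
# podman). Assumed requirements, taken from the rootless setup docs: the user
# needs >= 65536 subordinate uids and gids in /etc/subuid and /etc/subgid, and
# the setuid newuidmap/newgidmap helpers (uidmap / shadow-utils) must exist.
# Usage: sh rootless-check.sh USERNAME

# subid_range_ok USER FILE: succeed if FILE grants USER >= 65536 subordinate
# ids. Lines have the form name:start:count; several lines for the same user
# are summed, malformed lines are skipped, an unreadable file fails the check.
subid_range_ok() {
    user=$1; file=$2; total=0
    [ -r "$file" ] || return 1
    while IFS=: read -r name _start count; do
        [ "$name" = "$user" ] || continue
        case $count in ''|*[!0-9]*) continue ;; esac
        total=$((total + count))
    done < "$file"
    [ "$total" -ge 65536 ]
}

# idmap_helpers_ok: succeed if both newuidmap and newgidmap are on PATH
idmap_helpers_ok() {
    command -v newuidmap >/dev/null 2>&1 && command -v newgidmap >/dev/null 2>&1
}

# rootless_prereqs USER SUBUID_FILE SUBGID_FILE: print one line per check and
# return the number of failed checks (0 means the host is ready for USER).
rootless_prereqs() {
    failures=0
    for spec in "uid:$2" "gid:$3"; do
        kind=${spec%%:*}; path=${spec#*:}
        if subid_range_ok "$1" "$path"; then
            echo "ok   sub${kind} range for $1 in $path"
        else
            echo "FAIL sub${kind} range for $1 in $path (need >= 65536 ids," \
                 "add one as root, e.g. usermod --add-sub${kind}s 100000-165535 $1)"
            failures=$((failures + 1))
        fi
    done
    if idmap_helpers_ok; then
        echo "ok   newuidmap/newgidmap present"
    else
        echo "FAIL newuidmap/newgidmap missing (install the uidmap package as root)"
        failures=$((failures + 1))
    fi
    return $failures
}

# Only run the host check when a username was given on the command line.
if [ -n "${1:-}" ]; then rootless_prereqs "$1" /etc/subuid /etc/subgid; fi
```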

Alupis 3 hours ago

If I install podman on my Linux machine, it's rootless by default. No fiddling required of me.

Docker could do a much better job of packaging their software. Even major updates require manually uninstalling and reinstalling it... Podman just works.

esafak 7 hours ago

https://github.com/containers/podman/blob/main/docs/tutorial...

iberator 7 hours ago

It's hilarious. Your 'solution' to use docker without root is to make some system changes as root and then use/build docker LOL.

embedding-shape 7 hours ago

> is to make some system changes as root

Yeah, I mean what do you expect, or what is the alternative? If you have a process that needs access to something only root typically can do, and the solution has been to give that process root so it can do its job, you usually need root to be able to give that process permission to do that thing without becoming root. Doesn't that make sense? What alternative are you suggesting?

IshKebab 7 hours ago

Uhm no. Podman is a different product that is pretty much a drop-in replacement for Docker but lets you run as non-root.

You have to be root to set it up, but after that you don't need any special privileges. With Docker the only option is to basically give everyone root access.

It's true that it requires root for some setup though. Unclear if OP was complaining about that.

cpuguy83 6 hours ago

Docker can run rootless the same way podman does.

FireBeyond 6 hours ago

Now. I was at Red Hat at the time, in the BU that built podman, and Docker was just largely refusing any of Red Hat's patches around rootless operation, and this was one of the top 3, if not the top motivation for Red Hat spinning up podman.

cpuguy83 5 hours ago

You'd have to point me to those PRs, I don't recall anything specifically around rootless. I recall a lot of things like a `--systemd` flag to `docker run`, and just general things that reduce container security to make systemd fit in.

IshKebab 5 hours ago

Ah the classic "it's a terrible idea until you implement it elsewhere and show us up".

kccqzy 7 hours ago

> I cannot install it as nonroot user

Sure, you cannot install docker or podman as a non-root user. But take your argument a bit further: what if the kernel is compiled without cgroups support? Then you will need root to replace the kernel and reboot. The root user can do arbitrarily many things to prevent you from installing any number of software packages. The root user can prevent you from using arbitrary already installed software. The root user can even prevent you from logging in.

It is astounding to me that someone would complain that a non-root user cannot install software. A much more reasonable complaint is that a non-root user can become root while using docker. This complaint has been resolved by podman.

oarsinsync 6 hours ago

> It is astounding to me that someone would complain that a non-root user cannot install software.

Depends on what you mean by "install software".

If your definition is "put an executable in a directory that is in every other user's standard $PATH", then yes, this is an absurd complaint. Of course only root should be able to do this.

If your definition is "make an executable available to run as my user", then no, this is not absurd. You absolutely should not need root to be able to run software that doesn't require root privileges. If the software requires root, it's either doing something privileged, or it's doing it wrong.

kccqzy 6 hours ago

I don’t think you understood my comment.

> You absolutely should not need root to be able to run software that doesn't require root privileges.

But root can approve or disapprove of you running that software. Have you heard of SELinux or AppArmor? The root user can easily and simply prevent you from running an executable even as your own user.

Malware can run as your own user and exfiltrate files you have access to. The malware does not need root privileges. Should root have the capability to prevent the malware from being installed? Regardless of what your definition of "install" is, the answer is unequivocally yes.

tucnak 6 hours ago

If you're not into rootless Docker, but still want to improve sandboxing capabilities, consider alternative runtimes such as runsc (also known as gVisor).

https://gvisor.dev/docs/