I’ve been managing my containers with service filles forever; I’ve just always built them by hand. The ones podman uses to create were screwed up in so many ways.
These look better. I think the autoupdate is something I wouldn’t use; if I do something and something stops working, I know what happened. I reality hate things that mysteriously stop working in the middle of the night.
But the network setting… Now that’s exciting. I’ve been working myself up to tighten stuff down like this, and this looks way easier.
Yup, I expect lots of people feel like that, maybe most (I’d be interested to see some stats). I value security over availability, but you can choose per-container, of course.
network
You can set Internal=true, which I use whenever possible, which means access is only to anything on same network (for me that’s itself and Caddy) - no outgoing connections at all. Podman uses PASTA by default for rootless.
So many updates are not security related, though. The rare security update isn’t worth the frequent outage IMHO.
But you’re right: giving the people that option is a good thing - as long as it’s an option.
You can set Internal=true, which I use whenever possible, which means access is only to anything on same network (for me that’s itself and Caddy) - no outgoing connections at all. Podman uses PASTA by default for rootless.
This is very timely. I have a few VPSes which I’ve locked down to the best of my non-OPs background ability: one gateway exposed to the internet, and the rest completely firewalled off and only accessible over private VPN. What I’ve recently been trying to figure out is how to lock my containers down so they only have access to the host+ports they need to. E.g., caddy is mainly a reverse proxy, except for serving static content from a RO mounted directory, but I’m at my networking knowledge limit on how to keep it from accessing local host ports. Same with the SMTP and IMAP services - SMTP of particularly challenging because I do want it to access the internet, but not access local host ports.
It’s been driving me a little nutty. It looks like this would make all that a lot easier.
True, most updates I don’t actually care about. I haven’t had any updates cause problems yet, but I like that I could choose to not enable updates on anything with a bad history (or critical stuff where I don’t want to run the risk).
I’ve been managing my containers with service filles forever; I’ve just always built them by hand. The ones podman uses to create were screwed up in so many ways.
These look better. I think the autoupdate is something I wouldn’t use; if I do something and something stops working, I know what happened. I reality hate things that mysteriously stop working in the middle of the night.
But the network setting… Now that’s exciting. I’ve been working myself up to tighten stuff down like this, and this looks way easier.
Yup, I expect lots of people feel like that, maybe most (I’d be interested to see some stats). I value security over availability, but you can choose per-container, of course.
You can set
Internal=true, which I use whenever possible, which means access is only to anything on same network (for me that’s itself and Caddy) - no outgoing connections at all. Podman uses PASTA by default for rootless.So many updates are not security related, though. The rare security update isn’t worth the frequent outage IMHO.
But you’re right: giving the people that option is a good thing - as long as it’s an option.
This is very timely. I have a few VPSes which I’ve locked down to the best of my non-OPs background ability: one gateway exposed to the internet, and the rest completely firewalled off and only accessible over private VPN. What I’ve recently been trying to figure out is how to lock my containers down so they only have access to the host+ports they need to. E.g., caddy is mainly a reverse proxy, except for serving static content from a RO mounted directory, but I’m at my networking knowledge limit on how to keep it from accessing local host ports. Same with the SMTP and IMAP services - SMTP of particularly challenging because I do want it to access the internet, but not access local host ports.
It’s been driving me a little nutty. It looks like this would make all that a lot easier.
True, most updates I don’t actually care about. I haven’t had any updates cause problems yet, but I like that I could choose to not enable updates on anything with a bad history (or critical stuff where I don’t want to run the risk).