by adgasf 2329 days ago
> Why do you think it's not a good practice?

I didn't say it wasn't. Docker makes sense because everyone uses it.

However, I would prefer a Docker alternative that is purely local and doesn't require so many permissions.


Podman is one, and it can even work just fine without root permissions.

Really? How can it run a web server container, for example, without root permissions? You need root to listen on port 80.

Well, isn't that a specific case though? From my experience most containerized apps use a higher port.

In FreeBSD you would also be able to remove such restrictions if needed (not sure if something is also available on Linux). Alternatively, you could have your app listen on a higher port and use iptables to forward port 80 there.

> From my experience most containerized apps use a higher port

Most public images I see on Docker Hub run on default ports. Sure, a lot of these are configurable, but then you need to reconfigure all the consumer services to use a non-default port. FreeBSD is not an option, unless you are willing to run on your own hardware. As for iptables, does podman provide network isolation where you can define iptables rules per container? I know it wouldn't work with Docker.

Aren't most people running a load-balancer in front nowadays?

Linux namespaces, and then you forward it to a higher port range on the host. (Or you can disable that check too.)
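
The privileged-port check discussed in this thread, as an added example that is not part of any comment above: a POSIX shell sketch that decides whether the current unprivileged process can publish a low host port directly or needs the high-port-plus-forward setup. It assumes Linux, where the check is governed by the `net.ipv4.ip_unprivileged_port_start` sysctl and `CAP_NET_BIND_SERVICE` (neither is named in the thread); the function names and the fallback port 8080 are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Lowest port an unprivileged process may bind in this network namespace.
# Linux exposes it as a sysctl; the kernel default is 1024.
unpriv_port_start() {
    cat /proc/sys/net/ipv4/ip_unprivileged_port_start 2>/dev/null || echo 1024
}

# Effective capability mask of this process, as hex (CapEff line).
cap_eff() {
    awk '/^CapEff:/ {print $2}' /proc/self/status 2>/dev/null || echo 0
}

# can_bind PORT [START] [CAPEFF_HEX]
# Prints "direct" if bind() would pass the privileged-port check,
# otherwise "forward". START and CAPEFF_HEX default to the live values.
can_bind() {
    port=$1
    start=${2:-$(unpriv_port_start)}
    caps=${3:-$(cap_eff)}
    caps=${caps:-0}
    # CAP_NET_BIND_SERVICE is capability number 10.
    if [ "$port" -ge "$start" ] || [ $(( (0x$caps >> 10) & 1 )) -eq 1 ]; then
        echo direct
    else
        echo forward
    fi
}

# publish_arg CONTAINER_PORT FALLBACK_HOST_PORT [START] [CAPEFF_HEX]
# Prints the -p mapping to hand to a rootless `podman run`.
publish_arg() {
    if [ "$(can_bind "$1" "$3" "$4")" = direct ]; then
        echo "-p $1:$1"
    else
        # An administrator forwards the low port once, as root, e.g.:
        #   iptables -t nat -A PREROUTING -p tcp --dport 80 \
        #            -j REDIRECT --to-ports 8080
        echo "-p $2:$1"
    fi
}

# Result for this host: port 80 wanted, 8080 as the constructed fallback.
publish_arg 80 8080
```

Lowering the sysctl removes the check for every user in that network namespace, so the forward rule is the narrower change when only one service needs the low port.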