Hacker News new | ask | show | jobs
by nixcraft 1125 days ago
LXD is a faster tool that offers various configurations, such as allowing an app to run as root even when you're not, and mounting host directories inside containers like Docker/Podman. LXD is also unprivileged by default and uses the same Linux kernel features as other tools. We have different tools available for end users, and I prefer running Docker inside LXD for development purposes because it keeps my $HOME clean. Additionally, tasks like Nvidia GPU (such as ffmpeg, or AI) can also be run inside LXD, providing extra security on my dev box while keeping $HOME clean where you may need to use the `curl ... | sudo bash` syntax when downloading random stuff from the Internet.
1 comments
curt15 1125 days ago
>LXD is also unprivileged by default

The last time I tried it (a few years ago) you needed to either run `lxc` as root or be a member of the `lxd` group which is equivalent to having root privileges. At that time the ability to launch and enter container instances as an unprivileged user (without a root backdoor like the docker or lxd group) was one of Podman's advantages. Have things changed since then?

link
nixcraft 1125 days ago
LXD uses unprivileged containers (user namespace) with the setup done by the root user. All containers run in unprivileged mode by default. However, specific config that only a privileged user can do (mount disks/partitions, setup network devices, allocate more complex mappings for the user namespace etc.) on LXD using the root user or LXD group. Even rootless Podman needs root access in many cases. For example, to open port < 1024, mount EFS/NFS inside; in other edge cases, you can't use rootless Podman. These are Linux kernel limitations last I checked and are sometimes caused by various distros applying other security patches to their kernels too.

LXD supports (all of these have pros and cons, and you must choose one of the type that solves your problem):

1. Privileged containers.

2. Unprivileged containers as an unprivileged user.

3. Unprivileged containers as root.

One frustrating issue is that many developers and IT professionals are reluctant to use Podman due to certain unique situations and edge cases. Docker is more commonly used and tested, making it the preferred option despite Podman's beneficial features.

link