by thiht 1047 days ago
I tried Podman on 2 MacBook Pros: my personal one (Intel) and my work one (M1) and it basically doesn’t work well at all.

Podman Desktop simply doesn’t work, on first run it loops forever on initializing stuff (I guess it tries to create the Podman machine but fails? No idea because it doesn’t say what’s wrong, nor where to look). So I tried Podman bare without Podman desktop and it’s not a lot better, the machine starts fine and I can run containers, but every time my computer wakes up from hibernate, the containers and the machine are stuck. I have to recreate the whole Podman machine from scratch.

I loved the idea of rootless but it doesn’t work on Mac. And I won’t believe I’m the only person having the exact same set of issues on 2 different MacBooks


These types of papercuts (see other comments on how podman-compose and any sort of custom networking have issues, too) are why I have mostly avoided Podman so far. I find myself just using Docker rootless on Linux workstations and the Docker Engine on servers. On MacOS, I use Colima and it has worked well for me.

> I loved the idea of rootless but it doesn't work on Mac

One clarification I think is worth making in case you weren't aware is that the "rootless" approach isn't really a factor for any Linux container runtime on MacOS since all the container solutions on MacOS run in a VM (since Linux containers rely on Linux kernel features). I.e. Docker Desktop, Podman Desktop, etc. can't run as root on MacOS because they rely on a user-level Linux VM.

Thanks for the clarification!

Maybe I’m using the wrong term, but when installing Docker, you need root access, and not for Podman. Maybe I’m wrong but I don’t think it’s possible to install Docker if you’re not root on the machine?

https://docs.docker.com/desktop/mac/permission-requirements/

This link breaks down what permissions are used on MacOS.

> Maybe I’m using the wrong term

Typically, the meaningful piece with "rootless" Docker is that the daemon is not running as root.

When the Docker daemon is running as root on a Linux server, for example, anyone who can access the daemon (i.e. anyone in the "docker" group) has enough access to the system to do catastrophic damage. For example, the docker daemon can mount any file on the host's filesystem (i.e. "-v /etc/shadow:/tmp/shadow"). With Docker running as root, anyone with access to the Docker daemon has the power to do almost anything to the system.

With rootless Docker, that issue is mitigated heavily because the Docker context is restricted to an unprivileged user context.

> but when installing Docker, you need root access, and not for Podman

According to Podman Desktop's docs, it asks for admin permission when installing on MacOS: https://podman-desktop.io/docs/Installation/macos-install

That being said, I don't personally see any security value added or removed by an installer process needing to elevate privileges. That's a one-time thing and likely should require admin privileges.
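The comment above describes why a root Docker daemon turns every member of the "docker" group into a root-equivalent user, and why a rootless daemon mitigates that. The following POSIX sh helpers are an added example, not code from this thread or from the Docker or Podman projects: they audit a host for exactly that condition. Each helper takes its input as an argument so it runs offline on the constructed text below; on a real host you would feed it the output of `docker info`, `stat -c '%a %U %G' /var/run/docker.sock`, and the contents of /etc/group. The assumption that a rootless engine lists "rootless" under "Security Options" in `docker info` is stated in the code.

```shell
#!/bin/sh
# Added example (not from the thread, not Docker/Podman code): audit helpers for
# the "root daemon + docker group = root access" risk described above.

# Return 0 if the given `docker info` text reports a rootless engine, 1 otherwise.
# Assumption: rootless engines list "rootless" as an entry under "Security Options".
docker_info_is_rootless() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*rootless[[:space:]]*$'
}

# Print the member list of the docker group from /etc/group-style text
# (fields: name:x:gid:member,list), or nothing if the group is absent.
# Every name printed here has root-equivalent access when the daemon runs as root.
docker_group_members() {
    printf '%s\n' "$1" | awk -F: '$1 == "docker" { print $4 }'
}

# Assess a daemon socket from its octal mode, owner and group, as
# `stat -c '%a %U %G' /var/run/docker.sock` reports them. Prints one word:
#   world-writable : any local user can drive the daemon
#   group-root     : docker-group members get root-equivalent access
#   rootless       : socket owned by an unprivileged user (rootless engine)
#   root-only      : only root can reach the daemon
docker_socket_assess() {
    mode=$1 owner=$2 group=$3
    other=$(printf '%s' "$mode" | tail -c 1)            # "other" permission digit
    grp=$(printf '%s' "$mode" | tail -c 2 | head -c 1)  # "group" permission digit
    case $other in 2|3|6|7) echo world-writable; return ;; esac
    if [ "$owner" != root ]; then echo rootless; return; fi
    case $grp in 2|3|6|7) echo group-root ;; *) echo root-only ;; esac
}

# Constructed demo data (not real host output) so the script runs stand-alone.
demo_info=' Security Options:
  seccomp
   Profile: builtin
  rootless
  cgroupns'
if docker_info_is_rootless "$demo_info"; then echo "engine: rootless"; else echo "engine: root"; fi
echo "docker group members: $(docker_group_members 'docker:x:999:alice,bob')"
echo "socket /var/run/docker.sock: $(docker_socket_assess 660 root docker)"
```

On a root-daemon host the combination "group-root" plus a non-empty member list is the finding to act on: either move the engine to rootless mode or shrink the docker group to the people who are already trusted with root.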

> That being said, I don't personally see any security value added or removed by an installer process needing to elevate privileges. That's a one-time thing and likely should require admin privileges

Where I worked before we didn’t have root access on our laptops, so we couldn’t install Docker.

I’ve switched company since, but my former coworkers were able to install Podman (not Podman Desktop) without root access.

Ah, I see. So not really container runtime security, more operational/principle of least privilege. Had not accounted for that, I can definitely see how that would be useful.

Although, I would say we have definitely strayed far away from the typical definition/security benefits of "rootless" container runtimes. Usually the rootless container threat model accounts for containers or access to the runtime being weaponized -- it's not usually IT preventing you from installing apps. :)

Still, thanks for indulging this conversation.

(Also, I thought the only way to run Podman containers locally on MacOS was Podman Desktop -- has that changed recently?)

You are not - it is basically non-functional on Mac. I try to stick with it but the reliability of Podman Desktop on Mac is awful - it can’t be doing RedHat’s brand any good releasing and promoting something so poor.