Diginext uses Podman & Docker container engine under the hood to build your applications.

Why PODMAN over DOCKER?

For simple installation, we usually want to spin up the build server with Docker / Docker Compose or Kubernetes, this is the concept of Docker-in-Docker.

For your information, Docker Engine requires deamonset to build your image, therefore you need to run the container as root user with privileged mode & also mount /var/run/docker.sock volume into it. And that is a bad idea since it would lead to security risks (if you don't know this, read here).

<aside> 👉 Short explaination The owner of the docker /var/run/docker.sock is root of the host where the container is running, with default group membership to docker group. That's why mounting var/run/docker.sock inside another container gives you root privileges since now you can do anything that a root user with group membership of docker can.

</aside>

On the other hand, Podman is a daemonless container engine for developing, managing, and running OCI Containers. Containers can either be run as root or in rootless mode. Podman also has similar commands with Docker, so it would be simpler to implement into Diginext.

Therefore, I would like to recommend using BUILDER=podman in the environment variables to use Podman as the container builder, instead of docker.

Trade off

There is a bit of a tradeoff when using Podman instead of Docker as a builder - build speed. You will notice a slightly increased build time when using Podman. However, I would accept this rather than face any potential risks in the future.

(…unless you’re totally understand what you’re doing).

Disclaimers

Although I do understand this security issue clearly, after many hours and attempts, I still haven't had any success running the build server with PODMAN on Kubernetes at rootless mode.

<aside> 🔎 This is what I’ve tried: How to use Podman inside of Kubernetes

</aside>

In the current Kubernetes example, I still need priviledged: true is set in the YAML file, but don’t worry, you’re still safe, just don’t remove runAsUser: 1000 setting.

<aside> 👉 Wanna learn more why? Read here.

</aside>

Examples

Server - With Docker Compose

Server - With Kubernetes

Wanna help?

If you have any experience of running rootless Podman on the Kubernetes without priviledged mode, and you want to give me a hand, PRs are truly welcome!