Alex Kretzschmar
Podcast Appearances
You've got to do this user ID shuffle because the user IDs inside the container don't map to the IDs on the host properly, unless you do this shift.
And so it ends up being this world of complicated UID script shuffling nonsense that I just haven't got time for.
Well, I'll break it down as best I can, just really simply.
So in a rootless Podman container,
you end up shifting the user IDs by roughly 100,000 or so.
It depends on how you've got it configured.
So on your host, you would probably have a user ID of something like 1,000.
Inside the container, it would be the user ID 100,000 and 1,000.
So like 101,000.
So you've got to find a way to map those IDs from what the container sees to what the host can speak so that the file permissions for those bind mount volumes actually work.
And that whole mess, the fact I've just had to explain that to you is exactly my point.
Yes, I'm feeling your point.
With the daemon that Docker has running as root, yes, there are some security implications with that, but also comes simplicity for the user experience.
Right.
Yeah.
There's some other interesting stuff that Podman does as well.
They have this thing called the quadlets.
I don't know if you've heard of Podman quadlets.
It's a bit of a silly name.
But essentially, they're systemd units that let you run your Podman containers as systemd units instead of using something like Docker Compose to define the state of the world that that container would see.