I've been running a few containers for several years. They were all running under rootless Docker with a single user. Initially, I planned to migrate the containers to VMs, but I couldn't get a stable workflow after about two months of effort. Later, gVisor caught my attention, and I decided to migrate to Podman with gVisor instead. The new plan is to run each container with --userns=auto and use Quadlet for systemd integration. This approach provides better isolation and makes writing firewall rules easier. I'm now close to migrating all my containers. Here are a couple of rough edges I'd like to share.

Network Layout

I compared various networking options and spent a few hours trying the one-interface-per-group approach before giving up. I settled on a single macvlan network and decided to use static IP addresses for my containers. To prevent a randomly assigned IP address from conflicting with a predefined one, I allocated a large IP range for my ...
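As an added illustration (not the author's own files), here is what the layout described above looks like as a pair of Quadlet units: one macvlan network whose dynamic pool is confined to a sub-range, and one container pinned to a static address outside that pool, running with --userns=auto under gVisor. The subnet, parent interface, image, and the runsc runtime name are assumptions; rootful Podman is assumed because macvlan and --userns=auto both require it.

```ini
# /etc/containers/systemd/lan.network  (constructed example)
[Network]
NetworkName=lan
Driver=macvlan
# Parent interface is an assumption; adjust to the host NIC on the LAN.
Options=parent=eth0
Subnet=10.42.0.0/16
Gateway=10.42.0.1
# Podman hands out dynamic addresses only from this range, so static
# addresses placed below 10.42.128.0 can never collide with them.
IPRange=10.42.128.0/17

# /etc/containers/systemd/web.container  (constructed example)
[Unit]
Description=Example container with static IP, per-container userns and gVisor

[Container]
ContainerName=web
Image=docker.io/library/nginx:stable
Network=lan.network
# Static address deliberately outside IPRange above.
IP=10.42.0.10
# Each container gets its own UID/GID slice from the "containers" subuid/subgid range.
UserNS=auto
# gVisor; assumes runsc is registered under [engine.runtimes] in containers.conf.
PodmanArgs=--runtime=runsc
ReadOnly=true
DropCapability=all
NoNewPrivileges=true

[Service]
Restart=always

[Install]
WantedBy=multi-user.target
```

After `systemctl daemon-reload`, `/usr/libexec/podman/quadlet -dryrun` prints the generated service units so the resulting `podman run` command line can be checked before starting `web.service`.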
久病成医 | Prolonged Illness Makes the Patient a Good Doctor