apt vs rootless podman

Hello,

today I run syncthing installed via apt.syncthing.net, and it works perfectly fine. However, I’m playing with the idea of standardizing all my services on rootless podman. I’m interested in your opinions about the pros and cons of switching to rootless podman vs continuing to use apt. Is anyone using it already? Are there any pitfalls I need to be aware of? The objective would be to manage it via a quadlet/systemd.

TIA!

To be more precise: this is about using/operating syncthing via one of the methods mentioned. It’s not about apt/podman itself.

Other than a bit more setup time, once Syncthing is running, the end-user experience for Syncthing isn’t any different compared to running “bare-metal”.

No special configuration is required in Syncthing if using host networking, but a network bridge will require some extra care.

Pros:

  • A little extra security due to Syncthing running inside a container.

Cons:

  • If the Syncthing container is running on a host that is itself a virtual machine, then I’d say that the additional complexity doesn’t improve security much and could even make things worse.
  • Syncthing, as a self-contained executable with minimal external dependencies, doesn’t need many of the features of a container – e.g. Plex has a lot of dependencies so it benefits from having all the required bits and pieces together inside a portable container.
  • A LAMP stack involving multiple servers working together is a great candidate for a container pod, but Syncthing tends to be deployed as a standalone service rather than as part of a bundle of services.

You’re probably already aware that Syncthing can be managed via systemd without Podman’s quadlet.

2 Likes

IP discovery might be worse with podman if you don’t use host network mode.

1 Like

I’m using both (systemd service / Quadlets), for me it’s worth it when dealing with multiple instances - accessing individual containers over Tailscale is quite easy with pods.

No package manager dependency (avoiding outdated repos) and version pinning can also be useful.

Important notice about GUI Security:

By default Syncthing inside the Docker image listens on 0.0.0.0:8384. This allows GUI connections when running without host network mode. The example above unsets the STGUIADDRESS environment variable to have Syncthing fall back to listening on what has been configured in the configuration file or the GUI settings dialog. By default this is the localhost IP address 127.0.0.1. If you configure your GUI to be externally reachable, make sure you set up authentication and enable TLS.
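Pulling the thread's points together (host networking, and unsetting STGUIADDRESS as described in the notice above), here is an added example Quadlet unit for a rootless user service; it is not from the original thread or the Syncthing project, and the image name, volume path and port numbers are assumptions based on the official image's documented defaults.

```ini
# ~/.config/containers/systemd/syncthing.container (rootless Quadlet, user unit)
# Added example; not from the thread or the Syncthing project. Assumes the
# official docker.io/syncthing/syncthing image and a host data directory of
# ~/syncthing (adjust to your environment).

[Unit]
Description=Syncthing (rootless Podman via Quadlet)
After=network-online.target
Wants=network-online.target

[Container]
Image=docker.io/syncthing/syncthing:latest
ContainerName=syncthing
# Host networking: no port mapping needed and local discovery sees real
# peer IPs, but the image's default 0.0.0.0:8384 would then be a host-wide
# GUI listener, so the next line matters.
Network=host
# Unset STGUIADDRESS so Syncthing falls back to the address in its own
# config (127.0.0.1:8384 by default) instead of the image's 0.0.0.0:8384.
Environment=STGUIADDRESS=
# Map the container user onto your own UID so synced files stay yours.
UserNS=keep-id
Volume=%h/syncthing:/var/syncthing:Z
AutoUpdate=registry

# Bridge alternative (drop Network=host and use these instead): publish
# sync/discovery ports host-wide but bind the GUI to loopback only.
# PublishPort=22000:22000/tcp
# PublishPort=22000:22000/udp
# PublishPort=21027:21027/udp
# PublishPort=127.0.0.1:8384:8384/tcp

[Service]
Restart=on-failure
TimeoutStartSec=300

[Install]
WantedBy=default.target
```

After `systemctl --user daemon-reload && systemctl --user start syncthing`, confirm with `ss -ltnp | grep 8384` that the GUI is bound to 127.0.0.1 only; if you later expose it, set a GUI user/password and enable TLS in the settings first.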