There has been some discussion on lifting this restriction and allowing the docker interface to be provided by the system snap (i.e. core or snapd snaps), which would allow using non-snap versions of docker. See Request for "classic" confinement for package Wilfred - #27 by jdstrand
Does podman also listen on the docker socket at the normal location? If so, then changing the docker interface to be implicit would satisfy this use case.
A potential solution for this to be able to work with strict confinement would be to just fail if the user is not in the docker group and print a message saying they should add themselves to the group or they should run cot with sudo.
This isn’t true, environment variables are still forwarded to snap apps.