Hi all!

As of today, I am running my services with rootless podman pods and containers. Each functional stack gets its dedicated user (user cloud runs a pod with nextcloud-fpm, nginx, postgresql…) with user mapping. Now, my thought was that if an attacker can escape a container, they should be contained to a specific user.

Is it really meaningful? With the service users' homes set up in /var/lib, it makes a lot of small stuff annoying, and I wonder if the current setup is really worth it?
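As an added illustration of the user mapping the post relies on (example script, not something from the original post): under rootless podman's default mapping, container root becomes the service user's own uid and container uids 1..N are spread over that user's ranges from /etc/subuid, so a process that escapes as, say, www-data (uid 33) inside the nextcloud pod lands on an unprivileged host uid. The subuid and passwd contents below are constructed samples, and the service users and their uids are assumed.

```shell
#!/bin/sh
# Constructed sample of /etc/subuid ("user:start:count"), not from a real host.
# A user may own several ranges; podman maps them back to back in file order.
SUBUID_SAMPLE='cloud:100000:65536
media:165536:65536
media:300000:1000'
# Constructed "user:uid" pairs standing in for the relevant /etc/passwd entries.
PASSWD_SAMPLE='cloud:1001
media:1002'

# host_uid USER CTR_UID
# Prints the host uid that container uid CTR_UID lands on for rootless podman's
# default mapping: container uid 0 -> USER's own uid, container uid N>=1 ->
# the (N-1)th uid of USER's concatenated subuid ranges. Returns 1 when USER is
# unknown or CTR_UID is beyond the mapped ranges (such a uid cannot exist in
# the container at all).
host_uid() {
  user=$1; ctr=$2
  own=$(printf '%s\n' "$PASSWD_SAMPLE" | awk -F: -v u="$user" '$1==u{print $2}')
  [ -n "$own" ] || return 1
  if [ "$ctr" -eq 0 ]; then
    printf '%s\n' "$own"
    return 0
  fi
  printf '%s\n' "$SUBUID_SAMPLE" | awk -F: -v u="$user" -v c="$ctr" '
    BEGIN { rem = c - 1; found = 0 }
    # Walk this user'"'"'s ranges in order, subtracting each range length
    # until the remaining offset falls inside one of them.
    $1 == u && !found {
      if (rem < $3) { print $2 + rem; found = 1 } else { rem -= $3 }
    }
    END { exit found ? 0 : 1 }'
}

# Example run: where do root and www-data (uid 33) of the cloud pod land?
echo "container root of cloud pod -> host uid $(host_uid cloud 0)"
echo "www-data (33) of cloud pod  -> host uid $(host_uid cloud 33)"
```

The payoff for the containment question: an escape as container root only gets the service user's own uid, and an escape as any other container uid gets a subuid that owns nothing on the host except what podman created for that container, so the blast radius is bounded by what that user's home in /var/lib and its group memberships expose.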

  • johntash@eviltoast.org
    6 months ago

    What kind of annoying things are you dealing with?

    You don’t have to put the user home in /var/lib either if that helps at all.

    If you’re already running rootless, I’d keep doing that unless there’s a really good reason not to.