From what I have seen, rootless podman seems to take more effort than rootful one. I want to make a more informed decision for the containers, so I would like to ask.
- What is a rootless podman good for? How much does it help in terms of security, and does it have other benefits?
- One of the benefits commonly mentioned is for when container is breached. Then, running container on sudo-capable user would give no security benefits. Does it mean I should I run podman services on a non-privileged user?
Thank you!
One of the main advantage of podman is that, it respects the firewall rules. Docker don’t do that. Also having rootless podman means if somehow the container went rogue, it cannot have access to your root directory and perform malicious actions.
Also podman is a drop in replacement for docker. It does not need much configurations to setup. If you need compose, you might need to install podman-compose as well.
I always hear podman is a drop in replacement, but every time I try most of my stack doesn’t work. Permissions seem to be the issue most of the times, even when I create new volumes. I will try again in a few years probably, but I’m not holding my breath
Look into podman quadlets. Its containers as systemd services, and its excellent. They run as root by default, but can be run at a user level pretty easily. Ive had no permissions issues as long as you define the user/group in the config and ensure they habe the correct rights to the required folders.
It does take translation from docker compose files, but it’s entirely doable. Most of the environmental variables translate straight across.