From what I have seen, rootless podman seems to take more effort than rootful one. I want to make a more informed decision for the containers, so I would like to ask.

  1. What is a rootless podman good for? How much does it help in terms of security, and does it have other benefits?
  2. One of the benefits commonly mentioned is for when container is breached. Then, running container on sudo-capable user would give no security benefits. Does it mean I should I run podman services on a non-privileged user?

Thank you!

  • glizzyguzzler@lemmy.blahaj.zone
    link
    fedilink
    English
    arrow-up
    0
    ·
    11 hours ago

    This answers all of your questions: https://www.redhat.com/en/blog/user-flag-rootless-containers

    So the best defense plus ease of use is podman root assigning non-root UIDs to the containers. You can do the same with Docker, but Docker with non-root UIDs assigned still caries the risk of the root-level Docker daemon being hacked and exploited. Podman does not have a daemon to be hacked and exploited, meaning root Podman with non-root UIDs assigned has no downsides!