From what I have seen, rootless podman seems to take more effort than rootful one. I want to make a more informed decision for the containers, so I would like to ask.
- What is a rootless podman good for? How much does it help in terms of security, and does it have other benefits?
- One of the benefits commonly mentioned is for when a container is breached. Then, running the container as a sudo-capable user would give no security benefits. Does it mean I should run podman services as a non-privileged user?
Thank you!
This answers all of your questions: https://www.redhat.com/en/blog/user-flag-rootless-containers
So the best defense plus ease of use is podman root assigning non-root UIDs to the containers. You can do the same with Docker, but Docker with non-root UIDs assigned still carries the risk of the root-level Docker daemon being hacked and exploited. Podman does not have a daemon to be hacked and exploited, meaning root Podman with non-root UIDs assigned has no downsides!
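As an added example (not from the thread or the linked post): the `--user` setup described above, plus a check that the container's processes really show up as a non-root user on the host. The `podman top` descriptors `huser`/`user`/`pid`/`comm` are real; the image choice (`docker.io/library/alpine`) and the sample outputs are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks `podman top <ctr> huser user pid comm`
# style output and fails if any process is owned by root on the host.
# Input on stdin: "HUSER USER PID COMMAND" lines (header optional).
# Returns 0 when every process is non-root on the host, 1 otherwise.
check_nonroot() {
    awk 'NR == 1 && $1 == "HUSER" { next }                      # skip header line
         $1 == "root" || $1 == "0" { bad = 1; print "root-owned on host: " $0 }
         END { exit (bad ? 1 : 0) }'
}

# Constructed sample (not captured from a real host): rootful podman started
# with --user 1000:1000, so the process is host UID 1000, not root.
SAMPLE_OK='HUSER USER PID COMMAND
1000 1000 12345 sleep'

# Constructed sample of the default rootful case: the process is real host root.
SAMPLE_BAD='HUSER USER PID COMMAND
root root 12346 sleep'

# Live check (assumes podman and sudo are available; skipped otherwise):
# run a container under rootful podman as UID/GID 1000 and inspect it.
demo_live() {
    command -v podman >/dev/null 2>&1 || { echo "podman not installed; skipping live check"; return 0; }
    sudo podman run -d --rm --name userflag-demo --user 1000:1000 \
        docker.io/library/alpine sleep 300 >/dev/null
    sudo podman top userflag-demo huser user pid comm | check_nonroot
    rc=$?
    sudo podman rm -f userflag-demo >/dev/null 2>&1
    return $rc
}
```

Running `demo_live` on a host with podman exercises the same check against a real container; the two samples show what passes and what fails.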
Thanks a lot for the on-point answer! I wish the person who answered in the issue had written a blog post; it would have been of great help.
I also wish for an in-depth blog post, but the GitHub answer is at least succinct enough.