this post was submitted on 15 Mar 2025
56 points (100.0% liked)

Selfhosted

44902 readers
564 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
56
Advantages of rootless podman? (sh.itjust.works)
submitted 1 week ago* (last edited 1 week ago) by [email protected] to c/[email protected]
27 comments fedilink hide all child comments
 

From what I have seen, rootless podman seems to take more effort (even if marginal) than rootful one. I want to make a more informed decision for the containers, so I would like to ask.

  1. What is a rootless podman good for? How much does it help in terms of security, and does it have other benefits?
  2. One of the benefits commonly mentioned is for when container is breached. Then, running container on sudo-capable user would give no security benefits. Does it mean I should run podman services on a non-privileged user?

Thank you!

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 24 points 1 week ago* (last edited 1 week ago) (9 children)

A rootless container is good for security.

A lifetime old basic rule is never run anything as root, not even your podman :)

I only ever use rootless podman jn my system and I fond it pretty easy to actually run: zero effort whatsoever.

Why you say it's complicated?

Yes I always create one unprivileged user (not even in the sudoers or wheel group ofc) for every service I containerize. And create a dedicated network for the service too.

It only takes a few lines in a normal docker compose yaml.

Also I use docker compose on podman, yes docker compose not podman compose.

Edit2: refer to this post of mine on how installed immich on rootless podman https://wiki.gardiol.org/doku.php?id=services%3Aimmich as you can see, the most complex part is... Useradd & mkdir LOL

Edit: also podman play nice with iptables and nft (which should be always preferred nowadays) instead docker can mess your system good, and don't work with nft tables, unless quirks quirks...

[–] [email protected] 3 points 1 week ago (3 children)

Needing to deal with the services for startup for every single compose stack seems like such a pain to me, that's one of the big reasons I haven't switched.

[–] [email protected] 5 points 1 week ago* (last edited 1 week ago)

Nothing stops you to run them all from the same unprivileged user and start them all at once with a single command.

Set once and forget style.

[–] [email protected] 5 points 1 week ago

Put them in a pod and it's just systemctl --user start <name>-pod or sudo systemctl start <name>-pod. A pod is basically a compose file, but split across multiple files instead of chunks of yaml.

[–] [email protected] 1 points 1 week ago

What do you mean by that? Podman compose is a drop-in replacement for Docker compose, and everything is identical other than needing to add :Z to the end of your volume lines.

load more comments (5 replies)