this post was submitted on 15 Mar 2025
56 points (100.0% liked)

Selfhosted

44837 readers
851 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
56
Advantages of rootless podman? (sh.itjust.works)
submitted 1 week ago* (last edited 1 week ago) by [email protected] to c/[email protected]
27 comments fedilink hide all child comments
 

From what I have seen, rootless podman seems to take more effort (even if marginal) than rootful one. I want to make a more informed decision for the containers, so I would like to ask.

  1. What is a rootless podman good for? How much does it help in terms of security, and does it have other benefits?
  2. One of the benefits commonly mentioned is for when container is breached. Then, running container on sudo-capable user would give no security benefits. Does it mean I should run podman services on a non-privileged user?

Thank you!

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 31 points 1 week ago (12 children)

One of the main advantage of podman is that, it respects the firewall rules. Docker don't do that. Also having rootless podman means if somehow the container went rogue, it cannot have access to your root directory and perform malicious actions.

Also podman is a drop in replacement for docker. It does not need much configurations to setup. If you need compose, you might need to install podman-compose as well.

[–] [email protected] 1 points 1 week ago (5 children)

How would a rogue container be able to access the root directory of the host? Wouldn't it just be able to access the data on the docker volumes? Thank you.

[–] [email protected] 3 points 1 week ago* (last edited 1 week ago) (1 children)

~~With root permission you can do chroot.~~

Edit, I did some digging and found that its not the normal files that they can access but can modify kernel parameters and can mount devices and access their files etc. If you want to learn more check https://stackoverflow.com/questions/36425230/privileged-containers-and-capabilities

[–] [email protected] 1 points 1 week ago (1 children)

Can you provide the required arguments for chroot? I've just opened the bash shell of a running container (docker exec -it mycontainer bash) and tried to "break out" using "chroot /". I can't access any files of the host.

[–] [email protected] 1 points 1 week ago (1 children)
[–] [email protected] 1 points 1 hour ago

Thank you, but this only applies to priviledged containers (which are normally not used and should not be used)

load more comments (3 replies)
load more comments (9 replies)