From what I have seen, rootless podman seems to take more effort (even if marginal) than rootful one. I want to make a more informed decision for the containers, so I would like to ask.

  1. What is a rootless podman good for? How much does it help in terms of security, and does it have other benefits?
  2. One of the benefits commonly mentioned is for when container is breached. Then, running container on sudo-capable user would give no security benefits. Does it mean I should run podman services on a non-privileged user?

Thank you!

  • cmgvd3lwEnglish
    1·
    8 hours ago
    1. What is the benefit of creating users for every service? Wouldn’t one be sufficient?
    2. Also just out of curiosity, why not in sodo’ers list?
    • Shimitar@downonthestreet.euEnglish
      4·
      6 hours ago

      Maybe one would be sufficient, but for better separation and to have a single startup script for every service I prefer to keep them on different users.

      In this way, also the data of each service is created with a different user and cannot be messed up by a rogue service…

      And why let that user access root in any way? Even via sudo? No need. No risk.

      One service one user. Simple security and separation policy