From what I have seen, rootless podman seems to take more effort (even if marginal) than rootful one. I want to make a more informed decision for the containers, so I would like to ask.
- What is a rootless podman good for? How much does it help in terms of security, and does it have other benefits?
- One of the benefits commonly mentioned is for when container is breached. Then, running container on sudo-capable user would give no security benefits. Does it mean I should run podman services on a non-privileged user?
Thank you!
With root permission you can do chroot.Edit, I did some digging and found that its not the normal files that they can access but can modify kernel parameters and can mount devices and access their files etc. If you want to learn more check https://stackoverflow.com/questions/36425230/privileged-containers-and-capabilities
Can you provide the required arguments for chroot? I’ve just opened the bash shell of a running container (docker exec -it mycontainer bash) and tried to “break out” using “chroot /”. I can’t access any files of the host.
https://stackoverflow.com/questions/36425230/privileged-containers-and-capabilities