1 Post · 11 Comments · Joined 2 months ago (Cake day: January 28th, 2025)

  • Shimitar@downonthestreet.eu to Selfhosted@lemmy.world: Advantages of rootless podman?
    7 up · 1 down · edited · 1 day ago

    Maybe one would be sufficient, but for better separation and to have a single startup script for every service I prefer to keep them on different users.

    In this way, also the data of each service is created with a different user and cannot be messed up by a rogue service…

    And why let that user access root in any way? Even via sudo? No need. No risk.

    One service, one user. Simple security and separation policy.



  • Shimitar@downonthestreet.eu to Selfhosted@lemmy.world: Advantages of rootless podman?
    23 up · 1 down · edited · 2 days ago

    A rootless container is good for security.

    A lifetime-old basic rule is: never run anything as root, not even your podman :)

    I only ever use rootless podman in my system and I find it pretty easy to actually run: zero effort whatsoever.

    Why do you say it’s complicated?

    Yes I always create one unprivileged user (not even in the sudoers or wheel group ofc) for every service I containerize. And create a dedicated network for the service too.

    It only takes a few lines in a normal docker compose yaml.

    Also I use docker compose on podman, yes, docker compose, not podman compose.

    Edit2: refer to this post of mine on how I installed immich on rootless podman: https://wiki.gardiol.org/doku.php?id=services%3Aimmich As you can see, the most complex part is… useradd & mkdir LOL

    Edit: also podman plays nice with iptables and nft (which should always be preferred nowadays); docker instead can mess your system up good, and doesn’t work with nft tables, unless quirks quirks…
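The one-service-one-unprivileged-user layout described in these two comments, as an added example that is not Shimitar's own script or setup: a dedicated system user with no shell and no wheel/sudo membership, a compose file with the service's own network, and docker compose driven over the rootless podman socket. It assumes podman, docker compose and systemd user sessions; the /srv layout, the nologin path and the image name are assumptions, and immich is only taken from the linked wiki page.

```shell
# Added example, not code from the thread. Assumes podman, docker compose and
# systemd user sessions; root is needed only for provision(). The /srv layout
# and the nologin path are constructed placeholders.
set -eu
# Every service gets its own home/data tree (constructed layout).
svc_home() { printf '/srv/%s\n' "$1"; }
# Check a group list (as printed by `id -nG USER`) holds no group that grants
# root or a daemon socket. Returns 0 if unprivileged, 1 otherwise.
groups_are_unprivileged() {
  for g in $1; do
    case "$g" in wheel|sudo|root|docker) return 1 ;; esac
  done
  return 0
}
# Compose file for one service: dedicated network, all capabilities dropped,
# no privilege escalation, data bind-mounted from the service user's own tree.
render_compose() {
  svc="$1"; image="$2"
  cat <<EOF
services:
  $svc:
    image: $image
    networks: [${svc}_net]
    cap_drop: [ALL]
    security_opt: [no-new-privileges:true]
    volumes:
      - $(svc_home "$svc")/data:/data:Z
networks:
  ${svc}_net:
    name: ${svc}_net
EOF
}
# Root step: user with no shell and no wheel/sudo membership, owned data dir,
# lingering so its user services keep running without a login session.
provision() {
  svc="$1"; home="$(svc_home "$svc")"
  useradd --system --create-home --home-dir "$home" --shell /usr/sbin/nologin "$svc"
  mkdir -p "$home/data" && chown -R "$svc:$svc" "$home"
  loginctl enable-linger "$svc"
  groups_are_unprivileged "$(id -nG "$svc")" || { echo "$svc is privileged" >&2; exit 1; }
  render_compose "$svc" "$2" > "$home/docker-compose.yml"
}
# Run as the service user itself: docker compose over the rootless podman socket.
up_service() {
  systemctl --user enable --now podman.socket
  DOCKER_HOST="unix:///run/user/$(id -u)/podman/podman.sock" \
    docker compose -f "$(svc_home "$1")/docker-compose.yml" up -d
}
case "${1:-}" in provision) provision "$2" "$3" ;; up) up_service "$2" ;; esac
```

Run `provision immich IMAGE` once as root, then `up immich` as the immich user (the image name is a placeholder you supply).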