From what I have seen, rootless podman seems to take more effort (even if marginal) than rootful one. I want to make a more informed decision for the containers, so I would like to ask.

  1. What is a rootless podman good for? How much does it help in terms of security, and does it have other benefits?
  2. One of the benefits commonly mentioned is for when container is breached. Then, running container on sudo-capable user would give no security benefits. Does it mean I should run podman services on a non-privileged user?

Thank you!

  • ShimitarA
    link
    fedilink
    English
    arrow-up
    11
    arrow-down
    1
    ·
    edit-2
    13 hours ago

    A rootless container is good for security.

    A lifetime old basic rule is never run anything as root, not even your podman :)

    I only ever use rootless podman jn my system and I fond it pretty easy to actually run: zero effort whatsoever.

    Why you say it’s complicated?

    Yes I always create one unprivileged user (not even in the sudoers or wheel group ofc) for every service I containerize. And create a dedicated network for the service too.

    It only takes a few lines in a normal docker compose yaml.

    Also I use docker compose on podman, yes docker compose not podman compose.

    Edit2: refer to this post of mine on how installed immich on rootless podman https://wiki.gardiol.org/doku.php?id=services%3Aimmich as you can see, the most complex part is… Useradd & mkdir LOL

    Edit: also podman play nice with iptables and nft (which should be always preferred nowadays) instead docker can mess your system good, and don’t work with nft tables, unless quirks quirks…

    • cmgvd3lw@discuss.tchncs.de
      link
      fedilink
      English
      arrow-up
      1
      ·
      6 hours ago
      1. What is the benefit of creating users for every service? Wouldn’t one be sufficient?
      2. Also just out of curiosity, why not in sodo’ers list?
      • ShimitarA
        link
        fedilink
        English
        arrow-up
        4
        ·
        edit-2
        4 hours ago

        Maybe one would be sufficient, but for better separation and to have a single startup script for every service I prefer to keep them on different users.

        In this way, also the data of each service is created with a different user and cannot be messed up by a rogue service…

        And why let that user access root in any way? Even via sudo? No need. No risk.

        One service one user. Simple security and separation policy

        • glizzyguzzler@lemmy.blahaj.zone
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 hour ago

          I do this but with root Docker, every service gets a user:####:#### and that #### is tied to a useradd I made. Chown the data directory the container is given and it just works. In Docker this does not work for Linuxserver images but podman has way more user: specifications so I have a feeling Linuxserver images will work there with the user restrictions.

          For something like Gotenberg which is part of paperless ngx I gave Gotenberg its own user too, it has chromium and might ingest a malicious pdf somehow or something. Might as well keep Gotenberg from being able to hose the rest of paperless!

          I do plan to move to podman with 5.0+ in Debian 13 and that will remove the Docker daemon attack surface and the occasional firewall issues that come with Docker. So I’m not advocating for Docker over podman here.

    • sugar_in_your_tea@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      10 hours ago

      this post of mine

      You have a typo in the title for the section about backups.

      In that post you use the compose format. Have you used quadlet? My understanding is that’s the “preferred” way to do things, I’ve also had some issues and am trying to decide if it’s worth it. Any thoughts?

      • ShimitarA
        link
        fedilink
        English
        arrow-up
        2
        ·
        9 hours ago

        No, quadlet seems to require systemd and I run OpenRC.

      • asap@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        10 hours ago

        I run 50+ containers with rootless Podman compose (on CoreOS) and haven’t encountered any unsolvable issues so far.

        I’ve never tried quadlets but haven’t found a need or any driving reason to do so.

  • cmgvd3lw@discuss.tchncs.de
    link
    fedilink
    English
    arrow-up
    22
    arrow-down
    2
    ·
    16 hours ago

    One of the main advantage of podman is that, it respects the firewall rules. Docker don’t do that. Also having rootless podman means if somehow the container went rogue, it cannot have access to your root directory and perform malicious actions.

    Also podman is a drop in replacement for docker. It does not need much configurations to setup. If you need compose, you might need to install podman-compose as well.

    • Railcar8095@lemm.ee
      link
      fedilink
      English
      arrow-up
      5
      ·
      8 hours ago

      I always hear podman is a drop in replacement, but every time I try most of my stack doesn’t work. Permissions seem to be the issue most of the times, even when I create new volumes. I will try again in a few years probably, but I’m not holding my breath

  • glizzyguzzler@lemmy.blahaj.zone
    link
    fedilink
    English
    arrow-up
    8
    ·
    edit-2
    15 hours ago

    This answers all of your questions: https://github.com/containers/podman/discussions/13728 (link was edited, accidentally linked a redhat blog post that didn’t answer your Q directly but does make clear that specifying a user in rootless podman is important for security for the user running the rootless podman container if that user does more than just run the rootless podman container).

    So the best defense plus ease of use is podman root assigning non-root UIDs to the containers. You can do the same with Docker, but Docker with non-root UIDs assigned still caries the risk of the root-level Docker daemon being hacked and exploited. Podman does not have a daemon to be hacked and exploited, meaning root Podman with non-root UIDs assigned has no downsides!

  • Possibly linux@lemmy.zip
    link
    fedilink
    English
    arrow-up
    4
    arrow-down
    1
    ·
    16 hours ago

    Rootless podman means that it is less likely to bork the system. It is also nice to have per user containers.

    Another benefit is that you can run podman in a service user. This makes sandboxing much easier.