From what I have seen, rootless podman seems to take more effort (even if marginal) than rootful one. I want to make a more informed decision for the containers, so I would like to ask.
- What is a rootless podman good for? How much does it help in terms of security, and does it have other benefits?
- One of the benefits commonly mentioned is for when container is breached. Then, running container on sudo-capable user would give no security benefits. Does it mean I should run podman services on a non-privileged user?
Thank you!
You need to add
:Z
to the end of your volume lines, or lowercasez
for shared volumes.I’m running 50+ containers, probably most of the popular ones, and all working fine.
I don’t necessarily agree with it, but there’s the third option of just disabling SELinux and removing the frustration entirely.