From what I have seen, rootless podman seems to take more effort (even if marginal) than rootful one. I want to make a more informed decision for the containers, so I would like to ask.

  1. What is a rootless podman good for? How much does it help in terms of security, and does it have other benefits?
  2. One of the benefits commonly mentioned is for when container is breached. Then, running container on sudo-capable user would give no security benefits. Does it mean I should run podman services on a non-privileged user?

Thank you!

  • asap@lemmy.worldEnglish
    1·
    21 hours ago

    You need to add :Z to the end of your volume lines, or lowercase z for shared volumes.

    I’m running 50+ containers, probably most of the popular ones, and all working fine.

    • Railcar8095@lemm.eeEnglish
      1·
      2 hours ago

      You made me try again, and I again failed. For example, Navidrome has this issue: https://github.com/navidrome/navidrome/issues/2967

      It seems aside from :z i have to remap the user namespace, which I remember trying in the past too and getting mixed results (some worked, some still didn’t). I get this is not a podman issue (also affects rootless docker), but given the default behavior of docker is root, I am not having this issue.

      The others didn’t seem to fail at creation, which is a good thing, but I recall some had issues interacting with each other (files created by one not being readable by another and such). Might try with some other navidrome image (or equivalent subsonic server) but unless it’s as easy as adding :z, I don’t think ill be able to continue Thanks in any case :)

    • felbane@lemmy.worldEnglish
      1·
      11 hours ago

      I don’t necessarily agree with it, but there’s the third option of just disabling SELinux and removing the frustration entirely.