From what I have seen, rootless podman seems to take more effort (even if marginal) than rootful one. I want to make a more informed decision for the containers, so I would like to ask.

  1. What is a rootless podman good for? How much does it help in terms of security, and does it have other benefits?
  2. One of the benefits commonly mentioned is for when container is breached. Then, running container on sudo-capable user would give no security benefits. Does it mean I should run podman services on a non-privileged user?

Thank you!

  • asap@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    5 hours ago

    Here’s my Navidrome config. This is running on uCore version of CoreOS, with rootless Podman and SELinux. I made no configuration changes to Podman out-of-the-box, and this is the full compose file.

    i have to remap the user namespace

    Note: I have not done this. What are you running Podman on? Perhaps there is some config issue with the host, since you’re having issues with many containers?

    To be fair, maybe just go with docker if it’s causing that much pain. But again, mine is working OOTB without making any changes to the Podman setup on ucore, and using the config below.

    services:
      navidrome:
        image: deluan/navidrome:latest
        container_name: navidrome
        ports:
          - "3015:4533"
        restart: unless-stopped
        environment:
          # Optional: put your config options customization here. Examples:
        volumes:
          - ./data:/data:Z
          - ./config.toml:/navidrome.toml:Z