From what I have seen, rootless podman seems to take more effort (even if marginal) than rootful one. I want to make a more informed decision for the containers, so I would like to ask.
- What is a rootless podman good for? How much does it help in terms of security, and does it have other benefits?
- One of the benefits commonly mentioned is for when container is breached. Then, running container on sudo-capable user would give no security benefits. Does it mean I should run podman services on a non-privileged user?
Thank you!
This answers all of your questions: https://github.com/containers/podman/discussions/13728 (link was edited, accidentally linked a redhat blog post that didn’t answer your Q directly but does make clear that specifying a user in rootless podman is important for security for the user running the rootless podman container if that user does more than just run the rootless podman container).
So the best defense plus ease of use is podman root assigning non-root UIDs to the containers. You can do the same with Docker, but Docker with non-root UIDs assigned still caries the risk of the root-level Docker daemon being hacked and exploited. Podman does not have a daemon to be hacked and exploited, meaning root Podman with non-root UIDs assigned has no downsides!
Thanks a lot for on-point answer! I wish the answered in the issue wrote a blog post, it would have been of great help.
I wish too for an in-depth blog post, but the github answer is at least succinct enough