From what I have seen, rootless podman seems to take more effort (even if marginal) than rootful one. I want to make a more informed decision for the containers, so I would like to ask.
- What is a rootless podman good for? How much does it help in terms of security, and does it have other benefits?
- One of the benefits commonly mentioned is for when container is breached. Then, running container on sudo-capable user would give no security benefits. Does it mean I should run podman services on a non-privileged user?
Thank you!
You must log in or register to comment.
One of the main advantage of podman is that, it respects the firewall rules. Docker don’t do that. Also having rootless podman means if somehow the container went rogue, it cannot have access to your root directory and perform malicious actions.
Also podman is a drop in replacement for docker. It does not need much configurations to setup. If you need compose, you might need to install podman-compose as well.
I always hear podman is a drop in replacement, but every time I try most of my stack doesn’t work. Permissions seem to be the issue most of the times, even when I create new volumes. I will try again in a few years probably, but I’m not holding my breath
You need to add
:Zto the end of your volume lines, or lowercasezfor shared volumes.I’m running 50+ containers, probably most of the popular ones, and all working fine.
You made me try again, and I again failed. For example, Navidrome has this issue: https://github.com/navidrome/navidrome/issues/2967
It seems aside from :z i have to remap the user namespace, which I remember trying in the past too and getting mixed results (some worked, some still didn’t). I get this is not a podman issue (also affects rootless docker), but given the default behavior of docker is root, I am not having this issue.
The others didn’t seem to fail at creation, which is a good thing, but I recall some had issues interacting with each other (files created by one not being readable by another and such). Might try with some other navidrome image (or equivalent subsonic server) but unless it’s as easy as adding :z, I don’t think ill be able to continue Thanks in any case :)
How would a rogue container be able to access the root directory of the host? Wouldn’t it just be able to access the data on the docker volumes? Thank you.
With root permission you can do chroot.Edit, I did some digging and found that its not the normal files that they can access but can modify kernel parameters and can mount devices and access their files etc. If you want to learn more check https://stackoverflow.com/questions/36425230/privileged-containers-and-capabilities
Can you provide the required arguments for chroot? I’ve just opened the bash shell of a running container (docker exec -it mycontainer bash) and tried to “break out” using “chroot /”. I can’t access any files of the host.
Thank you, but this only applies to priviledged containers (which are normally not used and should not be used)
This answers all of your questions: https://github.com/containers/podman/discussions/13728 (link was edited, accidentally linked a redhat blog post that didn’t answer your Q directly but does make clear that specifying a user in rootless podman is important for security for the user running the rootless podman container if that user does more than just run the rootless podman container).
So the best defense plus ease of use is podman root assigning non-root UIDs to the containers. You can do the same with Docker, but Docker with non-root UIDs assigned still caries the risk of the root-level Docker daemon being hacked and exploited. Podman does not have a daemon to be hacked and exploited, meaning root Podman with non-root UIDs assigned has no downsides!
Thanks a lot for on-point answer! I wish the answered in the issue wrote a blog post, it would have been of great help.
I wish too for an in-depth blog post, but the github answer is at least succinct enough
