(codesmash.dev)

1101 points codesmash | 1 comments | 05 Sep 25 11:56 UTC | HN request time: 0.44s | source

Show context

miki123211 ◴[05 Sep 25 15:37 UTC] No.45139800[source]▶

I've been dealing with setting up Podman for work over the last week or so, and I wouldn't wish that on my worst enemy.

If you use rootless Podman on a Redhat-derived distribution (which means Selinux), along with a non-root user in your container itself, you're in for a world of pain.

replies(13): >>45139949 #>>45139952 #>>45140035 #>>45140041 #>>45140112 #>>45140315 #>>45140558 #>>45140561 #>>45140736 #>>45140993 #>>45141204 #>>45141405 #>>45142506 #

Nextgrid ◴[05 Sep 25 16:04 UTC] No.45140112[source]▶

>>45139800 #

I've never seen the benefit of rootless.

Either the machine is a single security domain, in which case running as root is no issue, or it's not and you need actual isolation in which case run VMs with Firecracker/Kata containers/etc.

Rootless is indeed a world of pain for dubious security promises.

replies(3): >>45140192 #>>45140341 #>>45141552 #

1. bbkane ◴[05 Sep 25 16:10 UTC] No.45140192[source]▶

>>45140112 #

I see your point but I wouldn't let the perfect be the enemy of the good.

If I just want to run a random Docker container, I'm grateful I can get at least "some security" without paying as much in setup/debugging/performance.

Of course, ideally I wouldn't have to choose and the thing that runs the container would be able to run it perfectly securely without me having to know that. But I appreciate any movement in that direction, even if it's not perfect.

↑

I ditched Docker for Podman