(codesmash.dev)

1101 points codesmash | 1 comments | 05 Sep 25 11:56 UTC | HN request time: 0s | source

Show context

miki123211 ◴[05 Sep 25 15:37 UTC] No.45139800[source]▶

I've been dealing with setting up Podman for work over the last week or so, and I wouldn't wish that on my worst enemy.

If you use rootless Podman on a Redhat-derived distribution (which means Selinux), along with a non-root user in your container itself, you're in for a world of pain.

replies(13): >>45139949 #>>45139952 #>>45140035 #>>45140041 #>>45140112 #>>45140315 #>>45140558 #>>45140561 #>>45140736 #>>45140993 #>>45141204 #>>45141405 #>>45142506 #

Nextgrid ◴[05 Sep 25 16:04 UTC] No.45140112[source]▶

>>45139800 #

I've never seen the benefit of rootless.

Either the machine is a single security domain, in which case running as root is no issue, or it's not and you need actual isolation in which case run VMs with Firecracker/Kata containers/etc.

Rootless is indeed a world of pain for dubious security promises.

replies(3): >>45140192 #>>45140341 #>>45141552 #

1. pkulak ◴[05 Sep 25 18:00 UTC] No.45141552[source]▶

>>45140112 #

Rootless is nice because if you mount some directory in, all the files don't end up owned by root. You can get around that by custom building every image so the user has your user id, but that's a pain.

↑

I ditched Docker for Podman