
1101 points codesmash | 1 comment

0xbadcafebee No.45141926
If "security" is the reason you're switching to Podman, I have some bad news.

Linux gets a new privilege escalation exploit like once a month. If something would break out of the Docker daemon, it will break out of your own user account just fine. Using a non-root app does not make you secure, regardless of whatever containerization feature claims to add security in your own user namespace. On top of all that, Docker has a rootless mode. https://docs.docker.com/engine/security/rootless/

The only things that will make your system secure are 1) hardening every component in the entire system, or 2) virtualization. No containers are secure. That's why cloud providers all use mini-VMs to run customer containers (e.g. AWS Fargate) or force the customer to manage their own VMs that run the containers.

replies(1): >>45142491 #
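The comment above turns on where the boundary actually sits: rootless Docker and Podman run the engine inside a user namespace, so uid 0 inside the container is a remapped unprivileged uid on the host, but that remapping lives in the kernel and a kernel privilege escalation ignores it. A quick way to see which side of that line a process is on is to read its `/proc/self/uid_map` (a real Linux interface; one line of `inside outside length` per mapping). The following script is an added example written for this thread, not code from any commenter; the two sample maps in it are constructed, and the function names are the author's own.

```sh
#!/bin/sh
# Added example: classify a uid_map as "identity" (the initial user namespace,
# i.e. real root is real root) or "remapped" (a user namespace, as used by
# rootless Docker and Podman). Knowing this tells you which boundary you are
# relying on; it does not make a shared kernel any harder to escalate through.

# Constructed sample uid_map contents (not captured from any real host).
# Identity map: uid 0 inside == uid 0 outside, covering the whole 32-bit range.
IDENTITY_MAP="         0          0 4294967295"
# Typical rootless map: container uid 0 -> host uid 1000, then a 65536-wide
# subordinate range starting at host uid 100000.
REMAPPED_MAP="         0       1000          1
         1     100000      65536"

# classify_uid_map <contents>
# Prints "identity" when the map is the single full-range identity line,
# otherwise "remapped".
classify_uid_map() {
    map_lines=0
    map_identity=1
    # Each line is an "inside outside length" triple; default IFS strips the
    # leading padding the kernel prints.
    while read -r inside outside length; do
        [ -z "$inside" ] && continue
        map_lines=$((map_lines + 1))
        if [ "$inside" != "0" ] || [ "$outside" != "0" ] || [ "$length" != "4294967295" ]; then
            map_identity=0
        fi
    done <<EOF
$1
EOF
    if [ "$map_lines" -eq 1 ] && [ "$map_identity" -eq 1 ]; then
        echo identity
    else
        echo remapped
    fi
}

# report_current: classify the namespace this very process runs in.
# /proc/self/uid_map exists on any Linux kernel with user namespaces; other
# systems get a message instead of a classification.
report_current() {
    if [ -r /proc/self/uid_map ]; then
        printf 'this process: %s\n' "$(classify_uid_map "$(cat /proc/self/uid_map)")"
    else
        echo 'this process: /proc/self/uid_map not available'
    fi
}

printf 'constructed identity map: %s\n' "$(classify_uid_map "$IDENTITY_MAP")"
printf 'constructed rootless map: %s\n' "$(classify_uid_map "$REMAPPED_MAP")"
report_current
```

Run it from inside a container started by a rootless engine and `report_current` prints `remapped`; run it in a rootful container or on the host and it prints `identity`. A `remapped` result is worth having (a breakout lands as an unprivileged host uid rather than root), but, as the comment says, it is a process-level boundary enforced by the same kernel the container shares, which is exactly why the VM-per-tenant designs it mentions exist.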
amclennon No.45142491
> That's why cloud providers all use mini-VMs to run customer containers (e.g. AWS Fargate) or force the customer to manage their own VMs that run the containers.

This is only partially true. Google's runtime (gVisor) does not share a kernel with the host machine, but still runs inside of a container.

replies(2): >>45143261 #>>45143314 #
carwyn No.45143314
Second generation moved away from gVisor:

https://cloud.google.com/blog/products/serverless/cloud-run-...

replies(1): >>45144117 #
amclennon No.45144117
Ah, today I learned