-
Based on this discussion, @rhatdan stated that But is the isolation in a unique UserNS as secure as running podman from an unprivileged user? |
Beta Was this translation helpful? Give feedback.
Replies: 3 comments 10 replies
-
It is actually more secure. If you run two containers as a rootless user, they run in the same user namespace so they can attack each other from a User Namespace point of view. If you run two containers as root with podman run --userns auto, then they run in unigue user namespace and are isolated. Rootless containers are great for containers run by users on a system, but if you are just running containers on a server, then --userns=auto is a more secure solution. (I plan on writing a blog on this). |
Beta Was this translation helpful? Give feedback.
-
Can you please remember to write a short blog post stating that a rootful podman is safer than a rootless podman? I'm really struggling to convince other users of this. Maybe a short notice in the README would be enough? |
Beta Was this translation helpful? Give feedback.
-
One thing related to this...what would I think be quite cool is integration with systemd |
Beta Was this translation helpful? Give feedback.
It is actually more secure. If you run two containers as a rootless user, they run in the same user namespace so they can attack each other from a User Namespace point of view.
If you run two containers as root with podman run --userns auto, then they run in unigue user namespace and are isolated.
Rootless containers are great for containers run by users on a system, but if you are just running containers on a server, then --userns=auto is a more secure solution. (I plan on writing a blog on this).