little correction
This commit is contained in:
parent
b4f925b9fc
commit
e01dc8e8fc
|
@ -6,7 +6,7 @@ title: How To Run Podman Containers Inside One User More Securely
|
|||
|
||||
Previously, I ran containers as a single user with Podman mapping the UID in the container as root (without the `--userns` flag).
|
||||
|
||||
However, this means that when multiple containers are run with a single user, they share their permissions, which is less secure. This is because if one container is compromised, the whole user directory could be changed.
|
||||
However, this means that when multiple containers are run with a single user, they share their permissions, which is less secure. This is because if one container is compromised, the harm done to the system could eventually be bigger.
|
||||
|
||||
An alternative to this approach is the usage of `--userns=auto`. This uses a separate user namespace as the root in the container. So every container has a different user namespace and therefore only permission to change files in this namespace. This is especially helpful in production.
|
||||
|
||||
|
|
|
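Review bot: the replacement sentence ("the harm done to the system could eventually be bigger") is vaguer than the line it replaces, which at least named a concrete consequence. Keep a concrete claim and correct its scope instead: because every container runs as the same host user (the line above says the container UID is mapped as root without `--userns`), a compromised container can read or modify anything that user owns on the host, including the other containers' storage and mounted volumes. That is precisely the sharing the `--userns=auto` paragraph below addresses, so naming it here makes the contrast land.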
@ -26,7 +26,7 @@
|
|||
<section id="content">
|
||||
<p>Previously, I ran containers as a single user with Podman mapping the UID in the container as root (without the <code class="language-plaintext highlighter-rouge">--userns</code> flag).</p>
|
||||
|
||||
<p>However, this means that when multiple containers are run with a single user, they share their permissions, which is less secure. This is because if one container is compromised, the whole user directory could be changed.</p>
|
||||
<p>However, this means that when multiple containers are run with a single user, they share their permissions, which is less secure. This is because if one container is compromised, the harm done to the system could eventually be bigger.</p>
|
||||
|
||||
<p>An alternative to this approach is the usage of <code class="language-plaintext highlighter-rouge">--userns=auto</code>. This uses a separate user namespace as the root in the container. So every container has a different user namespace and therefore only permission to change files in this namespace. This is especially helpful in production.</p>
|
||||
|
||||
|
|
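Review bot: this hunk hand-applies the same wording change to generated HTML (the `highlighter-rouge` classes indicate Jekyll build output committed alongside the Markdown source). Any future edit must now be made twice, and the two copies can silently drift; in this commit they do match, but consider regenerating the HTML in the build instead of editing it directly, or at least diffing the two hunks before merging to confirm the sentences are identical.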