little correction

Fl1tzi 2023-10-03 18:49:09 +02:00
parent b4f925b9fc
commit e01dc8e8fc
No known key found for this signature in database
GPG key ID: 06B333727810C686
2 changed files with 2 additions and 2 deletions


@ -6,7 +6,7 @@ title: How To Run Podman Containers Inside One User More Securely
Previously, I ran containers as a single user with Podman mapping the UID in the container as root (without the `--userns` flag).
However, this means that when multiple containers are run with a single user, they share their permissions, which is less secure. This is because if one container is compromised, the whole user directory could be changed.
However, this means that when multiple containers are run with a single user, they share their permissions, which is less secure. This is because if one container is compromised, the harm done to the system could eventually be bigger.
An alternative to this approach is the usage of `--userns=auto`. This uses a separate user namespace as the root in the container. So every container has a different user namespace and therefore only permission to change files in this namespace. This is especially helpful in production.
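Review bot: the replacement sentence is vaguer than the one it removes. "The harm done to the system could eventually be bigger" no longer tells the reader what the harm is, while the removed line at least named a concrete consequence (the user's directory being modified). Suggest keeping the concrete statement, for example: "This is because if one container is compromised, the attacker holds the same UID as every other container and can read or modify any file that user owns, including the other containers' data." That keeps the reasoning that the following `--userns=auto` paragraph builds on, namely that each container getting its own UID mapping limits what a compromised container can touch.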


@ -26,7 +26,7 @@
<section id="content">
<p>Previously, I ran containers as a single user with Podman mapping the UID in the container as root (without the <code class="language-plaintext highlighter-rouge">--userns</code> flag).</p>
<p>However, this means that when multiple containers are run with a single user, they share their permissions, which is less secure. This is because if one container is compromised, the whole user directory could be changed.</p>
<p>However, this means that when multiple containers are run with a single user, they share their permissions, which is less secure. This is because if one container is compromised, the harm done to the system could eventually be bigger.</p>
<p>An alternative to this approach is the usage of <code class="language-plaintext highlighter-rouge">--userns=auto</code>. This uses a separate user namespace as the root in the container. So every container has a different user namespace and therefore only permission to change files in this namespace. This is especially helpful in production.</p>
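Review bot: this second file is the built HTML mirror of the markdown change in the first file, and it has been edited by hand to match. The `language-plaintext highlighter-rouge` classes indicate Jekyll/Rouge output, so the generated page should be regenerated from the markdown source rather than patched in parallel, otherwise the two copies will drift the next time only one of them is edited. If the built output must stay in the repository, regenerate it as part of the same commit; otherwise consider dropping it from version control and building on deploy. The wording point raised on the markdown hunk applies here as well, since the same sentence is replaced.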