fl1tzi.com/_posts/2023-10-03-podman-userns.md
2023-10-03 18:49:09 +02:00


---
lang: en-us
notice: I'm not an expert and this is just a summary of the information I've found.
title: How To Run Podman Containers Inside One User More Securely
---

Previously, I ran all containers as a single user, with Podman mapping my user's UID to root inside the container (the default when no --userns flag is given).

However, this means that when multiple containers run under one user, they all share that user's permissions, which is less secure: if one container is compromised, the damage to the system can spread further than that one container.

An alternative is --userns=auto. Here root in the container is backed by a separate user namespace, so every container gets its own namespace and can only change files owned by that namespace. This is especially helpful in production.

Another method is --userns=nomap. As far as I understand, this maps every container's root user to the first UID in the subuid range (the UIDs available for child namespaces). The containers therefore don't have my user's permissions, but they all share this one other namespace.
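To check which of these situations a running container is actually in, here is an added POSIX sh helper (not part of the original post) that reads a container's /proc/<pid>/uid_map and reports which host UID its root acts as. The sample maps are constructed to mirror the three modes above, and the podman_uid_map helper assumes podman is installed and a docker.io/library/alpine image can be pulled.

```shell
#!/bin/sh
# Each uid_map line reads: <uid inside the namespace> <uid on the host> <count>

# Print the host UID that container UID 0 (root) maps to, or "unmapped".
root_host_uid() {            # $1 = uid_map text
    printf '%s\n' "$1" | awk '
        $1 <= 0 && 0 < $1 + $3 { print $2 + (0 - $1); found = 1; exit }
        END { if (!found) print "unmapped" }'
}

# Succeed when the given host UID is mapped anywhere in the namespace.
host_uid_mapped() {          # $1 = uid_map text, $2 = host UID
    printf '%s\n' "$1" | awk -v h="$2" '
        h >= $2 && h < $2 + $3 { ok = 1; exit }
        END { exit ok ? 0 : 1 }'
}

# "shares-host-user": root can act as the host user (no --userns).
# "subuid-range":     root is confined to a subordinate UID range.
classify() {                 # $1 = uid_map text, $2 = host user's UID
    if host_uid_mapped "$1" "$2"; then echo "shares-host-user"
    else echo "subuid-range"; fi
}

# Succeed when two containers' roots map to the same host UID, i.e. they
# share one namespace (nomap) rather than separate ones (auto).
same_root_mapping() {        # $1, $2 = uid_map texts
    [ "$(root_host_uid "$1")" = "$(root_host_uid "$2")" ]
}

# Constructed sample maps for a host user with UID 1000 and a subuid
# range starting at 100000 (values are assumptions, not from the post).
MAP_DEFAULT="         0       1000          1
         1     100000      65536"
MAP_NOMAP="         0     100000      65536"
MAP_AUTO_A="         0     100000       1024"
MAP_AUTO_B="         0     101024       1024"

# With podman available, fetch the map a real container gets (assumed image).
podman_uid_map() {           # $1 = --userns value, e.g. auto or nomap
    podman run --rm --userns="$1" docker.io/library/alpine cat /proc/self/uid_map
}
```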

So, to quote Daniel J. Walsh:

"You could also setup a Huge /etc/subuid range for a user and then run lots of containers for that user with --userns=auto ... Which is probably the most secure." [1]

Reference list