• azdle@news.idlestate.org
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    1
    ·
    1 year ago

    If your distro offers it, rootless podman + podman system service is the best setup, IMO. That will give you a docker command that is 1-to-1 compatible with docker and lets you use tools like docker-compose that expect a docker service socket. Then you can just follow tutorials that only explain things for docker.

    • ssdfsdf3488sd@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      will it let you do rootless nfs mounts into the container? That’s the showstopper for me, as that is by far the best way to just make this all work within the context of my file storage.

    • lemmyvore@feddit.nl
      link
      fedilink
      English
      arrow-up
      0
      ·
      1 year ago

      What is rootless bring brought up so much? It’s a container, it’s isolated from the host anyway, what does it matter what user runs inside? And if something breaks into the container they can trash the app in it and the shared volumes anyway, even if they’re not root.

      • azdle@news.idlestate.org
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        1
        ·
        edit-2
        1 year ago

        Defense in depth. If something escapes the container it’s limited to only what’s under that user and not the whole system. Having access to the whole system makes it easier for malware to hide/persist itself.

        • lemmyvore@feddit.nl
          link
          fedilink
          English
          arrow-up
          0
          ·
          1 year ago

          Correct me if I’m wrong but containerization is enforced by the kernel, correct? If something escapes you’re pretty much screwed anyway.

          • Atemu@lemmy.ml
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            There are many layers involved in preventing escapes from containers.

      • MartianSands@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        0
        ·
        1 year ago

        Because a container is only as isolated from the host as you want it to be.

        Suppose you run a container and mount the entire filesystem into it. If that container is running as root, it can then read and write anything it likes (including password databases and /etc/sudo)

        • lemmyvore@feddit.nl
          link
          fedilink
          English
          arrow-up
          0
          ·
          1 year ago

          So what? If I mount / in the container and choose to run it as root that’s my business. Why would the containerization engine second-guess what I’m doing?

          How would you like it if sudo told you “I can’t let you be root, you could read and write anything you like, including password databases and /etc/sudo”?

          • IAm_A_Complete_Idiot@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            1
            ·
            edit-2
            1 year ago

            The point is to minimize privilege to the least possible - not to make it impossible to create higher privileged containers. If a container doesn’t need to get direct raw hardware access, manage low ports on the host network, etc. then why should I give it root and let it be able to do those things? Mapping it to a user, controlling what resources it has access to, and restricting it’s capabilities means that in the event that my container gets compromised, my entire host isn’t necessarily screwed.

            We’re not saying “sudo shouldn’t be able to run as root” but that “by default things shouldn’t be run with sudo - and you need a compelling reason to swap over when you do”