• 1 Post
  • 2 Comments
Joined 2 years ago
cake
Cake day: June 11th, 2023

help-circle

  • glizzyguzzler@lemmy.blahaj.zonetoSelfhosted@lemmy.worldPodman or rootless docker?
    link
    fedilink
    English
    arrow-up
    11
    arrow-down
    1
    ·
    edit-2
    1 month ago

    Hey bigdickdonkey, I recently tried and wasn’t able to shit my way through podman, there just wasn’t enough chatter and guides about it. I plan to revisit it when Debian 13 comes out, which will include podman quadlets. I also tried to get podman quadlets to work on Ubuntu 24 and got closer, but still didn’t manage and Ubuntu is squicky.

    I read about true user rootless Docker and decided that was too finicky to keep up to date. It needs some annoying stuff to update, from what I could tell. I was planning on many users having their own containers, and that would have gotten annoying to manage. Maybe a single user would be an OK burden.

    The podman people make a good argument for running podman as root and using userns to divvy out UIDs to achieve rootless https://www.redhat.com/en/blog/rootless-podman-user-namespace-modes but since podman is on the back burner till there’s more community and Debian 13, I applied that idea to Docker.

    So I went with root Docker with the goals of:

    • read only
    • set user to different UID:GID for each container
    • silo containers in individual Docker networks
    • nothing gets /var/run/docker.sock
    • cap_drop: all
    • security-opt=no-new-privileges
    • volumes all get tagged with :rw,noexec,nosuid,nodev,Z

    Basically it’s the security best practices from this list https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html

    This still has risk of the Docker daemon being hacked from the container itself somehow, which podman eliminates, but it’s as close to the podman ideal I can get within my knowledge now.

    Most things will run as rootless+read-only+cap_drop with minor messing. Automatic ripping machine would not, but that project is a wild ride of required permissions. Everything else has succumbed, but I’ve needed to sometimes have a “pre launch container” to do permission changes or make somewhere like /opt writable.

    I would transition one app stack at a time to the best security practices, and it’s easier since you don’t need to change container managers. Hope this helps!