this post was submitted on 15 Mar 2025
44 points (92.3% liked)

Selfhosted

44306 readers
1 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
44
Advantages of rootless podman? (sh.itjust.works)
submitted 2 weeks ago* (last edited 2 weeks ago) by [email protected] to c/[email protected]
23 comments fedilink hide all child comments
 

From what I have seen, rootless podman seems to take more effort (even if marginal) than rootful one. I want to make a more informed decision for the containers, so I would like to ask.

  1. What is a rootless podman good for? How much does it help in terms of security, and does it have other benefits?
  2. One of the benefits commonly mentioned is for when container is breached. Then, running container on sudo-capable user would give no security benefits. Does it mean I should run podman services on a non-privileged user?

Thank you!

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 6 points 2 weeks ago (2 children)

I always hear podman is a drop in replacement, but every time I try most of my stack doesn't work. Permissions seem to be the issue most of the times, even when I create new volumes. I will try again in a few years probably, but I'm not holding my breath

[–] [email protected] 2 points 2 weeks ago* (last edited 2 weeks ago)

Look into podman quadlets. Its containers as systemd services, and its excellent. They run as root by default, but can be run at a user level pretty easily. Ive had no permissions issues as long as you define the user/group in the config and ensure they habe the correct rights to the required folders.

It does take translation from docker compose files, but it's entirely doable. Most of the environmental variables translate straight across.

[–] [email protected] 1 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

You need to add :Z to the end of your volume lines, or lowercase z for shared volumes.

I'm running 50+ containers, probably most of the popular ones, and all working fine.

[–] [email protected] 1 points 2 weeks ago

I don't necessarily agree with it, but there's the third option of just disabling SELinux and removing the frustration entirely.