Replies: 2 comments
- @abitrolly This issue does not seem actionable to me. Whether you use
- @abitrolly I think it's more a discussion on if "nerdctl can be a secure unprivileged podman alternative", so convert to discussion :)
What is the problem you're trying to solve

podman is without a doubt secure as long as Linux containers are. However, using it without shooting yourself in the foot with SELinux is impossible for an ordinary user. podman requires all volumes to be suffixed with :Z or :z, and when you accidentally run this command in HOME, you get SNAFU. Not just for podman, but for all apps that rely on correct SELinux labels in their dirs.

The problems don't end there. To run an unprivileged container that sets its own USER option, one needs to do some magic UID/GID tricks to write to its volume, which should be obvious for kernel developers, but not for users. Even with the explanations I've been given in containers/podman#16258 I have to admit that I don't get it, because so far I could not make it work. Either the container is unable to write to my volume, or it creates files that I can not access on my part.
Describe the solution you'd like

I want to see if nerdctl can be used as an alternative to podman to run unprivileged containers without sacrificing security. I am ready to give up SELinux and stuff, as I've already spent too much time trying to be a lawful citizen of Fedora with it. But I still don't want to go the privileged way of doing things yet.

Additional context

No response
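The two pitfalls the question describes (a :Z relabel accidentally applied to HOME, and volume files ending up owned by a UID the user cannot access) can be fenced off with a small wrapper script. This is an added example, not code from the discussion or from the podman or nerdctl projects: the function names safe_to_relabel and build_run_cmd, the path list and the image name are this example's own choices; --userns=keep-id is podman's flag for mapping the invoking user's UID/GID onto the container user.

```shell
#!/bin/sh
# Guardrail wrapper around "podman run -v SRC:DST:Z" (added example).
# Relabelling with :Z rewrites the SELinux context of everything under SRC,
# so it must never be applied to $HOME, an ancestor of $HOME, or system dirs.

# safe_to_relabel PATH [HOME]: return 0 when PATH is a dedicated directory
# that may be relabelled, 1 otherwise. Pass absolute paths; comparison is
# textual, symlinks are not resolved (a simplification of this example).
safe_to_relabel() {
    path="${1%/}"
    home="${2:-$HOME}"
    home="${home%/}"
    case "$path" in
        ""|/|/usr|/usr/*|/etc|/etc/*|/boot|/boot/*) return 1 ;;
    esac
    # HOME itself: relabelling it breaks every app keeping state under HOME
    [ "$path" = "$home" ] && return 1
    # an ancestor of HOME (e.g. /home): the relabel cascades into HOME
    case "$home" in "$path"/*) return 1 ;; esac
    return 0
}

# build_run_cmd SRC DST IMAGE: print the podman command line that would be
# run, without executing it. --userns=keep-id maps the invoking host UID/GID
# onto the container user, so files written into the volume stay readable
# and writable by the same user on the host side.
build_run_cmd() {
    src="$1"; dst="$2"; image="$3"
    safe_to_relabel "$src" || {
        echo "refusing to relabel $src; use a dedicated subdirectory" >&2
        return 1
    }
    printf 'podman run --rm --userns=keep-id -v %s:%s:Z %s\n' \
        "$src" "$dst" "$image"
}
```

Because the wrapper only prints the command, it can be dropped into an alias or CI step and reviewed before anything is relabelled.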