pleroma.debian.social

Rootless (podman) containers. What are the security advantages versus launched-as-root-but-container-runs-as-nonroot ? Is it just the reduced surface area of the podman binary doing the launching, before dropping privileges? Is there something more?
replies
1
announces
1
likes
1

@fanf it doesn’t, no: so the risk surface (for launching as uid 0) is just whatever it does before spawning the (non-uid 0) container subprocess (plus anything that lingers. I see it might spawn a sidecar “conmon” process for example).