Rootless (podman) containers. What are the security advantages versus launched-as-root-but-container-runs-as-nonroot? Is it just the reduced surface area of the podman binary doing the launching, before dropping privileges? Is there something more?
- replies: 1, announces: 1, likes: 1
@fanf it doesn’t, no: so the risk surface (for launching as uid 0) is just whatever it does before spawning the (non-uid 0) container subprocess (plus anything that lingers; I see it might spawn a sidecar “conmon” process, for example).
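As an added illustration of the two points in the exchange above (this is example code, not from the thread participants or the podman project): two small POSIX-shell checks. `map_uid` translates a container UID to a host UID through a uid_map in the `/proc/<pid>/uid_map` format, showing that under a rootless launch the container's uid 0 lands on the launching user's own uid and everything else on a subuid range, whereas a root-launched container without a user namespace has the identity map, so its uid 0 is host uid 0 (and the non-root uid the workload drops to is the same uid on the host). `root_runtime_procs` filters `ps -eo pid,user,comm` output for podman/conmon/crun/runc processes running as root, i.e. the lingering uid-0 pieces the reply mentions. The function names, the sample uid_map strings and the ps snapshot are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread above). Two checks that make the
# rootless-vs-root-launched difference concrete:
#   1. map_uid: translate a container UID to the host UID through a uid_map
#      in the /proc/<pid>/uid_map format ("inside outside length" per line).
#   2. root_runtime_procs: from `ps -eo pid,user,comm` style output, list the
#      podman/conmon/crun/runc processes running as root, i.e. what lingers
#      with uid 0 around a root-launched container.
# All sample data below is constructed for the example, not captured.

# map_uid CONTAINER_UID UID_MAP_TEXT -> prints the host UID, or "unmapped"
map_uid() {
    printf '%s\n' "$2" | awk -v want="$1" '
        BEGIN { w = want + 0 }
        NF == 3 && w >= $1 + 0 && w < $1 + $3 { print $2 + (w - $1); found = 1; exit }
        END { if (!found) print "unmapped" }'
}

# root_runtime_procs PS_TEXT -> prints "PID COMM" for runtime pieces running as root
# (the first line of PS_TEXT is assumed to be the ps header and is skipped)
root_runtime_procs() {
    printf '%s\n' "$1" | awk '
        NR > 1 && $2 == "root" && $3 ~ /^(podman|conmon|crun|runc)$/ { print $1, $3 }'
}

# Constructed uid_map as seen from inside a rootless podman container launched
# by host user 1000 whose /etc/subuid range is 100000-165535: container uid 0
# is the user's own uid, uids 1.. are taken from the subuid range.
ROOTLESS_MAP='0 1000 1
1 100000 65536'

# Constructed uid_map of a container started by root without a user namespace:
# the identity map, so container uid 0 is host uid 0.
ROOTFUL_MAP='0 0 4294967295'

# Constructed `ps -eo pid,user,comm` snapshot: one root-launched and one
# rootless container running side by side.
PS_SAMPLE='PID USER COMM
1 root systemd
812 root podman
815 root conmon
818 root crun
820 nobody nginx
901 alice podman
903 alice conmon
905 alice nginx'

demo() {
    echo "rootless: container uid 0 -> host uid $(map_uid 0 "$ROOTLESS_MAP")"
    echo "rootless: container uid 1 -> host uid $(map_uid 1 "$ROOTLESS_MAP")"
    echo "rootless: container uid 70000 -> $(map_uid 70000 "$ROOTLESS_MAP")"
    echo "rootful:  container uid 0 -> host uid $(map_uid 0 "$ROOTFUL_MAP")"
    echo "runtime processes still running as root:"
    root_runtime_procs "$PS_SAMPLE"
}
demo
```

On a real host the same functions can be fed live data: `map_uid 0 "$(podman unshare cat /proc/self/uid_map)"` shows where a rootless container's uid 0 lands, and `root_runtime_procs "$(ps -eo pid,user,comm)"` lists whatever runtime pieces are still sitting at uid 0; in a fully rootless setup that second list should be empty.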