Podman Security

podman(1) is designed to simplify the networking and process management that make dockerd(8) difficult to harden.


Rootless Mode

It is possible to avoid the use of root entirely.

On Fedora and derivative distributions, podman(1) is pre-configured to run in this manner.

On Arch Linux, install the fuse-overlayfs package.

Configure /etc/subuid with a user name, UID range start, and UID range size.

somebody:165536:65536

Similarly, configure /etc/subgid like:

somebody:165536:65536

Finally, run podman system migrate so that the pause process reloads the new mappings.

It may be necessary to also enable lingering, so that user-owned processes can remain running after logout.

loginctl enable-linger username
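The /etc/subuid and /etc/subgid entries above are easy to get wrong by hand, and two users whose ranges overlap can reach each other's container files. The following POSIX shell script is an added example, not part of this page or of the Podman project: it parses entries in the name:start:size format shown above and reports malformed lines and overlapping ranges. The floor of 65536 for the range start is this script's own assumption, chosen so subordinate IDs never land in the regular UID/GID space.

```shell
#!/bin/sh
# Validate /etc/subuid or /etc/subgid entries ("name:start:size") read from stdin.
# Added example; not part of the wiki page. The 65536 floor is this script's own
# policy (assumption), keeping subordinate IDs out of the regular UID/GID space.

# Parse one entry; print "name start end" (inclusive) or fail on a malformed line.
subid_parse() {
    line=$1
    case $line in
        *:*:*:*) return 1 ;;   # too many fields
        *:*:*) ;;              # exactly three fields
        *) return 1 ;;         # too few fields
    esac
    name=${line%%:*}; rest=${line#*:}
    start=${rest%%:*}; size=${rest#*:}
    [ -n "$name" ] || return 1
    case $start in ''|*[!0-9]*) return 1 ;; esac
    case $size  in ''|*[!0-9]*) return 1 ;; esac
    [ "$size" -gt 0 ] || return 1
    echo "$name $start $((start + size - 1))"
}

# Read a whole file from stdin; return non-zero if any entry is malformed,
# starts below the floor, or overlaps an earlier entry.
subid_validate() {
    seen='' status=0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac      # skip blanks and comments
        if ! rec=$(subid_parse "$line"); then
            echo "malformed entry: $line" >&2; status=1; continue
        fi
        set -- $rec
        name=$1 start=$2 end=$3
        if [ "$start" -lt 65536 ]; then
            echo "$name: range starts inside the regular ID space" >&2; status=1
        fi
        for prev in $seen; do                        # records are "name,start,end"
            pname=${prev%%,*}; p=${prev#*,}; pstart=${p%%,*}; pend=${p#*,}
            if [ "$start" -le "$pend" ] && [ "$end" -ge "$pstart" ]; then
                echo "$name overlaps $pname" >&2; status=1
            fi
        done
        seen="$seen $name,$start,$end"
    done
    return $status
}

# Usage: subid_validate < /etc/subuid && subid_validate < /etc/subgid
```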



Podman/Security (last edited 2023-04-05 16:55:24 by DominicRicottone)