Podman Security
podman(1) is designed to simplify the networking and process management that make dockerd(8) difficult to harden.
Rootless Mode
It is possible to avoid the use of root entirely.
On Fedora and derivative distributions, podman(1) is pre-configured to run in this manner.
On Arch Linux, install the fuse-overlayfs package.
Configure /etc/subuid with a user name, UID range start, and UID range size, separated by colons:
somebody:165536:65536
Similarly, configure /etc/subgid like:
somebody:165536:65536
Finally, run podman system migrate to make the pause process reload.
It may also be necessary to enable lingering, so that user-owned processes can remain running after logout.
loginctl enable-linger username
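A check for the /etc/subuid and /etc/subgid entries configured above, as an added example that is not part of the original page. The hypothetical check_subid function confirms that the user has a well-formed range and that it does not overlap another user's range, since an overlap would map one user's containers onto IDs owned by another user's.

```shell
#!/bin/sh
# Added example (not from the original page). check_subid is a hypothetical helper.
# Usage: sh check_subid.sh /etc/subuid somebody   (same for /etc/subgid)
# Returns 0 only if USER has a well-formed range that no other user overlaps.
check_subid() {
    file=$1
    user=$2
    awk -F: -v user="$user" '
        /^[ \t]*$/ { next }                      # ignore blank lines
        NF != 3 || $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ {
            printf "malformed line %d: %s\n", NR, $0
            bad = 1
            next
        }
        { n++; name[n] = $1; lo[n] = $2 + 0; hi[n] = $2 + $3 - 1 }
        END {
            for (i = 1; i <= n; i++) {
                if (name[i] != user) continue
                found = 1
                if (hi[i] < lo[i]) {             # size of 0 grants no IDs
                    printf "%s: empty range at %d\n", user, lo[i]
                    bad = 1
                    continue
                }
                for (j = 1; j <= n; j++) {
                    if (name[j] == user || hi[j] < lo[j]) continue
                    # two inclusive ranges intersect when each starts
                    # no later than the other ends
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "%s: %d-%d overlaps %s %d-%d\n", user, lo[i], hi[i], name[j], lo[j], hi[j]
                        bad = 1
                    }
                }
            }
            if (!found) { printf "%s: no entry\n", user; bad = 1 }
            exit bad + 0
        }' "$file"
}

# Run the check when called with FILE and USER arguments.
if [ "$#" -eq 2 ]; then
    check_subid "$1" "$2"
fi
```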