
    (disclosure: I work on containers, but this is my own opinion and not necessarily that of my employer)

    I don’t really agree that this is “more secure”. The strongest argument here is that podman’s use of fork/exec directly from the command that you run instead of a client/server model makes things more traceable when using auditctl/the Linux audit framework. A better title would be “Podman: A more auditable way to run containers” since that’s the central argument of the article.

    The last section adds a few other, otherwise unrelated, thoughts. SD_NOTIFY and socket activation are both systemd features that are unrelated to security. The portion about “running Podman and containers as a non-root user” is relevant to security, but claiming that you never use root privileges is somewhat imprecise; manipulating the primitives that make up a container (primarily namespaces and filesystem mounts) requires elevated privileges (CAP_SYS_ADMIN) and the podman binary thus either needs setuid or setcap bits.
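The auditability point in the comment above (that a fork/exec model keeps the invoking user's identity on the audit record, while a daemon model does not) can be illustrated by correlating Linux audit `SYSCALL` and `EXECVE` records. The following is an added example, written for this page and not code from the commenter or from the linked article; the two audit events in `SAMPLE_AUDIT_LOG` are constructed, not captured from a real host, and the `key="container-exec"` tag assumes an audit rule of the reader's own choosing.

```python
import re
from typing import Any, Dict, List, Optional

# Constructed sample records in Linux audit log format (not from a real system).
# Event 4201: podman invoked directly by a logged-in user (fork/exec model);
#   the execve SYSCALL record carries the user's login uid (auid=1000).
# Event 4202: a runtime spawned by a root daemon that was started at boot;
#   auid is unset (4294967295) and uid=0, so the requesting user is not recorded.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.123:4201): arch=c000003e syscall=59 success=yes exit=0 ppid=2201 pid=2345 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="podman" exe="/usr/bin/podman" key="container-exec"
type=EXECVE msg=audit(1700000000.123:4201): argc=3 a0="podman" a1="run" a2="alpine"
type=SYSCALL msg=audit(1700000000.456:4202): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=777 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runc" exe="/usr/bin/runc" key="container-exec"
type=EXECVE msg=audit(1700000000.456:4202): argc=2 a0="runc" a1="create"
"""

AUID_UNSET = 4294967295  # (unsigned)-1: no login session, typical for boot-time daemons

# key=value fields; values are either double-quoted strings or bare tokens
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# the serial number inside msg=audit(<timestamp>:<serial>) ties records of one event together
EVENT_ID_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into a dict of fields, adding 'event_id' from the msg serial."""
    fields: Dict[str, str] = {}
    for key, value in FIELD_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    m = EVENT_ID_RE.search(line)
    if m:
        fields["event_id"] = m.group(2)
    return fields


def correlate_events(log_text: str) -> Dict[str, Dict[str, Any]]:
    """Merge the SYSCALL record (who/what) and EXECVE record (argv) of each event."""
    events: Dict[str, Dict[str, Any]] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        ev = events.setdefault(rec["event_id"], {})
        if rec.get("type") == "SYSCALL":
            ev.update({k: rec[k] for k in ("auid", "uid", "exe", "comm", "ses", "tty") if k in rec})
        elif rec.get("type") == "EXECVE":
            argc = int(rec.get("argc", "0"))
            ev["argv"] = [rec.get(f"a{i}", "") for i in range(argc)]
    return events


def attribute_exec(event: Dict[str, Any]) -> Optional[int]:
    """Return the login uid responsible for this execve, or None if audit cannot tell."""
    auid = int(event.get("auid", AUID_UNSET))
    return None if auid == AUID_UNSET else auid


def report(log_text: str) -> List[Dict[str, Any]]:
    """One row per execve event: which binary ran, with what argv, and who can be held responsible."""
    rows = []
    for event_id, ev in sorted(correlate_events(log_text).items()):
        rows.append({
            "event_id": event_id,
            "exe": ev.get("exe"),
            "argv": " ".join(ev.get("argv", [])),
            "uid": ev.get("uid"),
            "login_uid": attribute_exec(ev),
        })
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE_AUDIT_LOG):
        who = (f"login uid {row['login_uid']}" if row["login_uid"] is not None
               else "UNATTRIBUTABLE (auid unset)")
        print(f"{row['event_id']}: {row['exe']} [{row['argv']}] uid={row['uid']} -> {who}")
```

The first event resolves to login uid 1000 with the full `podman run alpine` argv, which is the traceability the comment credits to the fork/exec model; the second carries only `uid=0` and an unset `auid`, so the record cannot say which user asked the daemon to create the container. On a real host the same `SYSCALL`/`EXECVE` pairing is what `ausearch -k <key>` returns for an `auditctl -a always,exit -F arch=b64 -S execve -k <key>` style rule.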