Podman can use unprivileged user namespaces to allow non-root users to start containers. This means that the root inside the container is no longer also the root outside the container. Less root is better, so clearly we should all be running our containers without root, right?
Unfortunately, rootless container networking has some drawbacks (which differ depending on the implementation you use). Can't we start our containers without root to ensure our processes are unprivileged, while still using normal, rooted networking?
Turns out we can! This is the story of how I researched a possibility mentioned on the last slide of a 2021 presentation and in an article on the podman list to use root networking with unrooted podman containers.
Warning: you might learn more than you want about how network namespaces work.
https://sched.co/1MYkl
Please take the opportunity to connect and share this video with your friends and family if you find it useful.
No Comments