> root-less nature of podman

I see this repeated a lot, but it's not the default, it has to be explicitly configured: https://github.com/containers/podman/blob/v3.3.1/docs/tutori...

And in addition to the known upsides, there are some lesser known downsides:

1. There are feature limitations with it: https://github.com/containers/podman/blob/v3.3.1/rootless.md

2. There are security implications, quoting Arch Wiki:

> Warning: Rootless Podman relies on the unprivileged user namespace usage (CONFIG_USER_NS_UNPRIVILEGED) which has some serious security implications, see Security#Sandboxing applications for details.

Also worth noting that Docker itself has a rootless mode as well by now: https://docs.docker.com/engine/security/rootless/

I'm happy that there are Docker alternatives, but I have the feeling that podman has been hyped a lot recently and many articles and comments give the impression that it's more secure by default and without any downsides.
https://people.kernel.org/brauner/runtimes-and-the-curse-of-...
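Since the comment's point is that rootless mode is opt-in and depends on the kernel allowing unprivileged user namespaces, here is an added example (not part of the thread or of podman's own tooling) that a host owner can run to see which situation they are actually in. It assumes `podman info --format '{{.Host.Security.Rootless}}'` is available, reads the standard `/proc/sys/user/max_user_namespaces` knob and the distribution-specific `/proc/sys/kernel/unprivileged_userns_clone` knob where present, and checks `/etc/subuid` for the current user's subordinate ID range, which the rootless tutorial requires. The classification logic is kept in a pure function so it can be exercised with constructed values.

```shell
#!/bin/sh
# Added example: report whether podman on this host really runs rootless
# and whether the kernel feature it depends on (unprivileged user
# namespaces) is enabled. Not from the thread or from the podman project.

# Pure classifier so the decision logic is testable without a real host.
#   $1: podman's Host.Security.Rootless value ("true", "false", or "" if unknown)
#   $2: contents of /proc/sys/user/max_user_namespaces ("" if absent)
#   $3: contents of /proc/sys/kernel/unprivileged_userns_clone
#       ("" if absent; this knob exists only on some distributions)
classify_userns() {
  rootless="$1"; max_ns="$2"; clone="$3"
  case "$rootless" in
    true) ;;
    false) echo "rootful"; return 0 ;;
    *) echo "unknown"; return 0 ;;
  esac
  # Rootless podman cannot create its user namespace if either knob is 0.
  if [ "$max_ns" = "0" ] || [ "$clone" = "0" ]; then
    echo "rootless-but-userns-disabled"
    return 0
  fi
  echo "rootless-userns-enabled"
}

# Does a subuid/subgid-style file body ($2) contain a range for user $1?
# File format is "user:start:count", one entry per line.
has_subid_range() {
  printf '%s\n' "$2" | grep -q "^$1:"
}

# Read a sysctl file, printing "" when it does not exist or is unreadable.
read_or_empty() {
  if [ -r "$1" ]; then cat "$1" 2>/dev/null; else echo ""; fi
}

# Gather real values from the host and print a one-line verdict plus
# whether the invoking user has a subordinate UID range configured.
check_host() {
  rootless=""
  if command -v podman >/dev/null 2>&1; then
    rootless=$(podman info --format '{{.Host.Security.Rootless}}' 2>/dev/null)
  fi
  verdict=$(classify_userns "$rootless" \
    "$(read_or_empty /proc/sys/user/max_user_namespaces)" \
    "$(read_or_empty /proc/sys/kernel/unprivileged_userns_clone)")
  echo "podman mode: $verdict"
  if has_subid_range "$(id -un)" "$(read_or_empty /etc/subuid)"; then
    echo "subuid range for $(id -un): present"
  else
    echo "subuid range for $(id -un): missing (rootless setup incomplete)"
  fi
}

# Run the host check only when executed directly, not when sourced for tests.
case "$0" in
  *sh) ;;
  *) check_host ;;
esac
```

A verdict of `rootful` means the daemon-less claim still holds but the container engine itself runs as root, i.e. the default install the comment describes; `rootless-but-userns-disabled` is the case where an administrator has turned off unprivileged user namespaces (the hardening the Arch Wiki warning alludes to) and rootless podman will not be able to start containers.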