by bootsmann 889 days ago
Glad that podman is getting more traction tbh, too many tools are built with the assumption that people add the sudo docker group, which breaks if you have any kind of security conscious docker setup (such as not blindly giving it root access).

I always find it amusing that the cutting edge future of serverless/containers/etc was built on the back of running a bunch of stuff as root.

Very cool.

I'm trying to get up to speed with docker atm. Is it the applications inside the container that are typically running as root (which people are careless about from a "what's the worst that can happen" attitude?), or is the typical pattern that people are running the docker host process as root (maybe in order to allow the host to expose ports at 80/443 without some reverse proxy/firewall in front of it?)
With the default Docker installation, root in a container is root on the host. uid 1234 is uid 1234 on the host.

With Podman (and Docker rootless), subuids/subgids[1] are _usually_ used. Root in the container is root only within the Linux user namespace. You can map users to real users, including yourself and root - which is how distrobox works, but it's secure by default: your subordinate users can't even access your resources.

The primary limitation of rootless is networking; the kernel doesn't have a built-in way to do rootless networking in the way that you want for containers.

[1]: https://www.man7.org/linux/man-pages/man5/subuid.5.html
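To make the uid mapping described in this comment concrete, here is an added shell example (not from the thread) that applies podman's default rootless layout to a constructed /etc/subuid sample: container uid 0 maps to the user's own host uid, and container uids 1..count map onto the user's subordinate range. The user names, uids and ranges are made up; the rootful Docker function is the identity mapping the comment describes.

```shell
# Constructed sample of /etc/subuid (user:start:count); not read from the system.
SUBUID_SAMPLE='alice:100000:65536
bob:165536:65536'

# Print "start count" of the subordinate uid range for a user, or nothing.
subuid_range() {
    printf '%s\n' "$SUBUID_SAMPLE" | awk -F: -v u="$1" '$1 == u { print $2, $3; exit }'
}

# Map a container uid to the host uid under podman's default rootless layout:
#   container uid 0      -> the unprivileged user's own host uid
#   container uid N>=1   -> start + N - 1, while N <= count
# Prints "unmapped" if N falls outside the range, "no-subuid" if the user has none.
map_uid() {
    user="$1" user_uid="$2" cuid="$3"
    set -- $(subuid_range "$user")
    start="$1" count="$2"
    if [ -z "$start" ]; then
        echo "no-subuid"
    elif [ "$cuid" -eq 0 ]; then
        echo "$user_uid"
    elif [ "$cuid" -ge 1 ] && [ "$cuid" -le "$count" ]; then
        echo $((start + cuid - 1))
    else
        echo "unmapped"
    fi
}

# Contrast: default (rootful) Docker has no user namespace, so uid N is uid N on the host.
map_uid_rootful() { echo "$1"; }

# Demo: root and uid 1234 inside alice's rootless container versus rootful Docker.
echo "root in container -> rootless: $(map_uid alice 1000 0)   rootful: $(map_uid_rootful 0)"
echo "uid 1234 in container -> rootless: $(map_uid alice 1000 1234)   rootful: $(map_uid_rootful 1234)"
```

Compare against `podman unshare cat /proc/self/uid_map` on a real rootless setup to see the same two mapping lines the kernel is actually using.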

Yes, the default is insane. Orgs that took away root from devs two decades ago let some of this stuff slip through.