|
|
|
|
|
|
by ratorx
424 days ago
|
|
|
> the security aspect It’s not a systemd-specific thing, but systemd makes it relatively easy to drop privileges (like network in this case), whilst also allowing socket-activated services to be configured easily. You can probably achieve the same thing with inetd + network namespaces (I think this is what systemd uses under the hood) |
|
|
I wrote a demo: https://www.redhat.com/en/blog/podman-systemd-limit-access
Podman will then not have the privilege to pull the container image, but a web server container can still serve the internet with socket activation.