[feirlane]

What is your opinion on podman rootless containers? In my mind running rootless containers as differe OS users for each application I'm hosting was an easy way of improving security and making sure each of those services could only mess with their own resources. Are there any known issues with that? Do you have experience with Podman? Would love to hear your thoughts

[movedx]

That sounds like a great option to me. The more functionality you can get out of a container without giving up privileges, the better. Podman is just a tool like any other - I'd happily use it if it's right for the job.

All I would say is: can you run that same thing without a containerisation layer? Remember that with things like ChatGPT it's _really_ easy to get a systemd unit file going for just about any service these days. A single prompt and you have a running service that's locked down pretty heavily.

[feirlane]

Yeah I could run them as regular systemd daemons themselves, but I would lose the easy isolation between different services and main OS. Feels easier to limit what the services have access to in the host OS by running them in containers.

I do run the containers as systemd user services however, so everything starts-up at boot, etc

[movedx]

You can isolate and lock down services in systemd too! Not too hard at all, and again AI can help here.

https://www.redhat.com/en/blog/mastering-systemd