Sure, docker-compose is great, but could we get similar functionality using just the tools that are built into CoreOS? Can we get automatic updates, too? Yes we can! 📦
  • hottari@lemmy.mlEnglish
    24·
    1 year ago

    Not sure relying on podman alone as a security tool might be advisable. Podman is a container technology first, security is not the main goal.

    Read more about rootless docker here.

    • Dandroid@dandroid.appEnglish
      2·
      1 year ago

      I never said I was relying on it alone. Not sure why you think that.

      That’s a great link. Thank you for sharing. It’s good that docker supports this functionality now.

      • hottari@lemmy.mlEnglish
        12·
        1 year ago

        I never said I was relying on it alone. Not sure why you think that.

        …all my services aren’t running as root.

        If it turns out a vulnerability is discovered in lemmy tomorrow that allows people to access my server through my lemmy container, the attacker will only have access to a dummy account that hosts my containers.

        This was your argument according to you for why you think podman is more secure (than docker I presume). Seemed to imply rootless podman will save you from an attacker. I was simply disproving the flawed notion.

        • BlueBockser@programming.devEnglish
          1·
          1 year ago

          I think you’re interpreting too much. Security is about layers and making it harder for attackers, and that’s exactly what using a non-root user does.

          In that scenario, the attacker needs to find and exploit another vulnerability to gain root access, which takes time - time which the attacker might not be willing to spend and time which you can use to respond.