Sure, docker-compose is great, but could we get similar functionality using just the tools that are built into CoreOS? Can we get automatic updates, too? Yes we can! 📦
I never said I was relying on it alone. Not sure why you think that.
…
…all my services aren’t running as root.
If it turns out a vulnerability is discovered in lemmy tomorrow that allows people to access my server through my lemmy container, the attacker will only have access to a dummy account that hosts my containers.
This was your argument according to you for why you think podman is more secure (than docker I presume). Seemed to imply rootless podman will save you from an attacker. I was simply disproving the flawed notion.
I think you’re interpreting too much. Security is about layers and making it harder for attackers, and that’s exactly what using a non-root user does.
In that scenario, the attacker needs to find and exploit another vulnerability to gain root access, which takes time - time which the attacker might not be willing to spend and time which you can use to respond.
I never said I was relying on it alone. Not sure why you think that.
…
This was your argument according to you for why you think podman is more secure (than docker I presume). Seemed to imply rootless podman will save you from an attacker. I was simply disproving the flawed notion.
I think you’re interpreting too much. Security is about layers and making it harder for attackers, and that’s exactly what using a non-root user does.
In that scenario, the attacker needs to find and exploit another vulnerability to gain root access, which takes time - time which the attacker might not be willing to spend and time which you can use to respond.