Replacing docker with podman

I have a few docker containers (along with quite a few LXD containers) running on a manjaro powered Laptop. In conjunction with getting started playing with kubernetes I plan to replace docker with podman and wanted to confirm my understanding of the matter is correct thus far.

  1. docker and podman should be able to co-exist on the same host so there is no need to get rid of them or migrate anything.
  2. sudo pacman -Syu podman should be sufficient to get going
  3. LXD plays in a completely different sandbox and likewise no further considerations have to be made in that direction
  4. same (no further considerations required) applies to KVM/libvirt machines

Any comments, confirmations, corrections on the above assumptions would be very much appreciated

I’ve not tried to run both on my system, but I set up podman once to run containers rootless and it’s been working fine.

As always: Arch wiki is an excellent source of information
https://wiki.archlinux.org/title/Podman

Thx, I am aware of that article

There is one comment right at the beginning that sounds a bit contradictory

Rootless Podman

Warning: Podman rootless relies on the unprivileged user namespace usage (CONFIG_USER_NS_UNPRIVILEGED) which has some serious security implications

and then

By default only root is allowed to run containers (or namespaces in kernelspeak). Running rootless Podman improves security as an attacker will not have root privileges over your system, and also allows multiple unprivileged users to run containers on the same machine. See also podman(1) § Rootless mode.

so I am wondering what it is then … more secure or less secure?

I saw a talk from D. Walsh (I believe one of the Red Hat engineers involved with the creation of podman) and he stresses the rootless thing being an advantage over docker several times. So I believe the rootless = more secure doctrine is the right one

Since CONFIG_USER_NS_UNPRIVILEGED is enabled by default, it doesn’t really matter. Only if you disabled it via sysctl or kernel command line.

So rootless is more secure than a container running as root, since the root in the container is not also root on the host.

Before CONFIG_USER_NS_UNPRIVILEGED, it was necessary to be a privileged process to switch the namespace. With CONFIG_USER_NS_UNPRIVILEGED, any process can switch the namespace, if set up. You might see why it increases the so-called attack surface.

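An added example (not from this thread or from the podman project) that makes the last two replies concrete: it parses the /proc/<pid>/uid_map format the kernel uses for user namespaces, so you can see which host uid "root" inside a container really is, and interprets the sysctls an admin might use to disable unprivileged user namespaces. The uid_map contents are constructed samples; the sysctl names are the upstream user.max_user_namespaces and kernel.unprivileged_userns_clone, which only exists on Arch/Debian-patched kernels.

```python
"""Added example: read /proc/<pid>/uid_map and the user-namespace sysctls."""
import os
from typing import Dict, List, Optional, Tuple

IdMap = List[Tuple[int, int, int]]  # (id inside ns, id on host, count)

def parse_id_map(text: str) -> IdMap:
    """Parse the 'inside outside count' triples of a uid_map/gid_map file."""
    triples = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            inside, outside, count = (int(p) for p in parts)
            triples.append((inside, outside, count))
    return triples

def host_id(mapping: IdMap, inside_id: int) -> Optional[int]:
    """Translate an id seen inside the namespace to the host id (None if unmapped)."""
    for inside, outside, count in mapping:
        if inside <= inside_id < inside + count:
            return outside + (inside_id - inside)
    return None

def container_root_is_host_root(uid_map_text: str) -> bool:
    """True when uid 0 in the namespace is also uid 0 on the host (rootful case)."""
    return host_id(parse_id_map(uid_map_text), 0) == 0

def unprivileged_userns_allowed(sysctls: Dict[str, str]) -> bool:
    """Interpret the sysctls that disable unprivileged user namespaces:
    kernel.unprivileged_userns_clone=0 (Arch/Debian-patched kernels) or the
    upstream user.max_user_namespaces=0. A missing key imposes no restriction."""
    if sysctls.get("kernel.unprivileged_userns_clone", "1") == "0":
        return False
    return int(sysctls.get("user.max_user_namespaces", "1")) > 0

# Constructed samples: the identity map a rootful container sees, and the map
# rootless podman sets up from /etc/subuid (uid 0 -> the user's own uid 1000).
ROOTFUL_UID_MAP = "         0          0 4294967295\n"
ROOTLESS_UID_MAP = ("         0       1000          1\n"
                    "         1     100000      65536\n")

if __name__ == "__main__":
    for name, text in (("rootful", ROOTFUL_UID_MAP), ("rootless", ROOTLESS_UID_MAP)):
        print(name, "container root is host root:", container_root_is_host_root(text))
    if os.path.exists("/proc/self/uid_map"):  # mapping of this very process
        print("this process:", parse_id_map(open("/proc/self/uid_map").read()))
```

Run it inside `podman unshare` or inside a rootless container to see the second sample's shape appear for your own process.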