I have a few docker containers (along with quite a few LXD containers) running on a Manjaro-powered laptop. In conjunction with getting started playing with kubernetes I plan to replace docker with podman and wanted to confirm my understanding of the matter is correct thus far.
docker and podman should be able to co-exist on the same host so there is no need to get rid of them or migrate anything.
sudo pacman -Syu podman should be sufficient to get going
LXD plays in a completely different sandbox and likewise no further considerations have to be made in that direction
same (no further considerations required) applies to KVM/libvirt machines
Any comments, confirmations, corrections on the above assumptions would be very much appreciated.
There is one comment right at the beginning that sounds a bit contradictory:
Rootless Podman
Warning: Podman rootless relies on the unprivileged user namespace usage (CONFIG_USER_NS_UNPRIVILEGED) which has some serious security implications
and then
By default only root is allowed to run containers (or namespaces in kernelspeak). Running rootless Podman improves security as an attacker will not have root privileges over your system, and also allows multiple unprivileged users to run containers on the same machine. See also podman(1) § Rootless mode.
So I am wondering what it is then … more secure or less secure?
I saw a talk from D. Walsh (I believe one of the Red Hat engineers involved with the creation of podman) and he stresses the rootless thing being an advantage over docker several times. So I believe the rootless = more secure doctrine is the right one.
Since CONFIG_USER_NS_UNPRIVILEGED is enabled by default, it doesn't really matter. Only if you disabled it via sysctl or kernel command line.
So rootless is more secure than a container running as root, since the root in the container is not also root on the host.
Before CONFIG_USER_NS_UNPRIVILEGED, it was necessary to be a privileged process to switch the namespace. With CONFIG_USER_NS_UNPRIVILEGED, any process can switch the namespace, if set up. You might see why it increases the so-called attack surface.
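To make the two points in that reply concrete (the sysctl that can switch unprivileged user namespaces off, and "root in the container is not root on the host"), here is an added bash example that is not from the thread or from the podman project. It assumes the Arch/Debian-specific `kernel.unprivileged_userns_clone` sysctl may or may not exist, and uses a constructed `uid_map` in the `/proc/<pid>/uid_map` format ("inside-start outside-start count") for a host user with uid 1000 and a `/etc/subuid` entry of `user:100000:65536`.

```bash
#!/usr/bin/env bash
# Added example (not from the forum thread): check whether unprivileged user
# namespaces are available and show how a container uid maps to a host uid.

# Report userns availability from the kernel's sysctl files.
# kernel.unprivileged_userns_clone is an Arch/Debian-specific knob and may be
# absent; user.max_user_namespaces exists on all recent kernels.
userns_status() {
    local clone=/proc/sys/kernel/unprivileged_userns_clone
    local max=/proc/sys/user/max_user_namespaces
    if [ -r "$clone" ] && [ "$(cat "$clone")" = "0" ]; then
        echo "disabled (kernel.unprivileged_userns_clone=0)"
    elif [ -r "$max" ] && [ "$(cat "$max")" = "0" ]; then
        echo "disabled (user.max_user_namespaces=0)"
    elif [ -r "$max" ]; then
        echo "enabled"
    else
        echo "unknown"
    fi
}

# Translate a uid inside the container to the host uid using a uid_map in the
# /proc/<pid>/uid_map format: "<inside-start> <outside-start> <count>" per line.
# Prints the host uid, or "unmapped" when the uid falls outside every range.
map_uid() {
    local uid_map=$1 cuid=$2 inside outside count
    while read -r inside outside count; do
        [ -z "$inside" ] && continue
        if [ "$cuid" -ge "$inside" ] && [ "$cuid" -lt $((inside + count)) ]; then
            echo $((outside + cuid - inside))
            return 0
        fi
    done <<< "$uid_map"
    echo "unmapped"
    return 0
}

# Constructed sample: the map rootless podman sets up for host user uid 1000
# with the /etc/subuid entry "user:100000:65536" (assumed, not from the thread).
SAMPLE_UID_MAP=$'0 1000 1\n1 100000 65536'

echo "unprivileged user namespaces: $(userns_status)"
echo "container root (uid 0) is host uid $(map_uid "$SAMPLE_UID_MAP" 0)"
echo "container uid 1 is host uid $(map_uid "$SAMPLE_UID_MAP" 1)"
echo "container uid 70000 is $(map_uid "$SAMPLE_UID_MAP" 70000)"
```

On a live system the same mapping can be read from `/proc/self/uid_map` inside `podman unshare`; a container uid 0 that maps to your own uid rather than to 0 is the "not root on the host" property the reply describes.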