grvn Posted February 3

Docker Inc. was the first company to give users an easy-to-use way to isolate processes through Linux namespaces, cgroups etc. But its implementation left a lot to be desired when it comes to security and stability. docker runs as a daemon with root access, which means that the daemon is a single point of failure and security has been applied as an add-on. Since docker was released, other companies have implemented a similar kind of easy-to-use way of isolating processes, but have taken the lessons learned from Docker Inc.'s implementation and made more stable and secure implementations. The most common one is podman. Podman is created as a drop-in replacement for docker. You can create an alias "docker" that points to the podman binary and most things will work right out of the box. Unlike docker, podman doesn't use a daemon and can run completely rootless. By giving the users of unraid the ability to use rootless podman instead of docker, you will give the users a more secure and stable platform than the alternative while still giving them the ability to run containerized workloads.
frollard Posted February 5

Given the small heart attack I just had with the leaky-vessel vulnerabilities, podman might be a really smart alternative. URL for the vulnerability, remove if not allowed.

https://www.bleepingcomputer.com/news/security/leaky-vessels-flaws-allow-hackers-to-escape-docker-runc-containers/
T0rqueWr3nch Posted February 6

This is a good recommendation. I never considered that a podman package might actually be available for Slackware. SlackBuilds.org - podman It even supports uid mapping. This would also avoid any conflict with switching over to rootless Docker, since we would no longer have to. Those who wish to stay running on Docker as root can continue to do so without breaking backward compatibility; those who want a little more security could switch over to podman. With some relatively light development, the web GUI frontend of Community Apps could even be configured to allow the optional use of podman (in the future; not necessary for this request).
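The uid mapping mentioned above is what makes "rootless" checkable from the host. The following is an added example, not code from this thread or from the podman or unraid projects: a POSIX sh function that reads the `/proc/<pid>/uid_map` of a process inside a container and reports whether container uid 0 is mapped to host root (rootful daemon) or to an unprivileged host uid (rootless podman). The sample maps are constructed; the pid you would read on a real system is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): classify a container's user namespace
# from /proc/<pid>/uid_map. Each line is "inside-uid outside-uid count".
# Rootless podman maps container uid 0 to the unprivileged user running it
# (e.g. "0 1000 1") and the rest to a subuid range (e.g. "1 100000 65536").
# A rootful daemon leaves the identity map "0 0 4294967295", so root inside
# the container is root on the host.
classify_uid_map() {
    map="$1"
    verdict=unmapped
    while read -r inside outside count; do
        # skip blank lines and anything that is not three non-negative integers
        for f in "$inside" "$outside" "$count"; do
            case "$f" in ''|*[!0-9]*) continue 2 ;; esac
        done
        # the first range that covers container uid 0 decides the verdict
        if [ "$inside" -eq 0 ] && [ "$count" -gt 0 ]; then
            if [ "$outside" -eq 0 ]; then verdict=rootful; else verdict=rootless; fi
            break
        fi
    done <<EOF
$map
EOF
    echo "$verdict"
}

# constructed sample maps, in the layout of: cat /proc/<container-pid>/uid_map
ROOTLESS_MAP='         0       1000          1
         1     100000      65536'
ROOTFUL_MAP='         0          0 4294967295'

classify_uid_map "$ROOTLESS_MAP"   # rootless
classify_uid_map "$ROOTFUL_MAP"    # rootful
```

On a live host, `classify_uid_map "$(cat /proc/<pid>/uid_map)"` for a container's process gives the same verdict; "unmapped" means no range covered uid 0 and the file deserves a manual look.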