undefined | Better HN

0 pointsjazzyjackson2y ago0 comments

I'm trying to get up to speed with docker atm, is it the applications inside the container that are typically running as root (which people are careless about from a "whats the worst that can happen" attitude?) or is the typical pattern that people are running the docker host process as root (maybe in order to allow the host to expose ports at 80/443 without some reverse proxy/firewall in front of it?)

0 comments

zamalek2y ago

With the default Docker installation, root in a container is root on the host. uid 1234 is uid 1234 on the host.

With Podman (and Docker rootless), subuids/subgids[1] are _usually_ used. Root in the container is root only within the Linux user namespace. You can map users to real users, including yourself and root - which is how distrobox works, but it's secure by default: your subordinate users can't even access your resources.

The primary limitation of rootless is networking, the kernel doesn't have a built-in way to do rootless networking in the way that you want for containers.

[1]: https://www.man7.org/linux/man-pages/man5/subuid.5.html

steveBK1232y ago

Yes the default is insane. Orgs that took away root from devs two decades ago let some of this stuff slip through..

j / k navigate · click thread line to collapse