One of the big selling points of Podman is its support for rootless containers. There are a few arguments made for this, but the most significant appeal (IMHO) is that a developer can easily start up a container as a non-privileged user without needing an arrangement like Docker's persistent daemon with a socket the non-root user can write to, which opens up risks of privilege escalation.

For my use-case I don't think there are many advantages to rootless containers, and there may be drawbacks:

  • user namespacing and isolation between independent rootless containers
  • network arrangement
  • can they connect to a bridge network?
  • slirp4netns: user-mode TCP/IP network stack, with a TAP network device connected to it
  • performance?
  • benchmarks (2018): https://github.com/rootless-containers/slirp4netns#iperf3-netns---host
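
As an added example (not from this post or from the Podman project), a POSIX shell script that makes the user-namespacing point above concrete: it translates a container UID to the host UID using the uid_map format the kernel exposes in /proc/<pid>/uid_map, and checks whether the same container UID in two rootless containers lands on the same host UID. The uid_map text is a constructed sample for a host user 1000 who owns a 65536-entry subuid range; the function names are my own.

```shell
#!/bin/sh
# Constructed sample of /proc/<pid>/uid_map for a rootless container started
# by host user 1000, who owns the subuid range 100000-165535 in /etc/subuid.
# The live map for your own user is printed by: podman unshare cat /proc/self/uid_map
# Columns: first ID inside the namespace, first ID on the host, length of range.
SAMPLE_UID_MAP='         0       1000          1
         1     100000      65536'

# map_uid CONTAINER_UID UID_MAP_TEXT
# Prints the host UID that CONTAINER_UID is mapped to, or "unmapped" when the
# namespace has no entry for it (the kernel then presents the overflow UID,
# 65534 by default, i.e. "nobody").
map_uid() {
    cuid=$1
    result=unmapped
    while read -r inside outside count; do
        [ -z "$inside" ] && continue
        if [ "$cuid" -ge "$inside" ] && [ "$cuid" -lt $((inside + count)) ]; then
            result=$((outside + cuid - inside))
            break
        fi
    done <<EOF
$2
EOF
    printf '%s\n' "$result"
}

# shares_host_uid MAP_A MAP_B CONTAINER_UID
# Exit 0 when CONTAINER_UID in two rootless containers maps to the same host
# UID, i.e. the two containers are not isolated from each other by UID.
# Podman hands every container of one user the same subuid range by default,
# so for two containers of the same user this is normally true.
shares_host_uid() {
    a=$(map_uid "$3" "$1")
    b=$(map_uid "$3" "$2")
    [ "$a" != unmapped ] && [ "$a" = "$b" ]
}

# Demonstration: container root is just the unprivileged host user, container
# UID 1 is the first subuid, and anything past the range is unmapped.
map_uid 0 "$SAMPLE_UID_MAP"      # 1000
map_uid 1 "$SAMPLE_UID_MAP"      # 100000
map_uid 70000 "$SAMPLE_UID_MAP"  # unmapped
```

The second function is what the isolation question boils down to: two containers from the same user can see each other's files with matching ownership on a shared host directory unless they are given distinct ranges (Podman's --userns/--uidmap options).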

fuse-overlayfs (user-mode)

a non-privileged user can start up a container and the container runtime is never privileged. However for my use-case,

launch containers as root (not using rootless)

adv/dis

need slirp4netns to provide user-mode networking (unprivileged network namespaces)

not comparing to native, CI apparently runs a benchmark job but I can't see it
