Hi all !
As of today, I am running my services with rootless podman pods and containers. Each functional stack gets its dedicated user (user cloud runs a pod with nextcloud-fpm, nginx, postgresql…) with user mapping. Now, my thought were that if an attack can escape a container, it should be contained to a specific user.
Is it really meaningful ? With service users’ home setup in /var/lib, it makes a lot of small stuff annoying and I wonder if the current setup is really worth it ?
I am already running rootless podman. My question is more about dedicated service users vs single user to run everything, still in rootless podman. I like podman and its integration with systemd to manage the life cycle of the container compared to docker.