Hi all !

As of today, I am running my services with rootless podman pods and containers. Each functional stack gets its dedicated user (user cloud runs a pod with nextcloud-fpm, nginx, postgresql…) with user mapping. Now, my thought were that if an attack can escape a container, it should be contained to a specific user.

Is it really meaningful ? With service users’ home setup in /var/lib, it makes a lot of small stuff annoying and I wonder if the current setup is really worth it ?

  • Justin@lemmy.jlh.nameEnglish
    1·
    1 day ago

    It’s not going to make a meaningful difference in your threat model and it will cause a lot of hassle for extra configuration and broken docker images, so I wouldn’t bother.

    There is some nice tooling for transparent user name spaces coming down the pipeline in Kubernetes which will be a nice 0-effort security upgrade, but if you don’t have the tooling, I would say it’s not worth it.

    https://kubernetes.io/docs/concepts/workloads/pods/user-namespaces/

    • mel ♀@jlai.luOPEnglish
      1·
      1 day ago

      I guess I will try with a k3s on my workstation, but for a single NAS, I am not sure any kubernetes distribution is useful for now :)

      • Justin@lemmy.jlh.nameEnglish
        1·
        13 hours ago

        Kubernetes is great for single nodes! It definitely is more advanced than docker compose, but it’s actually not hard at all if you read through the documentation. It definitely makes running containers easier in the long run.

        Here is my git repo for my big Kubernetes cluster at home: https://codeberg.org/jlh/h5b/src/branch/main/argo/custom_applications

        It started out as just a NFS server and a Kubernetes server running on Proxmox in 2021.