What is wrong with rootless?
One of the benefits of podman is supposed to be that you don't have to run containers as root. However, the section on enabling this has a cryptic warning about the security implications of unprivileged user namespaces. It has a link that claims to have details, but the link goes to https://wiki.archlinux.org/title/Security#Sandboxing_applications which is another pair of cryptic warnings, with yet another link "for details". But that final link is a bug report with a long discussion going back to 2013.
What exactly is the point here? Are rootless containers not more secure than root containers? Or are they more secure, but create other security holes that root containers don't have? What exactly are these security holes? It would be nice to have a brief summary of how it relates to the context of this article. Ujones (talk) 01:38, 14 October 2021 (UTC)
Additional dependencies needs an update
The rootless dependency
It's obsolete if you use btrfs and use it in the config file.
The second one isn't needed if you use netavark with podman >= 4.0. The linked upstream docs are outdated as well.
- Somewhat related: passt was added as an optional dependency with the description "for alternative rootless network support". I have no idea how it works, but maybe it should be explained here?
- Iizuki (talk) 10:23, 19 May 2023 (UTC)
Troubleshoot: Add pause to process
I stumbled upon this when I saw
Failed to add pause process to systemd sandbox cgroup: write unix @: sendmsg: broken pipe
in my logs. Unfortunately, the suggested fix does not help and returns
bash: echo: write error: Invalid argument
This seems to be due to systemd being the cgroup governor. Therefore, one cannot simply edit /sys/fs/cgroup/cgroup.subtree_control. Still, I tried to find the correct systemd way of adding the controllers to the cgroups, but I wasn't able to find a definitive answer. Anyway, I guess the suggested fix should be updated; I just don't know how.
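Added example (editor's addition, not from this wiki page or from podman): when systemd manages the cgroup v2 tree, the question for a rootless user is not whether cgroup.subtree_control is writable but which controllers systemd has delegated to the user's own manager, and this script reports that. It assumes the unified hierarchy is mounted at /sys/fs/cgroup and that the user manager's cgroup lives at the usual user.slice/user-UID.slice/user@UID.service path.

```sh
#!/bin/sh
# Added example: report which cgroup v2 controllers systemd has delegated to
# the current user's manager (user@UID.service). Rootless podman can only use
# controllers that appear in that unit's cgroup.controllers file.
# Assumption: cgroup v2 mounted at /sys/fs/cgroup with the standard systemd layout.

# Path of the cgroup.controllers file for a numeric UID.
user_controllers_file() {
    printf '/sys/fs/cgroup/user.slice/user-%s.slice/user@%s.service/cgroup.controllers\n' "$1" "$1"
}

# Print the space-separated controller list from a cgroup.controllers file.
# Prints nothing and returns 1 if the file is absent or unreadable.
delegated_controllers() {
    [ -r "$1" ] || return 1
    tr -s ' \n' '  ' < "$1" | sed 's/ *$//'
}

# Given a cgroup.controllers file and a list of wanted controllers,
# print the wanted controllers that are NOT delegated, one per line.
missing_controllers() {
    file=$1
    shift
    have=" $(delegated_controllers "$file" || :) "
    for want in "$@"; do
        case "$have" in
            *" $want "*) ;;                 # delegated, nothing to report
            *) printf '%s\n' "$want" ;;     # not delegated
        esac
    done
}

# Check the controllers rootless podman commonly needs for the current user.
# Returns 0 when all are delegated, 1 otherwise (listing the missing ones).
check_current_user() {
    f=$(user_controllers_file "$(id -u)")
    printf 'delegated: %s\n' "$(delegated_controllers "$f" || echo '(none: no systemd user manager cgroup found)')"
    missing=$(missing_controllers "$f" cpu cpuset io memory pids)
    [ -z "$missing" ] && return 0
    printf 'not delegated:\n%s\n' "$missing"
    return 1
}

# Stand-alone run; never fails the script so the functions can also be sourced.
check_current_user || :
```

Controllers reported as "not delegated" are the ones a rootless container cannot be limited by, which is worth knowing before trying to make the cgroup writable by hand.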