This chapter covers
- Securing running applications on different standalone servers, inside different VMs and containers
- Running a container via a service versus as a child of the container engine via fork and exec
- Linux security features used to keep containers isolated from each other
- Setting up container image trust
- Signing images and trusting them
In this chapter, I review and demonstrate some additional security considerations when using Podman to run containers. Some of the content was covered in other chapters, but I think it is useful to concentrate on these features from a security perspective.
One of the most frequent problems I see with people running containers is that when the container process is denied some access, the user’s first reaction is to run the container in --privileged mode, which turns off all security separation for your container. Understanding how to deal with the security features discussed in this chapter helps you avoid this.