chapter six

6 Rootless containers

This chapter covers

  • Why rootless mode is more secure
  • How Podman works with the user and mount namespace
  • The architecture of Podman running in rootless mode

I take a deep dive into what is going on when running Podman in rootless mode. I believe it is helpful to understand what is happening when you run rootless containers and to learn about the issues that running in rootless mode can cause.

With the introduction of containerized applications over the last few years, certain highly secure environments were not able to take advantage of the new technology.

High performance computing (HPC) systems are the fastest computers in the world. They tend to be run by national labs and universities and deal with highly sensitive information. They handle some of the most secure data in the world and expressly forbid the use of rootful containers. HPC systems deal with huge data sets, for workloads such as artificial intelligence, nuclear weapons research, global weather modeling, and medical research. These systems tend to consist of thousands of shared computers, and because they are multi-user shared environments they need to be locked down. The HPC community considers daemons running as root too insecure: if a rogue container process breaks out of confinement and gains root access, it can access highly sensitive data. Administrators of HPC environments couldn't use Open Container Initiative (OCI) containers until Podman came along. The HPC community is now working to move to rootless Podman.
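As an added example (not from the book), the shell snippet below shows the mechanism behind that security argument: in a rootless container, UID 0 is translated by the kernel's user namespace uid_map to an unprivileged host UID, so a process that escapes confinement is not host root. It works from a constructed sample map (assuming a user with UID 1000 and an assumed /etc/subuid range of 100000:65536) and, when podman is installed, also reads the live map via `podman unshare`.

```shell
# Each uid_map line reads: <first UID inside ns> <first UID on host> <count>.
# Constructed sample of what `podman unshare cat /proc/self/uid_map` shows
# for a rootless user with UID 1000 and subuid 1000:100000:65536 (assumed).
SAMPLE_UID_MAP='0 1000 1
1 100000 65536'

# map_uid MAP CONTAINER_UID -> prints the host UID that CONTAINER_UID
# becomes, or "unmapped" if no range covers it (an image file owned by
# such a UID cannot be represented on the host and the pull fails).
map_uid() {
    printf '%s\n' "$1" | awk -v id="$2" '
        NF == 3 && id >= $1 && id < $1 + $3 {
            print $2 + (id - $1); found = 1; exit
        }
        END { if (!found) print "unmapped" }'
}

# container_root_is_unprivileged MAP -> succeeds (exit 0) when container
# UID 0 maps to a non-zero host UID, i.e. "root" inside is not root outside.
container_root_is_unprivileged() {
    host_root=$(map_uid "$1" 0)
    [ "$host_root" != "0" ] && [ "$host_root" != "unmapped" ]
}

# Live check, only when podman is available; otherwise use the sample.
if command -v podman >/dev/null 2>&1; then
    live_map=$(podman unshare cat /proc/self/uid_map 2>/dev/null) || live_map=""
else
    live_map=""
fi
[ -n "$live_map" ] || live_map=$SAMPLE_UID_MAP

if container_root_is_unprivileged "$live_map"; then
    echo "container root -> host UID $(map_uid "$live_map" 0) (rootless)"
else
    echo "container root -> host UID 0 (rootful)"
fi
```

A rootful container's map is a single identity line such as `0 0 4294967295`, which the same function classifies as rootful.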

6.1 How does rootless Podman work?

6.1.1 Images contain content owned by multiple user identifiers (UIDs)

6.2 Rootless Podman under the covers

6.2.1 Pulling the image

6.2.2 Creating a container

6.2.3 Setting up the network

6.2.4 Starting the container monitor - conmon

6.2.5 Launching the OCI runtime

6.2.6 The containerized application runs until completion

6.3 Summary