Which user to start containers as?

[mcdent]

Hey,
So far I've been running all my podman containers as a regular user, most things seem fine (apart from containers exiting but I think that may be to do with me not having that user set to 'linger')
Anyway, I have read that it's better to start the containers with sudo. I'd like to know if that is best practise or, is what I am doing if ok?
(I am using RHEL 9 with the build in podman)

Thanks!

[vrothberg]

Thanks for reaching out, @mcdent!

I recommend running rootless containers for security reasons. Can you share where you've read that running rootful containers (i.e., with sudo) is better?

Cc: @rhatdan

[mcdent]

Thanks @vrothberg for the life of me I cannot find it now! (I must have dreamt it)
If I do find it I will update here, but thanks, at least I am doing things the correct way.
I assumed podman was designed to be run without root anyway, so using sudo may be contra to its principles.

[afbjorklund]

There was a discussion that you might want to run it as root for performance reasons.

• Just curious: has anyone done a build performance comparison between podman and docker? #15819

[rhatdan]

I have an article that I have no published yet, on this subject.
Running a container without being real root is better. Rootless containers do this by default. The problem is if you run multiple rootless containers as a service, they will all run in the same user namespace. Running them with --userns=auto is much better, except in rootless containers this is difficult to setup.
I believe that running containers as root for this use case is often better if each container runs with a separate user namespace.

A big caviat on this, and why I have not published, is pulling an image as root is more dangerous then pulling a container image as rootless, in that podman is running as root and could write anywhere. I would love to see us use LandLock to better help us protect against the risk of root pulling an image.