Podman: Daemonless to Rootless

Podman: Daemonless to Rootless

The development and deployment of applications has been transformed by containerization. A daemon process is used by the well-known containerization technology Docker to manage containers. This daemon is useful, but it poses a security risk because it operates with root capabilities.

This article examines Podman, a more secure container management solution that is a lightweight substitute for Containers.

By default, when you use docker, a daemon named root starts all of your containers. You can also run it without root privileges (https://docs.docker.com/engine/security/rootless/), but doing so would require having a different daemon for every user you wish to run containers as.
Podman is devoid of that. It may create containers as root or rootless, and it does it without the assistance of a controlling daemon.

Daemons are background programs that carry out the labor-intensive tasks of running containers without a user interface. Consider daemons as the go-betweens that facilitate communication between the user and the container.

Security Engineer's Nightmare 😖:-

Many daemons run with root privileges. The root account functions as a superuser in Linux systems, granting unrestricted access. Because of this, attackers looking to take over containers and gain access to the host system—possibly compromising the entire infrastructure—will find rogue daemons to be a prime target."

Rootless Podman

Podman removes the daemon "daemonless" and enables rootless containers, which let users run containers without having to deal with a root-owned daemon. Going rootless lowers security risks in your container system by enabling users to create, operate, and manage containers without requiring processes to have administrator capabilities. Podman launches each container with a security-enhanced Linux (SELinux) label.

But Containers can either be run by root or by a non-privileged user.

How Podman manages Containers?

Let's start by quoting the below from Podman Docs [https://docs.podman.io/en/latest/]

Containers under the control of Podman can either be run by root or by a non-privileged user. Podman manages the entire container ecosystem which includes pods, containers, container images, and container volumes using the libpod library. Podman specializes in all of the commands and functions that help you to maintain and modify OCI container images, such as pulling and tagging. It allows you to create, run, and maintain those containers and container images in a production environment.

Podman uses an OCI compliant Container Runtime (runc, etc) to communicate with the operating system and generate the running containers, just as other popular Container Engines (Docker, CRI-O, containerd). Because of this, the containers that are currently running that were made by Podman are almost identical to those made by any other popular container engine.

So Daemonless then what ?

Podman uses systemd, the Linux system and service manager, to communicate directly with the system. As a result, persistence and control are guaranteed even after a reboot, enabling Podman to administer containers as system services.

Podman is a reliable and safe way to manage your containerized apps since it does not require a privileged daemon and uses systemd for communication.

This is only the very beginning! We'll take a closer look at Podman's features and the realm of containers to learn more about them.