PodMan, the future for rootless containers
hiro:
i agree chroot doesn't add much separation, and i agree docker's security model is mostly non-existent, but i do not agree that podman's "rootless" "innovation" gets you where you want to be either.
the complexity they are adding to the kernel for podman's "security" framework is hard to manage; the kernel has not been built with this in mind, and the result is mostly hacks that nobody understands. what seems like a useful abstraction to the user is in fact a huge leaky mess, and nobody should rely on it being safe.
it might seem that, since podman consists of many layers and many people wasted much time building them, you have done enough research to pick this software and sleep in peace at night. but that is not the case.
qemu/kvm style virtualization might also not have been ever intended for security, and yet it's much closer to what you are expecting here.
if you *really* cared about security though, you'd separate your security domains into multiple dedicated machines and ignore all promises by container and virtualization people.
process virtualization is great if you don't want an application to crash your whole system (all other applications, your kernel, ...).
containerization is a hack around the fact that dynamic linking has failed everyone: poor glibc man's static linking.
gadget42:
@hiro, thanks for relating your thoughts! definitely along the same lines as a bit older post by you (mostly regarding bloat as opposed to security): https://forum.tinycorelinux.net/index.php/topic,27521.msg177417.html#msg177417
have you ever poked around EasyOS by Barry Kauler? i seem to recall he does something "container-wise" in it.
hiro:
haha, i forgot about that weird old ramble.
never heard of easyos.
btw my chroot of alpine on top of an ANCIENT tinycorelinux is still going strong. ;)
gadget42:
--- Quote from: hiro on September 30, 2025, 05:17:23 AM ---haha, i forgot about that weird old ramble.
...
--- End quote ---
tbqh, i enjoyed rereading that entire thread
nick65go:
Hi @hiro, thanks for your feedback. I am still searching for an "ideal" separation; "Qubes OS" not tried yet :)
I may read docs on Linux's shortcomings versus FreeBSD's natural jail.