I've recently been reading a lot of articles on various container runtimes and sandboxing techniques. It seems that rootless mode is a good start, but it's implemented differently by different tools, which have security tradeoffs. Then there are also the different options for sandboxing that various applications provide: gVisor, Apptainer, SELinux, etc.
It would be helpful to have an article that makes a recommendation for the most secure way of implementing rootless mode along with the better sandboxing options.
Essentially, an article that would help the interested-in-containers-but-don't-want-to-become-a-container-expert system administrator make good choices on the best tools to implement containers.
For example, is rootless Podman + the default SELinux policies sufficient for a multi-user system running potentially untrusted containers and workloads? Or is additional sandboxing with Apptainer and/or gVisor recommended?
I realize that the recommendation is going to vary based on use case, but a summary of the currently recommended best practices for "good security", plus options & tradeoffs for additional security, would be helpful IMO.
Thanks for your work on these docs and consideration of this issue.