docker

podman rootless (and docker rootless) - bits and bobs

Backstory: Recently I helped someone out online (by providing a tiny pointer) with rootless containers and I realized that I might have some useful pointers (bits and bobs). These are somewhat related to my previous blog post about JFrog - Xray and Insight. In the last couple of years, I have had experience with running OCI (Open Container Initiative) compliant rootless containers with podman rootless and sometimes with docker rootless. Most docker-compose files and how-tos online focus on the rootful variants, which you definitely do not want.

JFrog - Xray and Insight - rootless

JFrog is probably mostly known because of their software product: Artifactory (artifact management software). But they also provide other pieces of software which integrate with Artifactory. For example they have XRay (security essentials) and Insight (DevOps intelligence tool). Recently I was able to play around with both XRay and Insight (together with a good friend) to get those Java tools to run on a hardened Linux server, as a proof of concept.

podman unshare - docker rootless - nsenter

Ever since I switched to podman, I have really appreciated the rootless setup. Something about increased security. Recently I had to help someone out with docker rootless and I was really missing podman unshare, which is basically podman's unshare subcommand. Luckily something similar exists which can be used for docker rootless, namely nsenter. To execute a command in the namespaces of the docker rootless daemon, you can use this:

nsenter -U --preserve-credentials -n -t $(pgrep dockerd) somecommand

Docker rootless - one masquerading bug to rule them all

Preferably I use podman, but sometimes you are forced to use docker. Ideally you then switch to docker rootless, because of, well, security. I noticed that the docker rootless installation instructions are not ideal (i.e. they contain a bug). It took me a while to figure it out, but I wanted to share it. Especially since this might mean more people (who explicitly want or need to run docker) can run docker more safely (rootless).