Hey everyone,
I'm working on my VPS and want to create a separate user for managing the CI/CD pipeline of my project. This includes rebuilding Docker images and restarting containers. However, I'm concerned about security and don't want to add this user to the sudo group or the docker group due to the risks involved. I've come across the option of using Docker Rootless. Am I on the right track with this approach?
2 Answers
If you really want to keep your user from having root access, then using Docker Rootless is definitely a step in the right direction. Just know that it relies on specific kernel features that not all distributions support out of the box, which can expose you to some risks if not managed carefully.
While Docker Rootless can help you avoid giving out root access, it’s not always smooth sailing. Many users find that running Docker in a rootless mode can lead to a lot of headaches in terms of maintenance. Also, just switching to rootless doesn’t automatically fix all security concerns. You might want to check out Podman as an alternative—it could serve your needs better without the hassle.
What do you think would be considered best practice in this scenario? It’s just a small web app for my portfolio, mainly static content and a mail server running via Docker.