Hey everyone! I'm setting up a CI/CD pipeline for my project on my VPS and I want to use a separate user for managing it. My goal involves rebuilding Docker images and restarting containers, but I'm concerned about security. I don't want to add this user to the sudo or docker groups due to the risks involved. I've come across Docker Rootless as a potential solution. Is this the best way to go? Am I thinking about this correctly?
2 Answers
Honestly, Docker Rootless can be a pain to maintain long-term. It won’t magically fix all your security issues, so keep that in mind. Have you considered using Podman instead? A lot of folks find it easier for rootless container management.
Using rootless is definitely a good option if you want to limit root access. But remember, it relies on a kernel feature that permits unprivileged users to create a user namespace, which can be a bit risky since it has known vulnerabilities. You might want to check if your distro has this feature enabled by default.
What do you recommend as best practices then? It feels like every option has its own risks.
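The distro check mentioned in the second answer can be scripted. This is an added example, not part of the original thread: it reads the mainline `user.max_user_namespaces` knob, the Debian/Ubuntu-patched `kernel.unprivileged_userns_clone`, and Ubuntu's `kernel.apparmor_restrict_unprivileged_userns`, then counts the subordinate UIDs that rootless mode needs for the pipeline user. The user name `ci` and the function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: report whether unprivileged user namespaces are usable on
# this host, and whether the CI user has a subordinate UID range.

# Print a sysctl value from its /proc/sys file, or a default if the knob is absent.
sysctl_val() { if [ -r "$1" ]; then cat "$1"; else echo "$2"; fi; }

# userns_status [PROC_SYS_ROOT] -> unsupported | disabled | restricted | enabled
userns_status() {
    root="${1:-/proc/sys}"
    # Mainline limit on user namespaces; 0 turns the feature off entirely.
    max=$(sysctl_val "$root/user/max_user_namespaces" missing)
    # Debian/Ubuntu-patched kernels: 0 blocks unprivileged creation.
    clone=$(sysctl_val "$root/kernel/unprivileged_userns_clone" 1)
    # Ubuntu AppArmor: 1 limits creation to processes with an allowing profile.
    aa=$(sysctl_val "$root/kernel/apparmor_restrict_unprivileged_userns" 0)

    if [ "$max" = missing ]; then echo unsupported
    elif [ "$max" = 0 ] || [ "$clone" = 0 ]; then echo disabled
    elif [ "$aa" = 1 ]; then echo restricted
    else echo enabled
    fi
}

# subid_count USER [FILE] -> total subordinate IDs assigned to USER.
# Lines have the form name:start:count; rootless Docker expects at least 65536.
subid_count() {
    user="$1"; file="${2:-/etc/subuid}"
    if [ ! -r "$file" ]; then echo 0; return; fi
    awk -F: -v u="$user" '$1 == u { n += $3 } END { print n + 0 }' "$file"
}

# "ci" is a hypothetical account name; override with CI_USER=<name>.
ci_user="${CI_USER:-ci}"
echo "unprivileged user namespaces: $(userns_status)"
echo "subordinate UIDs for $ci_user: $(subid_count "$ci_user")"
```

A result of `enabled` means any local account can create user namespaces, which is the exposure the answer refers to; `restricted` or `disabled` means rootless mode needs extra configuration before it will start.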