Podman or rootless docker? - eviltoast

I’m moving to a new machine soon and want to re-evaluate some security practices while I’m doing it. My current server is debian with all apps containerized in docker with root. I’d like to harden some stuff, especially vaultwarden but I’m concerned about transitioning to podman while using complex docker setups like nextcloud-aio. Do you have experience hardening your containers by switching? Is it worth it? How long is a piece of string?

  • brewery@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 month ago

    pastebin.com/DiHX2vg2

    Hopefully this works and you can see the compose file. I’ve put a few things in [square brackets] to hide some stuff, probably overly cautiously. I have an external network linked to NPM and in that, I use nextcloud-server for IP address and 80 for the port (it’s the inside container port, not 8080 on the system - that took me a long time to figure out!). Add a .env file with everything referenced in the compose file, then (hopefully!) Away you go

    • bigdickdonkey@lemmy.caOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 month ago

      Thanks for sharing this! It also took me a while to understand the difference between the Expose dockerfile command and the --publish cli command