Title. Just curious since apparently cap_drop=all means that the container “can’t do a thing” (?). Root users are (also) included in this (?). That’d be great if someone could enlighten me on this topic.

Thanks in advance.

  • @[email protected]
    link
    fedilink
    121 year ago

    Security is all about layers. I’m not familiar with the exact process difference, but even without capabilities, its still running as the root user. I believe, I haven’t investigated rootless docker that much.

    Podman, for example, can run entirely rootless and daemonless. So it offers one more layer that if something breaks out of its namespace, the user the service is running as can be something without useful permissions adding an extra layer to be able to cause harm.

    Nothing is perfect, but having one more layer approach can be useful, depending in what your threat model is.