Comment # 7 on bug 1186158 from
The use case that I have and think others might as well is the following: I'd
like to run my containers with as few privileges as possible. This is for
security reasons. Therefore I run my containers as an ordinary user and not as
root. Podman has decent support for this. In order to support multiple
containers I'd like to use a proxy. My choice is traefik. Since I run my
containers as an unprivileged user I must run traefik as the same user, because
of namespaces. One feature of traefik is dynamic configuration of containers
and it needs access to /var/run/podman/podman.sock. Now, security-wise you
probably don't want to give traefik direct access to that socket. You put
something in between that restricts traefik's access, i.e. read-only to a subset
of the API. However, this proxy would require the same level of access to the
socket.

In short: traefik could use the podman.sock to learn about running containers.
However, because containers running as an unprivileged user require traefik to
be run as the same unprivileged user, it must be able to access podman.sock as
the unprivileged user.

One thing to note though is that if I had another privileged user, that
user would not be able to access the namespaces of the other unprivileged user.
Just like root and non-root users cannot use each other's namespaces,
unprivileged users cannot use them amongst themselves either.

If you run containers as an unprivileged user, and you run as root: podman
container ls, you will see containers created as root and not any containers
owned by other users.
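
The "something in between" that the comment describes, as an added example that is not part of the original comment: the allow/deny decision a filtering proxy could make on each request before relaying it to podman.sock. The endpoint list (Docker-compatible read-only paths) and the name `decide` are assumptions made for illustration.

```python
import re

# Assumption: read-only, Docker-compatible endpoints that a discovery-only
# client needs. Adjust to what your reverse proxy actually requests.
ALLOWED_GET = [re.compile(p) for p in (
    r"^/_ping$",
    r"^/version$",
    r"^/events$",
    r"^/containers/json$",
    r"^/containers/[A-Za-z0-9_.-]+/json$",
)]
# Optional API version prefix such as /v1.41, stripped before matching.
VERSION_PREFIX = re.compile(r"^/v\d+(?:\.\d+){1,2}(?=/)")

def decide(request_head: bytes):
    """Return (allowed, reason) for one raw HTTP/1.x request head."""
    try:
        line = request_head.split(b"\r\n", 1)[0].decode("ascii")
        method, target, proto = line.split(" ")
    except ValueError:  # wrong field count or non-ASCII bytes
        return False, "malformed request line"
    if not proto.startswith("HTTP/1."):
        return False, "unsupported protocol"
    if method not in ("GET", "HEAD"):
        return False, "method not read-only"
    path = target.split("?", 1)[0]
    # Refuse anything the backend might normalise differently than we do.
    if not path.startswith("/") or any(s in path for s in ("..", "//", "%", "#")):
        return False, "non-canonical path"
    # Connection upgrades and chunked bodies have no place in read-only discovery.
    lowered = request_head.lower()
    if any(h in lowered for h in (b"\r\nupgrade:", b"\r\ntransfer-encoding:")):
        return False, "upgrade or request body not permitted"
    path = VERSION_PREFIX.sub("", path, count=1)
    if any(p.match(path) for p in ALLOWED_GET):
        return True, "allowed"
    return False, "endpoint not on allowlist"

# Constructed sample requests, not captured traffic.
SAMPLES = [
    b"GET /v1.41/containers/json?all=1 HTTP/1.1\r\nHost: p\r\n\r\n",
    b"POST /v1.41/containers/create HTTP/1.1\r\nHost: p\r\n\r\n",
    b"GET /v1.41/containers/abc/../../images/json HTTP/1.1\r\nHost: p\r\n\r\n",
    b"GET /events HTTP/1.1\r\nHost: p\r\nUpgrade: tcp\r\n\r\n",
]
if __name__ == "__main__":
    for s in SAMPLES:
        print(decide(s), s.split(b"\r\n", 1)[0].decode())
```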

