[Bug 1186158] SElinux is blocking podman socket access to /var/run/podman/podman.sock
https://bugzilla.suse.com/show_bug.cgi?id=1186158
https://bugzilla.suse.com/show_bug.cgi?id=1186158#c7

--- Comment #7 from G.M. Venekamp <gm.venekamp@quicknet.nl> ---

The use case that I have, and think others might have as well, is the following:

I'd like to run my containers with as little privilege as possible. This is for security reasons. Therefore I run my containers as an ordinary user and not as root. Podman has decent support for this. In order to support multiple containers I'd like to use a proxy. My choice is traefik. Since I run my containers as an unprivileged user I must run traefik as the same user, because of namespaces. One feature of traefik is dynamic configuration of containers, and it needs access to /var/run/podman/podman.sock.

Now, security wise you probably don't want to give traefik direct access to that socket. You put something in between that restricts traefik's access, i.e. read-only access to a subset of the API. However, this proxy would require the same level of access to the socket.

In short: traefik could use the podman.sock to learn about running containers. However, because containers running as an unprivileged user require traefik to be run as the same unprivileged user, it must be able to access podman.sock as the unprivileged user.

One thing to note though is that if I had another privileged user, that user would not be able to access the namespaces of the other unprivileged user. Just like root and non-root users cannot use each other's namespaces, unprivileged users cannot use them amongst themselves either. If you run containers as an unprivileged user, and you run as root: podman container ls, you will see containers created as root and not any containers owned by other users.

--
You are receiving this mail because: You are the assignee for the bug.
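The comment describes putting a restricting proxy between traefik and podman.sock that exposes only a read-only subset of the API. The following is an added example of such a filter, written for this page; it is not code from the bug report, from Podman or from traefik. It listens on its own unix socket, forwards only an allow-list of GET endpoints to the upstream socket, and answers everything else (container create, start, exec, delete, ...) with 403. Assumptions: the allow-list is the set of endpoints a traefik-style consumer needs (container list, container inspect, events, version, info), the socket paths are temporary ones created for the demonstration, and the upstream is a constructed stand-in for podman.sock that answers every request with 200. In real use the proxy runs as the same unprivileged user as the containers (the point the comment makes), and the rootless socket it would connect to is `$XDG_RUNTIME_DIR/podman/podman.sock`, created by `systemctl --user enable --now podman.socket`.

```python
"""Allow-list filter in front of a rootless Podman API socket (added example)."""
import os
import re
import socket
import socketserver
import tempfile
import threading

# Forwarded (method, path regex) pairs. Podman serves the Docker-compatible
# paths and its own /libpod/ paths, optionally prefixed with an API version.
# Assumption: this is what a traefik-style read-only consumer needs.
_P = r"^(/v[0-9.]+)?(/libpod)?"
DEFAULT_ALLOW = [
    ("GET", re.compile(_P + r"/containers/json(\?.*)?$")),
    ("GET", re.compile(_P + r"/containers/[A-Za-z0-9_.-]+/json$")),
    ("GET", re.compile(_P + r"/events(\?.*)?$")),
    ("GET", re.compile(_P + r"/(info|version)$")),
]

def is_allowed(method, target, allow=DEFAULT_ALLOW):
    """True only on an exact (method, target) match; anything else is denied."""
    return any(method == m and rx.match(target or "") for m, rx in allow)

def read_head(sock):
    """Read bytes until the end of the HTTP request/response headers."""
    data = b""
    while b"\r\n\r\n" not in data:
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
    return data

def parse_request_line(head):
    """Return (method, target) from the request line, or (None, None) if malformed."""
    parts = head.split(b"\r\n", 1)[0].decode("latin-1", "replace").split(" ")
    return (parts[0], parts[1]) if len(parts) == 3 else (None, None)

def force_close(head):
    """Replace client Connection headers with 'Connection: close' so the proxy can
    relay the reply until upstream EOF (this also covers the streaming /events)."""
    hdrs, _, rest = head.partition(b"\r\n\r\n")
    lines = [l for l in hdrs.split(b"\r\n") if not l.lower().startswith(b"connection:")]
    return b"\r\n".join(lines + [b"Connection: close"]) + b"\r\n\r\n" + rest

class FilterHandler(socketserver.BaseRequestHandler):
    def handle(self):
        head = read_head(self.request)
        method, target = parse_request_line(head)
        if not is_allowed(method, target, self.server.allow):
            self.request.sendall(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n"
                                 b"Connection: close\r\n\r\n")
            return
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as up:
            up.connect(self.server.upstream)
            up.sendall(force_close(head))
            while True:  # relay upstream -> client until upstream closes
                chunk = up.recv(65536)
                if not chunk:
                    break
                self.request.sendall(chunk)

class FilterProxy(socketserver.ThreadingUnixStreamServer):
    daemon_threads = True
    def __init__(self, listen, upstream, allow=DEFAULT_ALLOW):
        self.upstream, self.allow = upstream, allow
        super().__init__(listen, FilterHandler)

class FakePodman(socketserver.ThreadingUnixStreamServer):
    """Constructed stand-in for podman.sock: 200 + echo of the request line."""
    daemon_threads = True
    class Handler(socketserver.BaseRequestHandler):
        def handle(self):
            line = read_head(self.request).split(b"\r\n", 1)[0]
            self.request.sendall(b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
                                 b"Content-Length: %d\r\nConnection: close\r\n\r\n%s"
                                 % (len(line), line))
    def __init__(self, path):
        super().__init__(path, FakePodman.Handler)

def raw_status(path, method, target):
    """Send one HTTP/1.1 request over a unix socket and return the status code."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(f"{method} {target} HTTP/1.1\r\nHost: podman\r\n\r\n".encode())
        return int(read_head(s).split(b" ", 2)[1])

def demo():
    """Run stand-in upstream + filter in a temp dir; return what a client sees."""
    d = tempfile.mkdtemp()
    up_path, px_path = os.path.join(d, "podman.sock"), os.path.join(d, "filtered.sock")
    upstream, proxy = FakePodman(up_path), FilterProxy(px_path, up_path)
    for srv in (upstream, proxy):
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return (raw_status(px_path, "GET", "/v4.0.0/libpod/containers/json?all=true"),
                raw_status(px_path, "GET", "/containers/abc123/json"),
                raw_status(px_path, "POST", "/containers/create"),
                raw_status(px_path, "DELETE", "/libpod/containers/abc123"))
    finally:
        for srv in (proxy, upstream):
            srv.shutdown()
            srv.server_close()

if __name__ == "__main__":
    print(demo())  # -> (200, 200, 403, 403)
```

The filter matches the whole request target against anchored regular expressions, so `/containers/json/../create` or a query string on the inspect endpoint is refused rather than forwarded; the deny path never touches the upstream socket at all. Only GET is ever forwarded, so request bodies are not relayed. Because the proxy keeps the upstream socket open as the same unprivileged user, it does not remove the SELinux access question raised in the bug; it only narrows what the client behind it can ask for.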