#rootless — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #rootless, aggregated by home.social.
-
In part 2 of my macOS security internals series, I demystify System Integrity Protection (SIP), breaking down how the kernel enforces Apple-signed entitlements over POSIX root privileges, the mechanics of rootless.conf, and why the hardware always has the final veto.
Includes a small C program to audit your own CSR bitfield configuration.
Read the full deep dive here:
https://bytearchitect.io/macos-security/Apple-defences-SIP-and-APFS-(cont'd)/
#macOS #infosec #cybersecurity #ReverseEngineering #XNU #AppleSecurity #Kernel #OSInternals #Rootless
-
"#CopyFail has proven to be a great example to refer to when writing about #Podman's implementation of #rootless #containers. In this note I reproduce the exploit across distinct container configurations to try to understand the exposure of a compromised rootless container."
https://garrido.io/notes/podman-rootless-containers-copy-fail/
-
Podman rootless containers and the Copy Fail exploit
https://garrido.io/notes/podman-rootless-containers-copy-fail/
#HackerNews #Podman #rootless #containers #Copy #Fail #exploit #cybersecurity #containerization #tech #news
-
I wondered about #rootless containers (#Podman / #Docker) and found explanations of how this uses user namespaces, but I was missing an explanation of the interactions with other namespaces (you need root to create namespaces, so how is that done rootless?).
I then found https://rootless.vagmi.ca, which implements rootless containers from scratch and explains it very well. The user_namespaces manpage is also good to read and fills in some missing bits: https://man.archlinux.org/man/user_namespaces.7.en
TL;DR of what I learned in the follow-up. 1/3
-
@jriou Indeed, I migrated on a rainy weekend!
The main issues I got were: user namespaces, network and obviously DNS.
This blog helped me understand the difference with #docker behaviour by setting up some demo apps:
https://giacomo.coletto.io/blog/podman-quadlets/
To experiment with the #rootless mode, I followed: https://www.redhat.com/en/blog/rootless-podman-user-namespace-modes
-
I'm still configuring my #alpinelinux + #cosmic desktop, and I realized I didn't want to install git in the main user-land on that computer. I'm being extra paranoid - and kind of petty. So I did what any sane person would do:
- install #podman
- configure podman to be #rootless
- install #crun because rootless is not exactly what I really want
- install #toolbx
- install #git inside that isolated container
- profit
-
You might have noticed that I have spent some time in my Quadlets Repo, taking care of some Grafana stuff.
Took me a bit to understand it but I’m quite happy with the result.
Check it out if you’d like to deploy your Grafana instance with a few extras in your homelab!
#git #codeberg #monitoring #grafana #prometheus #NodeExporter #podmanexporter #tailscale #tailscaleexporter #podman #quadlet #quadlets #rootless
-
RE: https://social.wildeboer.net/@jwildeboer/115890302649611807
Thanks for that hint, @jwildeboer! Immich is up and running - the import of my family's libraries will take a while though… #Immich #Podman #rootless #SelfHosting
-
I'm still experimenting with #podman #rootless and can't find how to allow containers/pods to access #localhost.
Context: one pod with 2 #containers, one of which needs access to localhost. Podman is 5.4 with pasta networking.
I tried adding the "-T" or "host-gateway" options to the pasta network on the pod, but still no way.
I can't find a single complete article on how to manage networking on pods, just a lot of different information. Has anyone a solution to this problem? Is it simply possible?
-
Some years ago, I started using #Docker #rootless for my #selfhosting needs. I was quite happy with it, even if finding information about rootless mode has been quite difficult.
I mostly used #compose setups.
Some days ago, I looked at #podman to replace those setups with a more modern stack. Podman works well for single containers but not so much for podman-compose: don't believe the articles telling you that it's automatic, it's not!
-
Tried to decide if I should look into #pasta instead of #slirp4netns. Looked at their webpage and found a long list of features. Nice.
Looked for a man page for the pasta command, but it was nowhere to be found on the webpage. Instead I could watch a 10-minute-long video showing 3 terminal windows and a window with scrolling text explaining what happens in the terminal windows.
That is a thanks, but no thanks from me.
-
@Larvitz
I have almost the same set-up:
- without SELinux, as I'm running on #arch, but with #rootless containers.
For #traefik I activated #socket activation: https://github.com/eriksjolund/podman-traefik-socket-activation/blob/main/examples/example1/traefik.container
The next step for me will be to use #podman's secrets. Thanks to your article I discovered their existence!
-
🚀Oh, the audacity! A #Rustacean attempts to reinvent the #ping wheel, only to discover that maybe, just maybe, hitting Google with "rootless ping" was too complex.🤔 But fret not, our hero has bravely deposited their groundbreaking discovery on #GitHub, saving us all from the dastardly clutches of... well, nothing. 🙄
https://bou.ke/blog/rust-ping/ #rootless #innovation #tech #humor #HackerNews #ngated
-
This error on one of my VMs with Docker in rootless mode led me down a rabbit hole [1]:
```
Error response from daemon: failed to create task for container: Unimplemented: failed to start shim: start failed: unsupported shim version (3): not implemented
```
I realized that updating a host with nested Docker in rootless services can break them. The fix: update your Ansible scripts!
[1]: https://du.nkel.dev/blog/2025-11-15_docker-rootless-ansible/
-
Developers self-hosting their Forgejo instances, or using another instance, who need to set up an actions runner may find this new blog post useful :blobcatderpy:
We set up a Forgejo runner with rootless Podman in Fedora!
https://blog.hachem.dev/setting-up-forgejo-runner-in-a-fedora-server-with-rootless-podman/
-
I finally managed to make a #rootless #Podman #Quadlet for #Gitlab that is functional on local setups and includes a #GitlabRunner to run #ContinuousIntegration / #CI on!
The Readme mentions all the steps needed to run it, avoiding all the gotchas that you might encounter.
Internally the GitLab Runner can use #Docker containers from within Podman without any issues!
This makes it much easier for you to learn how to do CI yourself.
https://github.com/herzenschein/herz-quadlet/tree/main/gitlab
-
Rootless Podman architecture: a complete guide to containers
Containers without root, where every process runs as an ordinary user. How does it work? How can an ordinary user isolate processes, create network namespaces and manage storage without a single privilege? Let's figure out what is hiding behind rootless Podman :)
https://habr.com/ru/articles/966384/
#podman #docker #security #linux #rootless #devsecops #devops #линукс #контейнеризация #containers
-
One does not simply use rootless … me with a rootless Podman walks into Mordor of CI and docker build anyway.
Just kidding! Rootless Podman containers, quadlets and systemd are truly amazing in 2025.
-
I really wish every #selfhost service would be made available as container without external dependencies by the projects themselves. Bonus points if the containers are #rootless for obvious security reasons. Many are. I can run my forgejo instance [1] that way, I run my Uptime Kuma instance [2] that way. I am looking at GotoSocial and Sharkey this weekend and will try to get them up and running the same way. @homelab
-
@techviator
Those 2 articles help me a lot to move from #docker to #rootless #podman
- Controlling access to rootless Podman for users:
https://www.redhat.com/en/blog/controlling-access-rootless-podman-users
- Understanding rootless podman's user namespace modes: https://www.redhat.com/en/blog/rootless-podman-user-namespace-modes/
cc @Podman_io @rhatdan
-
Running AI/ML/LLM workloads on the immutable Linux openSUSE Kalpa Desktop with AMD GPUs using AMD ROCm in a rootless distrobox:
https://jornfranke.codeberg.page/technology-tutorials/immutable-linux-neural-pc/
#ai #ml #llm #immutablelinux #kalpadesktop #opensuse #rootless #distrobox #amd #rocm #ollama
-
Make your containers more secure! Learn how to migrate a rootful Docker setup to rootless Docker on Debian and Ubuntu Linux, step by step.
Read full guide here: https://ostechnix.com/rootless-docker-debian-ubuntu-linux/
#Docker #Rootless #Devops #Debian #Ubuntu #Virtualization #Security
-
So apparently you can run #proxmox in a #rootless #podman container. Seems worth fiddling with. Don't know if storage clusters etc. will work. Network config requires a bit more work.
Used #dockermox and just ran it the same way in podman instead:
https://github.com/rtedpro-cpu/dockermox
#linux #sysadmin #tech #fedora #virtualization #vm #containers #isthereanythingtheycantdo
-
I have just released a small #RustLang library for running commands as root while being an unprivileged user - aka #rootless. 🦀
https://crates.io/crates/rootless-run/0.1.0
It has been created in the context of the #ALPM project to allow running commands using #fakeroot or #rootlesskit and paves the way for a simple Rust-based implementation.
In the future we plan to use it in the ALPM project to run commands that require root as an unprivileged user.
-
Got the analogic/poste.io #email container running #rootless on a #podman stack on a new #VPS...
Had bruises on my forehead from trying to get it running (successfully) for like three days with #docker.
Practice makes barely competent, it looks like. Success!
Will probably have to use my 'mail seeder script' over the next few days so the big hosts accept the new domain as legit.
I have DKIM keys and SPF already set up.
-
Playing with #rootless #podman and found out that if you have your containers in a separate network (I assume pasta, because podman 5.4.2), the access logs of an Nginx container will show the IP of the container as the source IP, not the real client.
Does anyone know how to change this behavior? Running openSUSE Leap and Tumbleweed here (not that this should matter).
-
#Introduction #Him #1955 #Dysfunctional #Family #Formative #Books #SciFi #Heinlein #Lessing #Politics #Internationalist #European #Socialist #LSE #SocAnth #Weslyan #Rootless #Tramp #Traveller #Love #NotHate #Cook #Gardener #MetaPhysics #Jungian #Holistic #Android #SOSNHS #ToriesOut #AGC #Photography #Radio3 #Tag #MUWF "More undoubtedly will follow"
-
Anyone running #PaperlessNGX #rootless using #Podman and #PodmanCompose under #Debian12? The volumes I'm mapping to the host always get chowned to 100999:100999, and that's with USERMAP_UID=1000 and USERMAP_GID=1000 in docker-compose.env.
Playing around with PODMAN_USERNS mainly leads to the container not starting at all (in at least one case because it can't install packages).
-
At least it works in podman-compose, so that's a start. Our self-hosted agents don't have it installed, but the pipeline user can #elevate #permissions with impunity, and with a bit of scripting can achieve #rootless operation.
-
We're also implementing #lum.ai #odinson (#elasticsearch) to facilitate full-text searches into uploaded docs/pdfs, and developing #morphological #parsers to improve that search. Running #nginx in the containers, on #debian11, all #rootless. Hopefully days away from #deployment! 2/2