home.social

#rootless — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #rootless, aggregated by home.social.

  1. In part 2 of my macOS security internals series, I demystify System Integrity Protection (SIP), breaking down how the kernel enforces Apple-signed entitlements over POSIX root privileges, the mechanics of rootless.conf, and why the hardware always has the final veto.

    Includes a small C program to audit your own CSR bitfield configuration.

    Read the full deep dive here:
    bytearchitect.io/macos-securit

    #macOS #infosec #cybersecurity #ReverseEngineering #XNU #AppleSecurity #Kernel #OSInternals #Rootless

  2. " #CopyFail has proven to be a great example to refer to when writing about #Podman implementation of #rootless #containers In this note I reproduce the exploit across distinct container configurations to try to understand the exposure of a compromised rootless container."

    garrido.io/notes/podman-rootle

  7. I wondered about containers ( / and found explanations of how this uses user namespaces, but I was missing an explanation of the interactions with other namespaces (you need root to create namespaces, so how do you do that rootless?).

    I then found rootless.vagmi.ca, which implements rootless containers from scratch and explains it very well. The user_namespaces manpage is also good to read and fills in some missing bits: man.archlinux.org/man/user_nam

    TL;DR of what I learned in followup. 1/3

  8. @jriou Indeed I migrated on a rainy weekend!

    The main issues I got were: User Namespaces, Network and obviously DNS.
    This blog helped me understand the difference with #docker behaviour by setting up some demo apps:
    giacomo.coletto.io/blog/podman

    To experiment with the #rootless mode, I followed: redhat.com/en/blog/rootless-po

    #podman

  9. I'm still configuring my #alpinelinux + #cosmic desktop, and I realize I didn't want to install git in the main user-land on that computer, I'm being extra paranoid - and kind of petty. So I did what any sane person would do:

    - install #podman
    - configure podman to be #rootless
    - install #crun because rootless is not exactly what I really want
    - install #toolbx
    - install #git inside that isolated container
    - profit

  10. You might have noticed that I have spent some time in my Quadlets Repo, taking care of some Grafana stuff.

    Took me a bit to understand it but I’m quite happy with the result.

    Check it out if you’d like to deploy your Grafana instance with a few extras in your homelab!

    codeberg.org/Spoljarevic/Quadl

    #git #codeberg #monitoring #grafana #prometheus #NodeExporter #podmanexporter #tailscale #tailscaleexporter #podman #quadlet #quadlets #rootless

  12. I'm still experimenting with #podman #rootless and can't find how to allow containers/pod to access #localhost

    Context: one pod with 2 #containers, one needs access to localhost. Podman is 5.4 with pasta networking.
    I tried adding "-T" or "host-gateway" options to pasta network on the pod but still no way.
    Can't find a single complete article on how to manage networking on pods, a lot of different information.

    Does anyone have a solution to this problem? Is it even possible?

    #sysadmin #linux

  13. Some years ago, I started using #Docker #rootless for my #selfhosting needs. I was quite happy with it, even if finding information about rootless mode has been quite difficult.
    I mostly used #compose setups.

    Some days ago, I looked at #podman to replace those setups with a more modern stack. Podman works well for single containers but not so much podman-compose: don't believe the articles telling you that it's automatic, it's not!

    #containers #apps #linux #floss

  14. Tried to decide if I should look into instead of . Looked at their webpage and found a long list of features. Nice.

    Looked for a man page for the pasta command, but it was nowhere to be found on the webpage. Instead I could watch a 10-minute-long video showing 3 terminal windows and a window with scrolling text explaining what happens in the terminal windows.

    That is a thanks, but no thanks from me.

  15. Hey #Linux people. I have a file /etc/subuid for #rootless #podman. This works well.
    But now: how can I get access to a file generated by such a child namespace outside the container? The file owner is now one of the subuids, not me.

  16. @Larvitz
    I have almost the same set-up:
    - without SELinux as I'm running on #arch, but with #rootless containers.
    For #traefik I activated #socket github.com/eriksjolund/podman-

    The next step for me will be to use #podman's secrets. Thanks to your article I discovered their existence!

  17. 🚀Oh, the audacity! A #Rustacean attempts to reinvent the #ping wheel, only to discover that maybe, just maybe, hitting Google with "rootless ping" was too complex.🤔 But fret not, our hero has bravely deposited their groundbreaking discovery on #GitHub, saving us all from the dastardly clutches of... well, nothing. 🙄
    bou.ke/blog/rust-ping/ #rootless #innovation #tech #humor #HackerNews #ngated

  21. This error on one of my VMs with docker in rootless led me down a rabbit hole [1]:
    ```
    Error response from daemon: failed to create task for container: Unimplemented: failed to start shim: start failed: unsupported shim version (3): not implemented
    ```

    I realized that updating a host with nested docker in rootless services can break them. The fix: Update your Ansible scripts!

    [1]: du.nkel.dev/blog/2025-11-15_do

    #ansible #docker #rootless #vm #automation

  22. Rootless Podman Architecture: A Complete Guide to Containers

    Containers without root, where every process runs as a regular user. How does this work? How can a regular user isolate processes, create network namespaces and manage storage without a single privilege? Let's figure out what is hiding behind rootless Podman :)

    habr.com/ru/articles/966384/

    #podman #docker #security #linux #rootless #devsecops #devops #линукс #контейнеризация #containers

  23. One does not simply use rootless … me with a rootless Podman walks into Mordor of CI and docker build anyway.

    Just kidding! Rootless Podman containers, quadlets and systemd are truly amazing in 2025.

    vyskocil.me/blog/ci-setup-whic

    #podman #forgejo #ci #hugo #admin #rootless #systemd

  24. Developers self-hosting their Forgejo instances, or using another instance and needing to set up an actions runner, may find this new blog post useful :blobcatderpy:

    We set up a Forgejo runner with rootless Podman in Fedora!

    blog.hachem.dev/setting-up-for

    #Fedora42 #selfhosting #ForgejoActions #rootless #podman

  29. I really wish every #selfhost service would be made available as container without external dependencies by the projects themselves. Bonus points if the containers are #rootless for obvious security reasons. Many are. I can run my forgejo instance [1] that way, I run my Uptime Kuma instance [2] that way. I am looking at GotoSocial and Sharkey this weekend and will try to get them up and running the same way. @homelab

    [1] forge.wildeboer.net
    [2] up.wildeboer.net

  30. Make your containers more secure! Learn how to migrate Rootful Docker setup to Rootless Docker in Debian and Ubuntu Linux step-by-step.

    Read full guide here: ostechnix.com/rootless-docker-

    #Docker #Rootless #Devops #Debian #Ubuntu #Virtualization #Security

  32. So apparently you can run #proxmox in a #rootless #podman container. Seems worth fiddling with. Don't know if storage clusters etc. will work. Network config requires a bit more work.

    Used #dockermox and just ran it the same in podman instead

    github.com/rtedpro-cpu/dockerm

    #linux #sysadmin #tech #fedora #virtualization #vm #containers #isthereanythingtheycantdo

  36. I have just released a small #RustLang library for running commands as root as an unprivileged user - aka #rootless. 🦀

    crates.io/crates/rootless-run/

    It has been created in the context of the #ALPM project to allow running commands using #fakeroot or #rootlesskit and paves the way for a simple Rust-based implementation.

    In the future we plan to use it in the ALPM project to run commands that require root as an unprivileged user.

    #ArchLinux #container #packaging