<rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title>Rootless - vo.rs</title><link>https://vo.rs/tags/rootless/</link><description>Latest from the Rootless desk at vo.rs.</description><generator>Hugo -- gohugo.io</generator><language>en</language><copyright>This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.</copyright><lastBuildDate>Wed, 05 Nov 2025 12:46:00 +0000</lastBuildDate><atom:link href="https://vo.rs/tags/rootless/" rel="self" type="application/rss+xml"/><item><title>Rootless Containers: Least Privilege for the Paranoid</title><link>https://vo.rs/story/rootless-containers-least-privilege-for-the-paranoid/</link><description>&lt;p&gt;There is a sentence that ought to be printed on the box every container runtime ships in: &lt;strong&gt;root inside the container is root on the host&lt;/strong&gt;. Not metaphorically. Not &amp;ldquo;sort of&amp;rdquo;. By default, UID 0 in the container is UID 0 on the machine, and the only thing standing between those two facts is a set of kernel namespaces that a good enough bug will walk straight through.&lt;/p&gt;
&lt;p&gt;I run a small homelab — a mix of services on a couple of boxes behind a reverse proxy — and for years I treated containers as a security boundary. They are a boundary, but a leaky one, and the leak all points the same way: outwards, onto my host, as root. Once I internalised that, my whole approach changed. I stopped asking &amp;ldquo;is this container safe?&amp;rdquo; and started asking &amp;ldquo;when this container gets popped, how boring can I make the aftermath?&amp;rdquo; That question has a name. It is least privilege, and this post is how I apply it to containers I actually run.&lt;/p&gt;</description><pubDate>Wed, 05 Nov 2025 12:46:00 +0000</pubDate></item><item><title>Podman for People Who Distrust the Docker Daemon</title><link>https://vo.rs/story/podman-for-people-who-distrust-the-docker-daemon/</link><description>&lt;p&gt;I ran Docker happily for years, and then one afternoon I actually read what my
&lt;code&gt;docker&lt;/code&gt; group membership meant and felt slightly sick. I had added my everyday
user to that group ages ago because typing &lt;code&gt;sudo&lt;/code&gt; in front of every command is
tedious, the way everyone does, the way every tutorial tells you to. What nobody
mentions in the same breath is that this is functionally the same as handing that
user a password-free root shell. Podman is the container engine I moved to when
that stopped sitting right with me, and I have not wanted to go back.&lt;/p&gt;</description><pubDate>Tue, 07 Oct 2025 10:32:00 +0000</pubDate></item></channel></rss>