Hi all !
As of today, I am running my services with rootless podman pods and containers. Each functional stack gets its dedicated user (user cloud runs a pod with nextcloud-fpm, nginx, postgresql…) with user mapping. Now, my thought were that if an attack can escape a container, it should be contained to a specific user.
Is it really meaningful ? With service users’ home setup in /var/lib, it makes a lot of small stuff annoying and I wonder if the current setup is really worth it ?
It’s not going to make a meaningful difference in your threat model and it will cause a lot of hassle for extra configuration and broken docker images, so I wouldn’t bother.
There is some nice tooling for transparent user name spaces coming down the pipeline in Kubernetes which will be a nice 0-effort security upgrade, but if you don’t have the tooling, I would say it’s not worth it.
https://kubernetes.io/docs/concepts/workloads/pods/user-namespaces/
I guess I will try with a k3s on my workstation, but for a single NAS, I am not sure any kubernetes distribution is useful for now :)