Hi all !

As of today, I am running my services with rootless podman pods and containers. Each functional stack gets its dedicated user (user cloud runs a pod with nextcloud-fpm, nginx, postgresql…) with user mapping. Now, my thought were that if an attack can escape a container, it should be contained to a specific user.

Is it really meaningful ? With service users’ home setup in /var/lib, it makes a lot of small stuff annoying and I wonder if the current setup is really worth it ?

  • mel ♀@jlai.luOPEnglish
    1·
    23 hours ago

    I guess I will try with a k3s on my workstation, but for a single NAS, I am not sure any kubernetes distribution is useful for now :)

    • Justin@lemmy.jlh.nameEnglish
      1·
      5 hours ago

      Kubernetes is great for single nodes! It definitely is more advanced than docker compose, but it’s actually not hard at all if you read through the documentation. It definitely makes running containers easier in the long run.

      Here is my git repo for my big Kubernetes cluster at home: https://codeberg.org/jlh/h5b/src/branch/main/argo/custom_applications

      It started out as just a NFS server and a Kubernetes server running on Proxmox in 2021.