
Another major use-case of rootless containers (though image building is not as useful in that case) is being able to run things unprivileged on computing clusters. I implemented rootless containers in runc and quite a few other tools (like umoci) in order to be able to handle cases where you don't get root on a box.

There is also the security benefit of there being no privileged codepath that can be exploited. So the only thing you need to worry about is kernel security (which, to be fair, has had issues in the past when it comes to user namespaces -- but you can restrict the damage with seccomp and similar tools).
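To make the "restrict the damage with seccomp" point concrete, here is an added example (not part of the comment above, and not runc's or umoci's own code) of the kind of filter a rootless runtime can install before exec'ing the workload: it returns EPERM for any unshare() or clone() that asks for a new user namespace, and ENOSYS for clone3() because its flags live in a struct that a BPF filter cannot inspect, so libc falls back to clone(). The architecture table covers only x86_64 and aarch64; the helper names and the forked-child probe are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sched.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Only these two ABIs are handled here; extend the table for others. */
#if defined(__x86_64__)
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#ifndef __NR_clone3
#define __NR_clone3 435 /* same number on x86_64 and aarch64 */
#endif

/* Low 32 bits of syscall argument n (little-endian layout of seccomp_data). */
#define ARG_LO(n) (offsetof(struct seccomp_data, args) + (n) * 8u)

static struct sock_filter no_userns_filter[] = {
    /* 0-2: kill the process if it runs under a foreign syscall ABI
       (e.g. 32-bit compat), where numbers and argument layout differ. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_AUDIT_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    /* 3-7: dispatch on syscall number; everything else is allowed. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_unshare, 3, 0), /* -> 8 */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_clone,   2, 0), /* -> 8 */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_clone3,  5, 0), /* -> 12 */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    /* 8-11: unshare/clone carry their flags in args[0]; EPERM if
       CLONE_NEWUSER is set, otherwise allow. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO(0)),
    BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, CLONE_NEWUSER, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    /* 12: clone3's flags are behind a pointer, so pretend it does not exist. */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (ENOSYS & SECCOMP_RET_DATA)),
};

/* Install the filter; no_new_privs is required to do so without CAP_SYS_ADMIN.
   Returns 0 on success, -1 with errno set on failure. */
int install_no_userns_filter(void) {
    struct sock_fprog prog = {
        .len = sizeof(no_userns_filter) / sizeof(no_userns_filter[0]),
        .filter = no_userns_filter,
    };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) return -1;
    return 0;
}

/* Probes: each returns 0 on success or the errno the kernel reported. */
int try_new_userns(void) { return unshare(CLONE_NEWUSER) == 0 ? 0 : errno; }
int try_clone3(void)     { return syscall(__NR_clone3, NULL, 0) == 0 ? 0 : errno; }

/* Run a probe in a forked child, optionally under the filter, so the caller
   itself is never filtered. Returns the probe's errno (0 = success),
   200 if the filter failed to install, -1 on fork/wait failure. */
int probe_in_child(int (*probe)(void), int with_filter) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (with_filter && install_no_userns_filter() != 0) _exit(200);
        _exit(probe() & 0xff);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    /* Without the filter the result depends on the host's unprivileged
       user-namespace policy; with it, CLONE_NEWUSER is always refused. */
    printf("unshare(CLONE_NEWUSER) unfiltered: errno %d\n", probe_in_child(try_new_userns, 0));
    printf("unshare(CLONE_NEWUSER) filtered:   errno %d\n", probe_in_child(try_new_userns, 1));
    printf("clone3() filtered:                 errno %d\n", probe_in_child(try_clone3, 1));
    return 0;
}
```

The filter only narrows the attack surface the comment is talking about (user-namespace creation from inside the workload); it does nothing for the namespace the runtime itself had to create, which is why the comment still lists kernel security as the thing left to worry about.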
