URL: https://wiki.archlinux.org/title/Talk:Podman

Talk:Podman - ArchWiki

From ArchWiki

What is wrong with rootless?

Latest comment: 26 April; 7 comments; 5 people in discussion

One of the benefits of podman is supposed to be that you don't have to run containers as root. However, the section on enabling this has a cryptic warning about the security implications of unprivileged user namespaces. It has a link that claims to have details, but the link goes to https://wiki.archlinux.org/title/Security#Sandboxing_applications which is another pair of cryptic warnings, with yet another link "for details". But that final link is a bug report with a long discussion going back to 2013.

What exactly is the point here? Are rootless containers not more secure than root containers? Or are they more secure, but create other security holes that root containers don't have? What exactly are these security holes? It would be nice to have a brief summary of how it relates to the context of this article. Ujones (talk) 01:38, 14 October 2021 (UTC)

I was about to ask the same question, but it seems that no one knows about it or has done anything about it in the last 2 years.
It would be nice with some clarification on this Dvaerum (talk) 23:22, 23 December 2023 (UTC)
My guess is that everyone in the container world moves fast and mixes concepts.
Rootless podman is about root starting a namespace with Users detached from the host, the subid/subgid concept... it has nothing to do with the dangers here.
Then, on top of that, you can also allow the kernel to let non-root users do the same, by setting `kernel.unprivileged_userns_clone` to 1.
So you have root-less podman, which is a security enhancement. And then you have root-less-for-non-root-users podman, which is a convenience for developers starting containers left and right, which lowers security.
Gcb (talk) 02:56, 12 August 2024 (UTC)
"Rootless podman is about root starting a namespace with Users detached from the host" – no, this is wrong terminology. Rootless is about who starts the container, in this case non-root users.
Root can start either privileged containers or unprivileged containers that use user-namespace isolation, assuming that the CONFIG_USER_NS kernel config is enabled. Note that in this case subuid/subgid mappings need to be configured too, but for the container's user – see Podman#User namespace mode.
Non-root users can start only unprivileged containers (if the CONFIG_USER_NS_UNPRIVILEGED/kernel.unprivileged_userns_clone kernel config is enabled). Once you are inside an unprivileged container, there is the same risk of container escape and privilege escalation to root outside the container. But there is a difference in who started the container: if it was root, the possibility for an attacker to exploit this is much smaller compared to the attack surface for local privilege escalation via rootless containers, i.e. containers started by non-root users.
Lahwaacz (talk) 10:44, 12 August 2024 (UTC)
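A read-only check of the two things the reply above turns on, written for this page as an added example (not from the wiki or from podman): whether the host lets non-root users create user namespaces, and whether a given user has a subordinate id range at all. It assumes the sysctl path used by linux-hardened and a constructed subuid file; on a mainline kernel the sysctl is absent and CONFIG_USER_NS alone decides.

```shell
#!/bin/sh
# Added example, not part of the wiki page. Read-only host checks for
# rootless (non-root) podman, as discussed in the thread above.

# Report whether non-root users may create user namespaces.
# $1: sysctl file (default: the linux-hardened knob; absent on mainline kernels)
userns_policy() {
    f="${1:-/proc/sys/kernel/unprivileged_userns_clone}"
    if [ ! -e "$f" ]; then
        echo "no-sysctl"   # mainline kernel: governed by CONFIG_USER_NS only
    elif [ "$(cat "$f")" = "1" ]; then
        echo "allowed"     # any local user can start an unprivileged container
    else
        echo "denied"      # only root-started containers are possible
    fi
}

# Print "start count" of a user's subordinate id range; exit 1 if none.
# $1: user name, $2: /etc/subuid- or /etc/subgid-format file (user:start:count)
subid_range() {
    awk -F: -v u="$1" '$1 == u { print $2, $3; found = 1 } END { exit !found }' "$2"
}

# Constructed sample data (not real host files) so the script runs anywhere.
tmp=$(mktemp -d)
printf 'alice:100000:65536\nbob:165536:65536\n' > "$tmp/subuid"
printf '1\n' > "$tmp/userns_clone"

echo "policy (sample sysctl): $(userns_policy "$tmp/userns_clone")"
echo "policy (this host):     $(userns_policy)"
echo "alice subuid range:     $(subid_range alice "$tmp/subuid")"
if ! subid_range carol "$tmp/subuid" >/dev/null; then
    echo "carol has no subuid range: rootless podman cannot map container users"
fi
```

Run against the real files (`/etc/subuid`, `/etc/subgid`) to see what a particular non-root account may do on your host.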
> if it was root, the possibility for an attacker to exploit this is much smaller compared to the attack surface for local privilege escalation via rootless containers, i.e. containers started by non-root users.
This is the part that confuses everyone :) Gcb (talk) 22:06, 13 July 2025 (UTC)
The Security#Sandboxing_applications section was recently edited to remove the userns warning. Maybe this page should be updated too? Marmis (talk) 19:31, 11 April 2026 (UTC)
That change was just reverted. — Lahwaacz (talk) 19:08, 26 April 2026 (UTC)

Additional dependencies need an update

Latest comment: 19 May 2023; 2 comments; 2 people in discussion

The rootless dependency

- fuse-overlayfs

isn't needed.

It's obsolete if you use btrfs and use it in the config file.

The second one isn't needed if you use netavark with podman >= 4.0. The linked upstream docs are outdated as well.

MartinX3 (talk) 19:09, 22 October 2022 (UTC)

Somewhat related: passt was added as an optional dependency with the description "for alternative rootless network support". I have no idea how it works, but maybe it should be explained here?
Iizuki (talk) 10:23, 19 May 2023 (UTC)

Troubleshoot: Add pause to process

Latest comment: 7 April 2023; 1 comment; 1 person in discussion

I stumbled upon this when I saw

Failed to add pause process to systemd sandbox cgroup: write unix @: sendmsg: broken pipe

in my logs. Unfortunately, the suggested fix does not help and returns

bash: echo: write error: Invalid argument

This seems to be due to systemd being the cgroup governor. Therefore, one cannot simply edit /sys/fs/cgroup/cgroup.subtree_control. Still, I tried to find the correct systemd-way of adding the controllers to the cgroups but I wasn't able to find a definitive answer. Anyway, I guess the suggested fix should be updated, I just don't know how.

Amo (talk) 16:56, 7 April 2023 (UTC)

podman-dnsname is deprecated

Latest comment: 19 January 2024; 1 comment; 1 person in discussion

The section about docker compose mentions podman-dnsname. It seems upstream has moved on to aardvark-dns. --Emersion (talk) 18:49, 19 January 2024 (UTC)

Recommend the podman-compose wrapper

Latest comment: 20 January 2024; 1 comment; 1 person in discussion

The section about docker-compose assumes the user runs docker-compose directly. This requires manually setting DOCKER_HOST in the environment.

A simpler approach is to run the podman compose wrapper which does this automatically. Emersion (talk) 13:04, 20 January 2024 (UTC)

nftables conflict

Latest comment: 13 July 2025; 3 comments; 2 people in discussion

Where is the discussion mentioned on Podman#IP networking?

A fresh arch install as of today, with nothing but podman and nft will still cause connection issues. I.e. everything will be dropped by the default chain:

 chain forward { # handle 2
     type filter hook forward priority 0; policy drop;
 }

Gcb (talk) 02:53, 13 August 2024 (UTC)

The accuracy template does not refer to an existing discussion, but to this talk page where people could start the discussion.
The accuracy template is not about nftables, though. What if you install iptables-nft? If you did not install it explicitly, installing podman pulled in iptables as a dependency.
Lahwaacz (talk) 19:46, 13 August 2024 (UTC)
Thanks. I think your comment led me to debug it and I never updated. So, installing podman does bring iptables-nft as it requires iptables, so it was not the solution. I ended up manually creating a forward chain for podman at the time. Gcb (talk) 22:14, 13 July 2025 (UTC)
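For readers who hit the same default-drop forward chain, an added example (not from the wiki or from podman) of the rules that let a root-started container on podman's default bridge reach the outside while the drop policy stays. It assumes the bridge is named podman0 (podman's default network) and that you manage the table yourself in plain nft syntax; rootless containers using pasta or slirp4netns do not pass the forward hook and are unaffected.

```nft
# Added example: a forward chain with policy drop that still passes the
# traffic of containers on podman's default bridge (assumed name: podman0).
table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # replies to connections the containers opened themselves
        ct state established,related accept

        # traffic leaving the containers (also covers container-to-container
        # traffic on the same bridge, since both sides are on podman0)
        iifname "podman0" accept

        # everything else, including unsolicited traffic into the bridge,
        # still falls through to the drop policy
    }
}
```

Check the effect with `nft list chain inet filter forward` and, from a container, a simple outbound connection; the rule counters show whether the accepts are being hit.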

crun or runc

Latest comment: 21 December 2025; 2 comments; 2 people in discussion

When you install podman on a clean system, the system asks to choose between crun and runc. Shouldn't we mention this in the text right in the installation section, so that the user does not need to go googling? Barafu Albino Cheetah (talk) 09:01, 21 December 2025 (UTC)

Well there is Podman#Runtimes but if the user did not read it (yet), sticking to the default works fine. — Lahwaacz (talk) 15:13, 21 December 2025 (UTC)