Podman: Security Best Practices

Introduction to Podman Security

Security matters. No one wants to be the reason their company’s data ends up on a dark web auction. Containers, despite their lightweight and efficient nature, are not immune to security risks: they share the host kernel, so one kernel bug or one careless flag can turn a compromised container into a compromised host. Podman’s design narrows that exposure. It runs containers rootless by default, gives each one its own set of namespaces, and applies SELinux or AppArmor, a seccomp filter and a reduced capability set without any extra configuration.

Why Podman is More Secure than Docker

  • Rootless by default: Podman runs containers as the user who starts them, mapping container UIDs onto that user’s subordinate range from /etc/subuid. Docker’s standard install runs containers through a daemon that itself runs as root (Docker has an opt-in rootless mode, but it is not the default), so a container escape or a writable Docker socket is root on the host.
  • No daemon: Each container is started directly by the podman process and supervised by a small per-container monitor (conmon), not by a long-running privileged daemon. There is no root-owned API socket to hand out, and nothing whose crash or compromise takes every container with it.
  • Security frameworks on by default: On SELinux hosts every container runs as container_t with its own MCS category, the default seccomp profile is applied, and AppArmor is used where the distribution provides it. Docker supports the same mechanisms; the difference is that Podman’s defaults combine them with rootless operation rather than leaving the safest setup as an option.

Container Security Basics

Before diving into Podman’s security features, let’s understand some core concepts.

Understanding Container Isolation

Containers are not virtual machines. Instead of full isolation, they rely on namespaces and cgroups to keep workloads separated. Think of it as cubicles in an office—people can still yell over the dividers if they try hard enough.

Namespaces and cgroups in Podman

  • Namespaces: Give each container its own view of process IDs, network stack, mount table, IPC objects, hostname and, with user namespaces, user and group IDs. A process inside sees only its own container’s slice of each; it does not see the host’s.
  • cgroups (Control Groups): Limit resources (CPU, memory, I/O) so that one rogue container doesn’t turn your machine into a jet engine.

SELinux and AppArmor Integration

Podman integrates with SELinux (Fedora, RHEL, CentOS Stream) and AppArmor (Ubuntu, Debian, SUSE) to restrict what container processes can touch, independently of which UID they run as. With SELinux, each container’s processes get the container_t type plus a unique MCS pair (for example s0:c123,c456), and the container’s files carry container_file_t with the same pair, so a process that slips out of its namespaces still cannot read another container’s files or most of the host filesystem. Host directories you bind-mount are relabelled to match only when you add the :Z or :z volume option; without it they are unreadable under enforcing mode, which is the policy doing its job rather than a bug.

Running Containers as Non-Root Users

Running everything as root is a great way to invite disaster. Podman gives you two separate levers: run podman itself as an ordinary user (rootless mode, covered below), and run the process inside the container as a non-root UID:

podman unshare  # Open a shell inside your rootless user namespace: you appear as root, but that root is your own UID, and UIDs 1 and up are your subuid range
podman run --user 1001 mysecureimage  # Start the container’s main process as UID 1001 inside the container (in rootless mode that is one of your subuids on the host)

Use both together. A process that is non-root inside a container that is itself rootless has no route to real root even if it breaks out of the container.

Security Policies and Best Practices

A few simple tweaks can make your containers significantly more secure.

Limiting Container Privileges

Podman already starts containers with a trimmed capability set, but most applications need none of it. Start from zero and add back only the one capability the workload actually uses:

podman run --cap-drop=ALL --cap-add=NET_BIND_SERVICE mysecureimage  # Allow binding ports below 1024 and nothing else

Using Read-Only Containers

Lock down your container’s root filesystem so a compromised process cannot drop a binary into it or rewrite its own configuration:

podman run --read-only mysecureimage

Podman still provides a writable tmpfs on /dev, /dev/shm, /run, /tmp and /var/tmp (disable that with --read-only-tmpfs=false); any other path the application must write to has to be an explicit volume or tmpfs mount, which also documents where the container’s state actually lives.

Avoiding Privilege Escalation

Stop processes in the container from gaining privileges through setuid binaries or file capabilities baked into the image. The option is spelled no-new-privileges; it sets the kernel’s PR_SET_NO_NEW_PRIVS bit, which is inherited across execve, so no child of the container’s main process can escape it either:

podman run --security-opt no-new-privileges mysecureimage
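The three options above plus --user combine into one hardened invocation, and the hands-on exercise at the end asks you to prove that the drop actually took effect. The script below is an added example written for this page; it is not code from the Podman project or from the original author. It assumes podman is on PATH, that the workload needs nothing beyond NET_BIND_SERVICE, and uses the placeholder image name from the text. decode_caps turns the CapEff hex mask that the kernel reports in /proc/PID/status into capability names; verify_hardening reads that file for the container’s PID 1 from the host side, which needs no tools inside the image and works rootless because the process belongs to you.

```sh
# Added example: hardened `podman run` plus a host-side check of what the
# container really got. Not from the Podman project; the image and
# container names are placeholders.

# Capability names by bit index, from linux/capability.h (bit N = CAP_N).
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod
lease audit_write audit_control setfcap mac_override mac_admin syslog
wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore"

# decode_caps HEXMASK: print the capability names set in a CapEff/CapPrm/
# CapBnd mask exactly as /proc/PID/status shows it (16 hex digits).
decode_caps() {
  [ -n "$1" ] || { echo ""; return; }
  dc_mask=$((0x$1)) dc_i=0 dc_out=""
  for dc_name in $CAP_NAMES; do
    if [ $(( (dc_mask >> dc_i) & 1 )) -eq 1 ]; then
      dc_out="${dc_out:+$dc_out }cap_$dc_name"
    fi
    dc_i=$((dc_i + 1))
  done
  echo "$dc_out"
}

# hardened_run IMAGE [CMD...]: the three policies from the text combined
# with a non-root UID. Starts detached and prints the container ID.
# --read-only still gives the container a tmpfs on /tmp, /run and friends.
hardened_run() {
  hr_image=$1; shift
  podman run -d --rm \
    --cap-drop=ALL --cap-add=NET_BIND_SERVICE \
    --read-only \
    --security-opt no-new-privileges \
    --user 1001 \
    "$hr_image" "$@"
}

# verify_hardening CONTAINER: inspect the container's PID 1 via the host's
# /proc. UIDs are shown in the host view (rootless: one of your subuids).
verify_hardening() {
  vh_pid=$(podman inspect --format '{{.State.Pid}}' "$1") || return 1
  vh_status="/proc/$vh_pid/status"
  echo "uid (host view): $(sed -n 's/^Uid:[[:space:]]*//p' "$vh_status")"
  echo "effective caps:  $(decode_caps "$(sed -n 's/^CapEff:[[:space:]]*//p' "$vh_status")")"
  echo "no_new_privs:    $(sed -n 's/^NoNewPrivs:[[:space:]]*//p' "$vh_status")"
  echo "selinux label:   $(podman inspect --format '{{.ProcessLabel}}' "$1")"
}
```

Try it with `cid=$(hardened_run mysecureimage sleep 300) && verify_hardening "$cid"`. You want an empty capability line (or only cap_net_bind_service, depending on whether your Podman version grants added capabilities to a non-root --user), no_new_privs of 1, a UID that is not 0 in the host view, and on an SELinux host a label ending in container_t plus two MCS categories. Anything more than that means one of the flags was silently dropped, for example by a wrapper script or a Compose translation layer.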

User Namespaces and Rootless Containers

Podman’s rootless mode is one of its biggest advantages over Docker’s default setup. The podman process, the OCI runtime and every process inside the container run under your own user account inside a user namespace; root in the container is just your UID wearing a different number, and the UIDs above it are drawn from your subordinate range rather than from real host accounts.

Setting Up a Rootless Container

  1. Install Podman (normally with the distribution’s package manager, which needs root once; running containers afterwards does not).
  2. Make sure your user has subordinate ID ranges in /etc/subuid and /etc/subgid (a line such as alice:100000:65536 in each). Distribution packages usually add these when a user is created; the newuidmap and newgidmap helpers from shadow-utils (the uidmap package on Debian and Ubuntu) must be installed as well, because Podman uses them to apply the mapping.
  3. Run a rootless container as yourself:
podman run mysecureimage
Podman applies the mapping from /etc/subuid on its own: UID 0 in the container is your UID, and UIDs 1 to 65535 are your subordinate range. The explicit form
podman run --uidmap 0:100000:65536 mysecureimage
is what root would pass to put container UID 0 at host UID 100000. In rootless mode the middle number counts positions within your own range rather than host UIDs, so that exact command fails for most users with a 65536-entry range; leave --uidmap out unless you need a custom layout.
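A preflight check for step 2, written as an added example for this page rather than taken from Podman’s own tooling. It sums the ranges a user owns in /etc/subuid and /etc/subgid (a user may own several entries) and confirms that the newuidmap and newgidmap helpers are installed. The user name alice, the 100000-165535 range in the hint and the sample file contents are constructed.

```sh
# Added example: is this account ready for rootless Podman?
# Not from the Podman project; user names and ranges are placeholders.

# subid_total USER FILE: sum of the COUNT fields of every NAME:START:COUNT
# line in FILE that belongs to USER. Newer shadow-utils also accept the
# numeric UID in place of NAME; pass that as USER if your system uses it.
subid_total() {
  st_user=$1 st_file=$2 st_total=0
  [ -r "$st_file" ] || { echo 0; return; }
  while IFS=: read -r st_name st_start st_count; do
    [ "$st_name" = "$st_user" ] || continue
    st_total=$((st_total + st_count))
  done < "$st_file"
  echo "$st_total"
}

# rootless_preflight USER [MIN]: return 0 when USER owns at least MIN
# subordinate UIDs and GIDs and the setuid mapping helpers exist.
# 65536 is the usual minimum so every UID a typical image uses has a host
# UID to land on.
rootless_preflight() {
  rp_user=$1 rp_min=${2:-65536} rp_ok=0
  for rp_kind in uid gid; do
    rp_have=$(subid_total "$rp_user" "/etc/sub$rp_kind")
    if [ "$rp_have" -lt "$rp_min" ]; then
      # usermod --add-sub{u,g}ids needs shadow-utils 4.9 or newer; on older
      # systems append NAME:START:COUNT to the file by hand. Pick a range
      # no other user already owns.
      echo "sub$rp_kind: $rp_user has $rp_have, needs $rp_min" \
           "(e.g. usermod --add-sub${rp_kind}s 100000-165535 $rp_user)" >&2
      rp_ok=1
    fi
    if ! command -v "new${rp_kind}map" >/dev/null 2>&1; then
      echo "new${rp_kind}map not found: install shadow-utils (uidmap on Debian/Ubuntu)" >&2
      rp_ok=1
    fi
  done
  return $rp_ok
}
```

Run `rootless_preflight "$(id -un)"` before the first `podman run`. If you add or change the ranges afterwards, run `podman system migrate` so the long-lived pause process picks up the new mapping; then `podman unshare cat /proc/self/uid_map` should show a first line mapping 0 to your UID with length 1, followed by a line mapping 1 to the start of your subuid range with its full length.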

Benefits of Rootless Containers

  • Better security: Root inside the container is an unprivileged UID on the host, so a container escape lands in your account rather than in uid 0 and cannot load kernel modules, mount host filesystems or change host firewall rules.
  • Multi-user support: Each user has a private image store and container state under their own home directory and cannot see or control anyone else’s containers.
  • Less system-wide impact: There is no shared daemon, so a misbehaving or compromised container affects only the user who started it.

Container Image Security

Securing your containers isn’t just about running them safely—it starts with the images themselves.

Signing and Verifying Images

Ensure you’re using trusted images. Two different checks are involved here, and they are easy to confuse:

podman pull --tls-verify=true quay.io/example/secureimage:latest

--tls-verify=true (the default) only guarantees that the connection to the registry uses valid TLS, so nobody on the network path can swap the layers in transit. It says nothing about who built the image. For that you need signature verification, which Podman performs on every pull once a policy is installed: /etc/containers/policy.json (for rootless users, ~/.config/containers/policy.json) states which registries must be signed and by which keys, and a file under registries.d tells Podman where to fetch the detached signatures from. Images are signed at push time with podman push --sign-by, and podman image trust show summarises the policy currently in force.
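The two files that switch verification on, generated by a shell function added here as an example for this page; it is not part of Podman or the original article. The registry namespace quay.io/example, the key path, the signature server URL and the output directory are placeholders. The policy rejects everything by default and accepts images from the named namespace only when they carry a valid GPG signature from the given key; the registries.d entry points Podman at the lookaside server where the detached signatures live (older container-tools releases spell that key sigstore: instead of lookaside:).

```sh
# Added example: write policy.json and a registries.d entry that make
# `podman pull` refuse unsigned images from one registry namespace.
# Not from the Podman project; all names and URLs are placeholders.

# write_signing_policy REGISTRY KEYPATH OUTDIR SIGURL
#   REGISTRY  image namespace to enforce, e.g. quay.io/example
#   KEYPATH   exported public GPG key the signer used
#   OUTDIR    /etc/containers (rootful) or ~/.config/containers (rootless)
#   SIGURL    base URL of the lookaside (signature) server
write_signing_policy() {
  wp_registry=$1 wp_key=$2 wp_dir=$3 wp_sigurl=$4
  mkdir -p "$wp_dir/registries.d"

  # Everything not listed under transports.docker is rejected, which also
  # covers podman load / docker-archive; add entries for those if you use them.
  cat > "$wp_dir/policy.json" <<EOF
{
  "default": [{"type": "reject"}],
  "transports": {
    "docker": {
      "$wp_registry": [
        {"type": "signedBy", "keyType": "GPGKeys", "keyPath": "$wp_key"}
      ]
    }
  }
}
EOF

  # registries.d: where to fetch signatures for images in this namespace.
  # File name is arbitrary; one file per namespace keeps it readable.
  wp_yaml="$wp_dir/registries.d/$(echo "$wp_registry" | tr '/:' '__').yaml"
  cat > "$wp_yaml" <<EOF
docker:
  $wp_registry:
    lookaside: $wp_sigurl
EOF
  echo "$wp_dir/policy.json"
}
```

After installing the files, `podman pull quay.io/example/secureimage:latest` fails with a signature error for anything that was not pushed with `podman push --sign-by <key-id>` from a host whose registries.d has a matching lookaside-staging entry for uploading the signature. Keep a copy of the rejecting policy in version control; a policy.json that was quietly reset to insecureAcceptAnything is a common way for this control to disappear.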

Scanning Images for Vulnerabilities

Check for known security issues in your container images. Podman itself has no scanning subcommand; use a dedicated scanner that reads the image from Podman’s local storage or from the registry. With Trivy installed:

trivy image mysecureimage

Best Practices for Secure Images

  • Use minimal base images: alpine, scratch, or distroless reduce the attack surface and, just as importantly, the number of packages a scanner will flag and you will have to explain.
  • Regularly update and rebuild: Outdated images are security risks. Rebuilding from a current base is the only way to pick up fixed packages; no amount of runtime hardening patches a vulnerable library.
  • Avoid hardcoded secrets: Never COPY credentials into an image; they stay in the layer history even if a later layer deletes them. Environment variables are better but still visible to every process in the container and in podman inspect output. Prefer podman secret create together with --secret, which mounts the value as a file under /run/secrets, or an external secret manager.

Container Image Scanning and Vulnerability Management

Automate security checks for continuous protection.

Choosing a Scanner

Podman does not ship a vulnerability scanner, so there is no podman scan command. Scanners such as Trivy, Grype and Clair unpack the image layers, match the installed packages against vulnerability databases and report each finding with its severity and, where one exists, the package version that fixes it.

Integrating with Security Tools

For deeper scans, integrate with tools like Trivy and Clair. Trivy is the simplest to drop into a pipeline: a single binary that scans images, filesystems and infrastructure-as-code. Clair runs as a service that registries such as Quay call on every push, so findings appear next to the image in the registry rather than only in build logs.

Automating Image Scanning in CI/CD Pipelines

Security shouldn’t be an afterthought—automate it in your workflows.

Example: Scanning an Image with Trivy

trivy image mysecureimage
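A gate around that command suitable for a CI job, added here as an example for this page and not taken from Trivy’s or Podman’s documentation. It keeps the JSON report as a build artifact, fails the job when a HIGH or CRITICAL finding has a fix available, and counts findings per severity with grep so the summary needs no jq in the build image. The image name and report path are placeholders; the report in the test is a constructed fragment in the shape Trivy emits, not real scan output.

```sh
# Added example: fail a CI job on fixable HIGH/CRITICAL findings.
# Not from Trivy or Podman; names and paths are placeholders.

# severity_count REPORT SEVERITY: number of findings at SEVERITY in a
# Trivy JSON report (counts "Severity": "<SEVERITY>" entries, so it works
# on both pretty-printed and compact output).
severity_count() {
  grep -o "\"Severity\": *\"$2\"" "$1" | wc -l | tr -d ' '
}

# scan_gate IMAGE [REPORT]: run Trivy, keep the report, print a summary and
# return non-zero when any HIGH/CRITICAL vulnerability with a fix exists.
# --ignore-unfixed keeps the gate actionable: a finding nobody can fix yet
# should be tracked, not block every build. --image-src podman reads the
# image from rootless Podman storage instead of a Docker socket.
scan_gate() {
  sg_image=$1 sg_report=${2:-trivy-report.json}
  if trivy image --image-src podman --format json --output "$sg_report" \
       --severity HIGH,CRITICAL --ignore-unfixed --exit-code 1 "$sg_image"; then
    sg_rc=0
  else
    sg_rc=$?
  fi
  for sg_sev in CRITICAL HIGH; do
    echo "$sg_sev: $(severity_count "$sg_report" "$sg_sev")"
  done
  [ "$sg_rc" -eq 0 ] && echo "gate: pass" || echo "gate: FAIL (exit $sg_rc)"
  return $sg_rc
}
```

Call `scan_gate mysecureimage` as the last step after the image is built and before it is pushed. Upload the report file whatever the outcome; when the gate fails, the fix is almost always rebuilding on a newer base image or bumping one package, and the report tells you which.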

Hands-On Exercise

Enough theory—time for action. Your mission:

  1. Run a secure rootless container and verify it doesn’t have excessive privileges.
  2. Scan an image for vulnerabilities and fix any issues found.
  3. Implement security policies: Make your container read-only and drop unnecessary capabilities.
  4. Sign and verify an image to ensure integrity.

If you complete this, congratulations—you now know more about container security than the average DevOps engineer. Just don’t brag about it too much, or you’ll be stuck fixing everyone’s insecure deployments.


That’s a wrap! Go forth and secure your containers. If something breaks, remember: security is hard, but a data breach is harder. Cheers!