Hello, I want to use Silverblue and try not to overlay too much…

So to run Podman I let it generate (and modified) this Unit File and run it with systemctl --user rvice, and so far it works.

    # rvice
    Description=Podman rvice
    Documentation=man:podman-generate-systemd(1)
    -v /var/home/jonas/Bilder/Fotos:/var/syncthing/Fotos:Z \
    -v /var/home/jonas/.config/syncthing:/var/syncthing/config:Z \
    --label "io.containers.autoupdate=registry" \
    ExecStop=/usr/bin/podman stop --ignore --cidfile=%t/%n.ctr-id
    ExecStopPost=/usr/bin/podman rm -f --ignore --cidfile=%t/%n.ctr-id

Also, is there any Security risk by using --user keep-id?

The problem is without --network host there is no Local Discovery, and many of the Files are Big so I want that, but now I read you should not use network host because Security…

For me it's mainly about splitting the things up, so applications and services are separated from the System; the worst case for me would be to lower the security by this because of a higher attack surface with low separation in between. I like the idea that if someone gets into the syncthing container, he can't read any file that's not actively mounted to the container, and anything not mounted persistently just goes away by deleting the container.

PS: Currently I use the Unit File above and added the Local IPs of the other Devices manually…

So what worries me is when I read there are bugs in other services that allow permission escalation on the host if --network host is enabled.

I never liked the idea of running things that are open to the outside on my System, or as the PhotoPrism FAQ says:

"Running apps in a container with limited host access is an easy way to improve security without compromising performance and usability. This is a known risk that can affect you even if your computer is not directly connected to the Internet. Last but not least, virtually all file format parsers have vulnerabilities that just haven't been discovered yet."
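A least-privilege `podman run` argument builder for the Syncthing setup in this post, added here as an example (it is not code from the post, nor from Syncthing or Podman). It assumes the official docker.io/syncthing/syncthing image, which takes its GUI listen address from STGUIADDRESS and keeps its config under /var/syncthing/config, and it reuses the two bind mounts from the unit file; `host` mode keeps the post's --network host so local discovery still works while tightening everything else, `bridge` mode drops it and publishes only the sync port.

```shell
#!/bin/sh
# Added example, not from the post and not Syncthing's or Podman's own code.
# Assumes the official docker.io/syncthing/syncthing image (GUI address from
# STGUIADDRESS, config under /var/syncthing/config) and the post's bind mounts.

# Refuse a bind mount that hands the container "/" or the whole home directory,
# so "anything not actively mounted stays unreadable" actually holds.
check_volume() {
    src="${1%%:*}"                       # host path before the first ':'
    case "$src" in
        /|"$HOME") return 1 ;;
    esac
    case "$HOME/" in
        "$src"/*) return 1 ;;            # src is an ancestor of $HOME
    esac
    return 0
}

# $1 = host|bridge, remaining args = host:container[:opts] volume specs.
# host:   LAN discovery (UDP 21027 broadcasts) keeps working, but the container
#         shares the host network namespace, so capabilities are dropped, the
#         root filesystem is read-only and the GUI is pinned to loopback.
# bridge: only the sync port is published; discovery broadcasts do not cross
#         rootless port publishing, so peers are added by address (the PS).
syncthing_run_args() {
    mode="$1"; shift
    args="--name syncthing --userns=keep-id --cap-drop=ALL"
    args="$args --security-opt=no-new-privileges --read-only --tmpfs /tmp"
    args="$args --label io.containers.autoupdate=registry"
    case "$mode" in
        host)   args="$args --network host -e STGUIADDRESS=127.0.0.1:8384" ;;
        bridge) args="$args -p 22000:22000/tcp -p 22000:22000/udp"
                args="$args -p 127.0.0.1:8384:8384/tcp -e STGUIADDRESS=0.0.0.0:8384" ;;
        *)      echo "unknown network mode: $mode" >&2; return 1 ;;
    esac
    for vol in "$@"; do
        check_volume "$vol" || { echo "refusing broad mount: $vol" >&2; return 1; }
        args="$args -v $vol"
    done
    printf '%s\n' "$args docker.io/syncthing/syncthing"
}

# Usage (paths from the unit file in the post):
#   podman run -d $(syncthing_run_args host \
#       /var/home/jonas/.config/syncthing:/var/syncthing/config:Z \
#       /var/home/jonas/Bilder/Fotos:/var/syncthing/Fotos:Z)
```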