This just runs full circle back to the LXC project which Docker 'forked' without attribution in 2013. Runs unprivileged, runs daemonless, supports layers, advanced networking and, more important, a standard OS environment.

The whole community around containers is not about the technology or understanding how to use them efficiently but who is marketing it and how many layers of complexity and buzzwords can be added on top. A bash script to build containers thus becomes 'declarative' and running a copy of a container becomes 'immutable'.

A non-standard OS environment, single-process environments, the uncontrolled use of layers, ephemeral storage all add dubious layers of complexity to containers for questionable benefit and increase management overhead and fragility at the base of your stack. Now 5 years later it's back to LXC but 'reinvented' by Red Hat. So we get another round of hype to reveal the inadequacies that should have been known 5 years ago but throwing no more light on the core issues lest users get wind it's just the LXC project in new clothes.
The post links to "Podman - The next generation of Linux container tools" (https://developers.redhat.com/articles/podman-next-generation-linux-container-tools/), in which the author notes that Docker "requires anyone who wants to build a container image to have root access. That can create security risks".

I'm extrapolating that an advantage of Podman is that it should not require root permissions. But almost every call to podman in the article involves sudo. Can anyone clarify?
Does Buildah build images in a completely unprivileged environment? There are other tools like Kaniko which have a few gotchas: although they don't need a Docker daemon, they still need ROOT access, which does not make it truly secure.