Best practice: run rootless containers under separate user or the same I ssh into?

[szponciarz]

What's the best practice recommended by podman community - to create a separate system user for rootless podman containers and enable lingering for it or run containers on the same user I ssh into and perform administrative tasks using sudo?

[manimovassagh]

The recommended approach is to use a dedicated system user per service (or group of related services) rather than running containers under your personal login account. Here is the reasoning:

Separate service user

# Create a system user with no login shell
sudo useradd -r -m -s /usr/sbin/nologin podman-svc

# Enable lingering so systemd user services survive logout
sudo loginctl enable-linger podman-svc

Why this is better:

1. Security isolation -- if a container escape happens, the attacker lands in a locked-down service account with no sudo, no SSH keys, no shell history, no credentials from your admin sessions.

2. Lifecycle independence -- with lingering enabled, the user's systemd scope stays alive across reboots. Your containers start on boot and are not tied to an SSH session. If you run containers under your personal account, they die when you log out (unless you also enable lingering for yourself, which defeats the purpose of a separate user).

3. Resource accounting -- cgroups, journald logs, and audit trails are cleanly scoped to the service user. journalctl --user -M podman-svc@ gives you exactly that service's logs.

4. Multi-service separation -- if you run multiple unrelated workloads, each gets its own user, its own ~/.config/containers/, its own subuids, its own systemd scope. One misbehaving container cannot interact with another service's namespace.

Managing it from your admin account

You SSH in as yourself and use machinectl shell or sudo -u podman-svc to manage the service user's containers:

# Run a one-off command as the service user
sudo machinectl shell podman-svc@ /usr/bin/podman ps

# Or use sudo
sudo -u podman-svc XDG_RUNTIME_DIR=/run/user/$(id -u podman-svc) podman ps

For day-to-day operations, define Quadlet unit files under the service user's systemd directory (~podman-svc/.config/containers/systemd/) and manage them with systemctl --user -M podman-svc@.

When running under your own account is fine

For development, testing, or throwaway experiments on your local machine, running under your personal account is perfectly fine. The separate-user pattern is mainly for production or long-running services where security boundaries and boot-time startup matter.