Using socket-proxy with rootless Podman

[Albert-aka-Albot]

Rootless Podman already exposes its socket under the user’s own UID/GID:

$ systemctl --user start podman.socket
$ stat /var/run/user/1000/podman/podman.sock | grep Uid
Access: (0660/srw-rw----)  Uid: (1000/user)   Gid: (1000/user)

When running socket-proxy in this setup, the proxy socket ends up owned by 100999:100999:

services:
  socket-proxy:
    image: "docker.io/11notes/socket-proxy:2"
    container_name: socket-proxy
    read_only: true
    environment:
      TZ: "Europe/Zurich"
    volumes:
      - "/var/run/user/1000/podman/podman.sock:/run/docker.sock:ro" 
      - "./socket-proxy.run:/run/proxy"
    restart: "always"

$ podman compose up -d
$ stat ./socket-proxy.run/docker.sock | grep Uid
Access: (0755/srwxr-xr-x)  Uid: (100999/UNKNOWN)   Gid: (100999/UNKNOWN)

Even after adjusting the file ownership manually, socket-proxy resets it. So i added UID 1000 to group 100999 on host, because some of my podman containers run as 1000:1000, and i don't know how to force them to run as 100999:100999.

Questions:

• Is there still a security advantage to using socket-proxy on top of Podman's rootless mode?
• Is socket-proxy fully compatible with Podman, or could problems arise in the future?
• Is there a better way to give containers running as 1000:1000 access to the proxy socket?

[11notes]

Is there still a security advantage to using socket-proxy on top of Podman's rootless mode?

No.

Is socket-proxy fully compatible with Podman, or could problems arise in the future?

The socker-proxy is for Docker, not podman.

Is there a better way to give containers running as 1000:1000 access to the proxy socket?

Since you use Podman, simply use the same podman ID to expose the socket for each app under their own socket.