Add FAQ entry on rootful vs rootless and clarify where to apply overlay #123

Merged (1 commit), Feb 18, 2024
32 changes: 29 additions & 3 deletions README.md
@@ -179,6 +179,9 @@ easy installation.
imports = [ nix-snapshotter.homeModules.default ];

# (2) Add overlay.
#
# NOTE: If using NixOS & home-manager.useGlobalPkgs = true, then add
# the overlay at the NixOS level.
nixpkgs.overlays = [ nix-snapshotter.overlays.default ];

# (3) Enable service.
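Review bot: the NOTE tells readers to apply the overlay at the NixOS level when `home-manager.useGlobalPkgs = true`, but the snippet still shows only the Home Manager placement, so it is easy to leave `nixpkgs.overlays = [ nix-snapshotter.overlays.default ];` in the Home Manager module where the NOTE says it does not belong. Consider showing the NixOS-level counterpart beside it (the same `nixpkgs.overlays = [ nix-snapshotter.overlays.default ];` line in the NixOS configuration) and saying that the Home Manager line should then be dropped.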
@@ -217,6 +220,9 @@ easy installation.
];

# (2) Add overlay.
#
# NOTE: If using NixOS & home-manager.useGlobalPkgs = true, then add
# the overlay at the NixOS level.
nixpkgs.overlays = [ nix-snapshotter.overlays.default ];

# (3) Enable service.
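Review bot: this is a verbatim copy of the NOTE added in the first snippet; since both installation examples carry the same caveat, consider stating it once in the prose that introduces them (or keeping the comment in a single place) so the two copies cannot drift apart in later edits.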
@@ -407,7 +413,27 @@ limit. This means all the container content is either already in your Nix store
or fetched from your Nix binary cache.
</details>

2. What's the difference between this and [Nixery][nixery]?
2. When should I choose the rootful (normal) vs rootless mode?

<details>
<summary>Answer</summary>

If you are running a production server, it's best to use the rootful version
as rootless containers is still in its early stages in the container ecosystem.

However, if you are running it for personal use, do try the rootless variant
first. Although less mature, it is the more secure mode as the container
runtime runs as an unprivileged user. It can mitigate potential
container-breakout vulnerabilities, though its not a silver bullet.

Typically, rootless mode is more complex to setup. But since it's already
distributed as a NixOS / Home Manager module, it's simple as enabling the
service.

See https://rootlesscontaine.rs for more details.
</details>

3. What's the difference between this and [Nixery][nixery]?

<details>
<summary>Answer</summary>
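Review bot: a few grammar fixes in the new answer: "rootless containers is still in its early stages" should read "rootless containers are still in their early stages", "though its not a silver bullet" should be "though it's not a silver bullet", "more complex to setup" should be "more complex to set up", and "it's simple as enabling the service" should be "it's as simple as enabling the service". On substance the entry is sound: the security benefit comes from the container runtime running as an unprivileged user, which limits what a container breakout can reach on the host, and the text is right not to oversell it. Two small suggestions: say explicitly that "rootful (normal)" is the default the rest of the README configures, and write the https://rootlesscontaine.rs link in markdown link syntax like the other FAQ entries do ([nixery][nixery]).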
@@ -423,7 +449,7 @@ the progress.

</details>

3. What's the difference between this and a nix-in-docker?
4. What's the difference between this and a nix-in-docker?

<details>
<summary>Answer</summary>
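Review bot: the renumbering from 3 to 4 is consistent with the new entry inserted as item 2. Because the README numbers the FAQ entries by hand rather than relying on markdown auto-numbering, please double-check that nothing else in the document refers to these entries by number.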
@@ -439,7 +465,7 @@ the underlying packages from the same Nix store.

</details>

4. What's the difference between this and [nix2container][nix2container]?
5. What's the difference between this and [nix2container][nix2container]?

<details>
<summary>Answer</summary>