From what I have seen, rootless podman seems to take more effort (even if marginal) than rootful one. I want to make a more informed decision for the containers, so I would like to ask.
- What is a rootless podman good for? How much does it help in terms of security, and does it have other benefits?
- One of the benefits commonly mentioned is for when container is breached. Then, running container on sudo-capable user would give no security benefits. Does it mean I should run podman services on a non-privileged user?
Thank you!
One of the main advantage of podman is that, it respects the firewall rules. Docker don’t do that. Also having rootless podman means if somehow the container went rogue, it cannot have access to your root directory and perform malicious actions.
Also podman is a drop in replacement for docker. It does not need much configurations to setup. If you need compose, you might need to install podman-compose as well.
How would a rogue container be able to access the root directory of the host? Wouldn’t it just be able to access the data on the docker volumes? Thank you.
In an ideal world, sure, but all software has bugs (example vulnerabilities here). Proper security design doesn’t ask “how can X happen?” but “what if X happens?” If you break out of a docker container, you have root access to the system because the docker daemon runs as root.
With podman, there is no root docker daemon, so you’d also need privilege escalation in addition to breaking out of the container.
With root permission you can do chroot.Edit, I did some digging and found that its not the normal files that they can access but can modify kernel parameters and can mount devices and access their files etc. If you want to learn more check https://stackoverflow.com/questions/36425230/privileged-containers-and-capabilities
Can you provide the required arguments for chroot? I’ve just opened the bash shell of a running container (docker exec -it mycontainer bash) and tried to “break out” using “chroot /”. I can’t access any files of the host.
https://stackoverflow.com/questions/36425230/privileged-containers-and-capabilities
I always hear podman is a drop in replacement, but every time I try most of my stack doesn’t work. Permissions seem to be the issue most of the times, even when I create new volumes. I will try again in a few years probably, but I’m not holding my breath
Look into podman quadlets. Its containers as systemd services, and its excellent. They run as root by default, but can be run at a user level pretty easily. Ive had no permissions issues as long as you define the user/group in the config and ensure they habe the correct rights to the required folders.
It does take translation from docker compose files, but it’s entirely doable. Most of the environmental variables translate straight across.
You need to add
:Z
to the end of your volume lines, or lowercasez
for shared volumes.I’m running 50+ containers, probably most of the popular ones, and all working fine.
You made me try again, and I again failed. For example, Navidrome has this issue: https://github.com/navidrome/navidrome/issues/2967
It seems aside from :z i have to remap the user namespace, which I remember trying in the past too and getting mixed results (some worked, some still didn’t). I get this is not a podman issue (also affects rootless docker), but given the default behavior of docker is root, I am not having this issue.
The others didn’t seem to fail at creation, which is a good thing, but I recall some had issues interacting with each other (files created by one not being readable by another and such). Might try with some other navidrome image (or equivalent subsonic server) but unless it’s as easy as adding :z, I don’t think ill be able to continue Thanks in any case :)
Here’s my Navidrome config. This is running on uCore version of CoreOS, with rootless Podman. I made no configuration changes to Podman out-of-the-box, and this is the full compose file.
What are you running Podman on? Perhaps there is some config issue with the host, since you’re having issues with many containers?
services: navidrome: image: deluan/navidrome:latest container_name: navidrome ports: - "3015:4533" restart: unless-stopped environment: # Optional: put your config options customization here. Examples: volumes: - ./data:/data:Z - ./config.toml:/navidrome.toml:Z
I don’t necessarily agree with it, but there’s the third option of just disabling SELinux and removing the frustration entirely.