add first post
This commit is contained in:
parent
fffac06921
commit
b4f925b9fc
BIN
.jekyll-metadata
Binary file not shown.
|
@ -6,3 +6,4 @@ defaults:
|
|||
path: ""
|
||||
values:
|
||||
layout: "page"
|
||||
|
||||
|
|
|
@ -1,5 +1,9 @@
|
|||
- display: Privacy
|
||||
link: https://git.fl1tzi.com/data/data/src/fl1tzi.com-privacy.md
|
||||
- display: Home
|
||||
link: /
|
||||
|
||||
- display: Repo
|
||||
link: https://git.fl1tzi.com/Fl1tzi/fl1tzi.com
|
||||
|
||||
- display: Privacy
|
||||
link: https://git.fl1tzi.com/data/data/src/fl1tzi.com-privacy.md
|
||||
|
||||
|
|
|
@ -10,11 +10,19 @@
|
|||
</head>
|
||||
|
||||
<body>
|
||||
{% if page.notice %}
|
||||
<div class="notice">
|
||||
{{ page.notice }}
|
||||
</div>
|
||||
{% endif %}
|
||||
|
||||
<header>
|
||||
<h1>{{ page.title }}</h1>
|
||||
{% if page.date %}
|
||||
<span>{{ page.date | date: "%-d %B %Y" }}</span>
|
||||
{% endif %}
|
||||
</header>
|
||||
|
||||
|
||||
<section id="content">
|
||||
{{ content }}
|
||||
</section>
|
||||
|
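Review bot: `{{ page.notice }}` is written into the new `<div class="notice">` with no `escape` filter (the pre-existing `{{ page.title }}` in the header has the same shape), so whatever a post puts in its `notice:` front matter is emitted as raw HTML. With one author writing the front matter that is harmless, but the layout is the only place the value is rendered, so making it `{{ page.notice | escape }}` now is cheaper than remembering it when posts from other contributors (for example pull requests to the linked repo) start using the same layout.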
|
27
_posts/2023-10-03-podman-userns.md
Normal file
|
@ -0,0 +1,27 @@
|
|||
---
|
||||
lang: en-us
|
||||
notice: I'm not an expert and this is just a summary of the information I've found.
|
||||
title: How To Run Podman Containers Inside One User More Securely
|
||||
---
|
||||
|
||||
Previously, I ran containers as a single user with Podman mapping the UID in the container as root (without the `--userns` flag).
|
||||
|
||||
However, this means that when multiple containers are run with a single user, they share their permissions, which is less secure. This is because if one container is compromised, the whole user directory could be changed.
|
||||
|
||||
An alternative to this approach is the usage of `--userns=auto`. This uses a separate user namespace as the root in the container. So every container has a different user namespace and therefore only permission to change files in this namespace. This is especially helpful in production.
|
||||
|
||||
Another method is `userns=nomap`. As far as I understand, this maps all container root users to the first UID in the subuid range (available child namespaces). This means the containers don't have the same permission as my user but they all share another namespace.
|
||||
|
||||
So to quote [Daniel J Walsh](https://www.redhat.com/sysadmin/users/dan-walsh):
|
||||
> "You could also setup a Huge /etc/subuid range for a user and then run lots of containers for that user with --userns=auto ... Which is probably the most secure." [1]
|
||||
|
||||
---
|
||||
|
||||
Reference list
|
||||
|
||||
- <https://www.redhat.com/sysadmin/rootless-podman-user-namespace-modes>
|
||||
- <https://github.com/containers/podman/discussions/13728>
|
||||
- <https://github.com/containers/podman/discussions/11366>
|
||||
- <https://docs.podman.io/en/v4.4/markdown/options/userns.container.html>
|
||||
- [1] <https://github.com/containers/podman/discussions/13728#discussioncomment-2900471>
|
||||
- man: [user_namespaces](https://man7.org/linux/man-pages/man7/user_namespaces.7.html)
|
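Review bot: the `userns=nomap` paragraph ("this maps all container root users to the first UID in the subuid range ... they all share another namespace") mixes up the mapping with the namespace: every container still gets its own user namespace, but all nomap containers use the same mapping, so their root users are the same host UID and anything one of them writes to shared storage is readable and writable by the others. That is precisely the gap `--userns=auto` closes by giving each container a disjoint slice of the subuid range, and it is worth one sentence. Two things a reader of the `--userns=auto` paragraph will hit immediately should also be stated: the range in `/etc/subuid` has to be large enough to carve up (check with `grep "^$USER:" /etc/subuid`; the quoted Walsh advice about a "Huge" range is about exactly this), and host directories bind-mounted into an auto container are owned by the user's real UID, which is not mapped, so the container cannot write them unless the mount is chowned into the allocated range (the `:U` volume option). A concrete invocation would make the post far more useful: `podman run --rm --userns=auto alpine cat /proc/self/uid_map` prints the range Podman handed that container, and two containers running at the same time show disjoint ranges. Finally, the flag is spelled `userns=nomap` here but `--userns=auto` two paragraphs up; use `--userns=nomap` for consistency.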
75
_site/2023/10/03/podman-userns.html
Normal file
|
@ -0,0 +1,75 @@
|
|||
<!DOCTYPE html>
|
||||
|
||||
<html>
|
||||
<head>
|
||||
<title>How To Run Podman Containers Inside One User More Securely</title>
|
||||
<meta charset="UTF-8">
|
||||
<link rel="stylesheet" href="/assets/main.css">
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1.0">
|
||||
<meta name="author" content="Fl1tzi<root@fl1tzi.com>">
|
||||
</head>
|
||||
|
||||
<body>
|
||||
|
||||
<div class="notice">
|
||||
I'm not an expert and this is just a summary of the information I've found.
|
||||
</div>
|
||||
|
||||
|
||||
<header>
|
||||
<h1>How To Run Podman Containers Inside One User More Securely</h1>
|
||||
|
||||
<span>3 October 2023</span>
|
||||
|
||||
</header>
|
||||
|
||||
<section id="content">
|
||||
<p>Previously, I ran containers as a single user with Podman mapping the UID in the container as root (without the <code class="language-plaintext highlighter-rouge">--userns</code> flag).</p>
|
||||
|
||||
<p>However, this means that when multiple containers are run with a single user, they share their permissions, which is less secure. This is because if one container is compromised, the whole user directory could be changed.</p>
|
||||
|
||||
<p>An alternative to this approach is the usage of <code class="language-plaintext highlighter-rouge">--userns=auto</code>. This uses a separate user namespace as the root in the container. So every container has a different user namespace and therefore only permission to change files in this namespace. This is especially helpful in production.</p>
|
||||
|
||||
<p>Another method is <code class="language-plaintext highlighter-rouge">userns=nomap</code>. As far as I understand, this maps all container root users to the first UID in the subuid range (available child namespaces). This means the containers don’t have the same permission as my user but they all share another namespace.</p>
|
||||
|
||||
<p>So to quote <a href="https://www.redhat.com/sysadmin/users/dan-walsh">Daniel J Walsh</a>:</p>
|
||||
<blockquote>
|
||||
<p>“You could also setup a Huge /etc/subuid range for a user and then run lots of containers for that user with –userns=auto … Which is probably the most secure.” [1]</p>
|
||||
</blockquote>
|
||||
|
||||
<hr />
|
||||
|
||||
<p>Reference list</p>
|
||||
|
||||
<ul>
|
||||
<li><a href="https://www.redhat.com/sysadmin/rootless-podman-user-namespace-modes">https://www.redhat.com/sysadmin/rootless-podman-user-namespace-modes</a></li>
|
||||
<li><a href="https://github.com/containers/podman/discussions/13728">https://github.com/containers/podman/discussions/13728</a></li>
|
||||
<li><a href="https://github.com/containers/podman/discussions/11366">https://github.com/containers/podman/discussions/11366</a></li>
|
||||
<li><a href="https://docs.podman.io/en/v4.4/markdown/options/userns.container.html">https://docs.podman.io/en/v4.4/markdown/options/userns.container.html</a></li>
|
||||
<li>[1] <a href="https://github.com/containers/podman/discussions/13728#discussioncomment-2900471">https://github.com/containers/podman/discussions/13728#discussioncomment-2900471</a></li>
|
||||
<li>man: <a href="https://man7.org/linux/man-pages/man7/user_namespaces.7.html">user_namespaces</a></li>
|
||||
</ul>
|
||||
|
||||
</section>
|
||||
|
||||
<br/>
|
||||
<hr/>
|
||||
|
||||
<footer>
|
||||
<small>
|
||||
|
||||
<a href="/">Home</a>
|
||||
//
|
||||
|
||||
<a href="https://git.fl1tzi.com/Fl1tzi/fl1tzi.com">Repo</a>
|
||||
//
|
||||
|
||||
<a href="https://git.fl1tzi.com/data/data/src/fl1tzi.com-privacy.md">Privacy</a>
|
||||
//
|
||||
|
||||
All Rights Reserved.
|
||||
</small>
|
||||
</footer>
|
||||
</body>
|
||||
|
||||
</html>
|
|
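Review bot: this file is Jekyll build output (the `_site/` tree, together with the binary `.jekyll-metadata` at the top of the commit), so it is a second copy of the post that must be rebuilt and recommitted on every edit and will silently drift from `_posts/2023-10-03-podman-userns.md`. Unless the host really serves the committed tree, add `_site/` and `.jekyll-metadata` to `.gitignore` and let the deploy step run the build. Separately, the generated `<meta name="author" content="Fl1tzi<root@fl1tzi.com>">` publishes an e-mail address on every page; if that is intended, at least put a space before the `<` so the name and address do not run together.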
@ -10,11 +10,13 @@
|
|||
</head>
|
||||
|
||||
<body>
|
||||
|
||||
|
||||
<header>
|
||||
<h1>Applications</h1>
|
||||
|
||||
</header>
|
||||
|
||||
|
||||
<section id="content">
|
||||
<p>These are some applications which are hosted under this domain.</p>
|
||||
|
||||
|
@ -45,12 +47,15 @@
|
|||
<footer>
|
||||
<small>
|
||||
|
||||
<a href="https://git.fl1tzi.com/data/data/src/fl1tzi.com-privacy.md">Privacy</a>
|
||||
<a href="/">Home</a>
|
||||
//
|
||||
|
||||
<a href="https://git.fl1tzi.com/Fl1tzi/fl1tzi.com">Repo</a>
|
||||
//
|
||||
|
||||
<a href="https://git.fl1tzi.com/data/data/src/fl1tzi.com-privacy.md">Privacy</a>
|
||||
//
|
||||
|
||||
All Rights Reserved.
|
||||
</small>
|
||||
</footer>
|
||||
|
|
|
@ -4,12 +4,22 @@
|
|||
--light-color: rgba(0, 0, 0, 0.2);
|
||||
}
|
||||
|
||||
a {
|
||||
color: blue;
|
||||
text-decoration: underline;
|
||||
font-weight: 500;
|
||||
}
|
||||
|
||||
@media (prefers-color-scheme: dark) {
|
||||
:root {
|
||||
--background-color: #000;
|
||||
--text-color: #FFF;
|
||||
--light-color: rgba(255, 255, 255, 0.2);
|
||||
}
|
||||
|
||||
a {
|
||||
color: lightblue;
|
||||
}
|
||||
}
|
||||
|
||||
body {
|
||||
|
@ -28,14 +38,21 @@ body {
|
|||
}
|
||||
}
|
||||
|
||||
nav ul {
|
||||
padding-left: 0;
|
||||
header {
|
||||
margin-bottom: 20px;
|
||||
}
|
||||
|
||||
a {
|
||||
text-decoration: underline;
|
||||
font-weight: 700;
|
||||
color: var(--text-color);
|
||||
header h1 {
|
||||
margin-top: 5px;
|
||||
margin-bottom: 5px;
|
||||
}
|
||||
|
||||
header span {
|
||||
color: grey;
|
||||
}
|
||||
|
||||
nav ul {
|
||||
padding-left: 0;
|
||||
}
|
||||
|
||||
pre {
|
||||
|
@ -60,6 +77,11 @@ code {
|
|||
background-color: var(--light-color);
|
||||
}
|
||||
|
||||
blockquote {
|
||||
font-family: serif;
|
||||
font-style: italic;
|
||||
}
|
||||
|
||||
/* Show bigger links on touchscreens (hopefully) */
|
||||
@media (pointer:none), (pointer:coarse) {
|
||||
a {
|
||||
|
@ -70,3 +92,17 @@ code {
|
|||
margin-top: 15px;
|
||||
}
|
||||
}
|
||||
|
||||
div.notice {
|
||||
padding: 5px;
|
||||
padding-bottom: 15px;
|
||||
/* background-color: rgba(254, 95, 85, 200);*/
|
||||
background: var(--light-color);
|
||||
background: linear-gradient(180deg, var(--light-color) 25%, var(--background-color) 100%);
|
||||
}
|
||||
|
||||
div.notice:before {
|
||||
display: block;
|
||||
content:"NOTE";
|
||||
font-weight: 700;
|
||||
}
|
||||
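Review bot: the commented-out `/* background-color: rgba(254, 95, 85, 200);*/` in `div.notice` is dead code, and the value would not have done what was intended anyway: the alpha channel of `rgba()` is 0 to 1 (or a percentage), so 200 is clamped to fully opaque. Delete the comment, or if a red warning background is still wanted use something like `rgba(254, 95, 85, 0.8)`. The two `background:` declarations that follow are fine as a plain-colour fallback ahead of the gradient.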
|
|
|
@ -10,11 +10,13 @@
|
|||
</head>
|
||||
|
||||
<body>
|
||||
|
||||
|
||||
<header>
|
||||
<h1>Contact</h1>
|
||||
|
||||
</header>
|
||||
|
||||
|
||||
<section id="content">
|
||||
<ul>
|
||||
<li><a href="mailto:kontakt@fl1tzi.com">E-Mail</a></li>
|
||||
|
@ -31,12 +33,15 @@
|
|||
<footer>
|
||||
<small>
|
||||
|
||||
<a href="https://git.fl1tzi.com/data/data/src/fl1tzi.com-privacy.md">Privacy</a>
|
||||
<a href="/">Home</a>
|
||||
//
|
||||
|
||||
<a href="https://git.fl1tzi.com/Fl1tzi/fl1tzi.com">Repo</a>
|
||||
//
|
||||
|
||||
<a href="https://git.fl1tzi.com/data/data/src/fl1tzi.com-privacy.md">Privacy</a>
|
||||
//
|
||||
|
||||
All Rights Reserved.
|
||||
</small>
|
||||
</footer>
|
||||
|
|
|
@ -10,11 +10,13 @@
|
|||
</head>
|
||||
|
||||
<body>
|
||||
|
||||
|
||||
<header>
|
||||
<h1>Homepage</h1>
|
||||
|
||||
</header>
|
||||
|
||||
|
||||
<section id="content">
|
||||
<p>Hi, I’m Fl1tzi.
|
||||
I do stuff on the internet and photograph things.</p>
|
||||
|
@ -25,6 +27,17 @@ I do stuff on the internet and photograph things.</p>
|
|||
<li><a href="/applications.html">Applications</a></li>
|
||||
</ul>
|
||||
|
||||
<h2 id="posts">Posts</h2>
|
||||
|
||||
<ul>
|
||||
|
||||
<li>
|
||||
<a href="/2023/10/03/podman-userns.html">How To Run Podman Containers Inside One User More Securely</a>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
</section>
|
||||
|
||||
<br/>
|
||||
|
@ -33,12 +46,15 @@ I do stuff on the internet and photograph things.</p>
|
|||
<footer>
|
||||
<small>
|
||||
|
||||
<a href="https://git.fl1tzi.com/data/data/src/fl1tzi.com-privacy.md">Privacy</a>
|
||||
<a href="/">Home</a>
|
||||
//
|
||||
|
||||
<a href="https://git.fl1tzi.com/Fl1tzi/fl1tzi.com">Repo</a>
|
||||
//
|
||||
|
||||
<a href="https://git.fl1tzi.com/data/data/src/fl1tzi.com-privacy.md">Privacy</a>
|
||||
//
|
||||
|
||||
All Rights Reserved.
|
||||
</small>
|
||||
</footer>
|
||||
|
|
|
@ -4,12 +4,22 @@
|
|||
--light-color: rgba(0, 0, 0, 0.2);
|
||||
}
|
||||
|
||||
a {
|
||||
color: blue;
|
||||
text-decoration: underline;
|
||||
font-weight: 500;
|
||||
}
|
||||
|
||||
@media (prefers-color-scheme: dark) {
|
||||
:root {
|
||||
--background-color: #000;
|
||||
--text-color: #FFF;
|
||||
--light-color: rgba(255, 255, 255, 0.2);
|
||||
}
|
||||
|
||||
a {
|
||||
color: lightblue;
|
||||
}
|
||||
}
|
||||
|
||||
body {
|
||||
|
@ -28,14 +38,21 @@ body {
|
|||
}
|
||||
}
|
||||
|
||||
nav ul {
|
||||
padding-left: 0;
|
||||
header {
|
||||
margin-bottom: 20px;
|
||||
}
|
||||
|
||||
a {
|
||||
text-decoration: underline;
|
||||
font-weight: 700;
|
||||
color: var(--text-color);
|
||||
header h1 {
|
||||
margin-top: 5px;
|
||||
margin-bottom: 5px;
|
||||
}
|
||||
|
||||
header span {
|
||||
color: grey;
|
||||
}
|
||||
|
||||
nav ul {
|
||||
padding-left: 0;
|
||||
}
|
||||
|
||||
pre {
|
||||
|
@ -60,6 +77,11 @@ code {
|
|||
background-color: var(--light-color);
|
||||
}
|
||||
|
||||
blockquote {
|
||||
font-family: serif;
|
||||
font-style: italic;
|
||||
}
|
||||
|
||||
/* Show bigger links on touchscreens (hopefully) */
|
||||
@media (pointer:none), (pointer:coarse) {
|
||||
a {
|
||||
|
@ -70,3 +92,17 @@ code {
|
|||
margin-top: 15px;
|
||||
}
|
||||
}
|
||||
|
||||
div.notice {
|
||||
padding: 5px;
|
||||
padding-bottom: 15px;
|
||||
/* background-color: rgba(254, 95, 85, 200);*/
|
||||
background: var(--light-color);
|
||||
background: linear-gradient(180deg, var(--light-color) 25%, var(--background-color) 100%);
|
||||
}
|
||||
|
||||
div.notice:before {
|
||||
display: block;
|
||||
content:"NOTE";
|
||||
font-weight: 700;
|
||||
}
|
||||
|
|
12
index.md
|
@ -8,3 +8,15 @@ I do stuff on the internet and photograph things.
|
|||
- [Contact](/contact.html)
|
||||
- [Photography](https://portfolio.pixelfed.de/Fl1tzi)
|
||||
- [Applications](/applications.html)
|
||||
|
||||
## Posts
|
||||
|
||||
<ul>
|
||||
{% for post in site.posts %}
|
||||
<li>
|
||||
<a href="{{ post.url }}">{{ post.title }}</a>
|
||||
</li>
|
||||
{% endfor %}
|
||||
</ul>
|
||||
|
||||
|
||||
|
|