Fl1tzi/fl1tzi.com
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity
fl1tzi.com/_site/2023/10/03/podman-userns.html
Fl1tzi e01dc8e8fc
little correction
2023-10-03 18:49:09 +02:00

76 lines
3.3 KiB
HTML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!DOCTYPE html>
<html>
<head>
<title>How To Run Podman Containers Inside One User More Securely</title>
<meta charset="UTF-8">
<link rel="stylesheet" href="/assets/main.css">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="author" content="Fl1tzi<root@fl1tzi.com>">
</head>
<body>
<div class="notice">
I'm not an expert and this is just a summary of the information I've found.
</div>
<header>
<h1>How To Run Podman Containers Inside One User More Securely</h1>
<span>3 October 2023</span>
</header>
<section id="content">
<p>Previously, I ran containers as a single user with Podman mapping the UID in the container as root (without the <code class="language-plaintext highlighter-rouge">--userns</code> flag).</p>
<p>However, this means that when multiple containers are run with a single user, they share their permissions, which is less secure. This is because if one container is compromised, the harm done to the system could eventually be bigger.</p>
<p>An alternative to this approach is the usage of <code class="language-plaintext highlighter-rouge">--userns=auto</code>. This uses a separate user namespace as the root in the container. So every container has a different user namespace and therefore only permission to change files in this namespace. This is especially helpful in production.</p>
<p>Another method is <code class="language-plaintext highlighter-rouge">userns=nomap</code>. As far as I understand, this maps all container root users to the first UID in the subuid range (available child namespaces). This means the containers dont have the same permission as my user but they all share another namespace.</p>
<p>So to quote <a href="https://www.redhat.com/sysadmin/users/dan-walsh">Daniel J Walsh</a>:</p>
<blockquote>
<p>“You could also setup a Huge /etc/subuid range for a user and then run lots of containers for that user with userns=auto … Which is probably the most secure.” [1]</p>
</blockquote>
<hr />
<p>Reference list</p>
<ul>
<li><a href="https://www.redhat.com/sysadmin/rootless-podman-user-namespace-modes">https://www.redhat.com/sysadmin/rootless-podman-user-namespace-modes</a></li>
<li><a href="https://github.com/containers/podman/discussions/13728">https://github.com/containers/podman/discussions/13728</a></li>
<li><a href="https://github.com/containers/podman/discussions/11366">https://github.com/containers/podman/discussions/11366</a></li>
<li><a href="https://docs.podman.io/en/v4.4/markdown/options/userns.container.html">https://docs.podman.io/en/v4.4/markdown/options/userns.container.html</a></li>
<li>[1] <a href="https://github.com/containers/podman/discussions/13728#discussioncomment-2900471">https://github.com/containers/podman/discussions/13728#discussioncomment-2900471</a></li>
<li>man: <a href="https://man7.org/linux/man-pages/man7/user_namespaces.7.html">user_namespaces</a></li>
</ul>
</section>
<br/>
<hr/>
<footer>
<small>
<a href="/">Home</a>
//
<a href="https://git.fl1tzi.com/Fl1tzi/fl1tzi.com">Repo</a>
//
<a href="https://git.fl1tzi.com/data/data/src/fl1tzi.com-privacy.md">Privacy</a>
//
All Rights Reserved.
</small>
</footer>
</body>
</html>
Reference in a new issue View git blame Copy permalink