Rootful networking with rootless podman containers - DevConf.CZ 2023

DevConf
Speaker(s): Clemens Lang

Podman can use unprivileged user namespaces to allow non-root users to start containers. This means root inside the container is no longer also root outside the container. Less root is better, so we should clearly all be running our containers rootless, right?

Unfortunately, networking for rootless containers has a few downsides (that differ depending on which implementation you use). Can we not start our containers as rootless to make sure our processes don't have privileges, yet still use normal, rootful networking?

Turns out we can! This is the story of how I chased a possibility mentioned on the last slide of a 2021 presentation and a post on the podman list to use rootful networking with rootless podman containers.

Warning: you might learn more than you want on how network namespaces work.

https://sched.co/1MYkl
Published 12 months ago, on 1402/04/21.
3,689 views