A Global Marketplace connecting Engineers and Businesses
by kaitlyn.kristy9494@gmail.com
A Cisco Certified Network Professional executes and configures EIGRP-based solutions. Certified professionals must develop multi-area OSPF networks and configure OSPF routing as well. It is further the responsibility of Certified Professionals to develop eBGP-based solutions and perform routing configuration.
Professionals must know how to set up an IPv6-based solution, and they must record all the results of their implementation. Certified Professionals are responsible for IPv4 and IPv6 redistribution solutions as well. They further must design and develop Layer 3 Path Control Solutions and broadband connections. Certified professionals must also have a strong understanding of what resources are required, and they must implement VLAN-based solutions.
Read More: https://www.fieldengineer.com/skills/cisco-certified-network-professional
5 years
Site & Process Automation Engineer
by ashaikfe@gmail.com
A Site and Process Automation Engineer is somebody who helps organizations automate their production processes. The role of a Site and Process Automation Engineer includes installing, testing, troubleshooting, and maintaining automation systems.
Many firms in the IT and telecom sector need people with the skills to help them automate repetitive tasks or tasks that require a high level of precision. Site and process automation engineers focus on reducing the labor required to perform operational activities in these industries, helping firms to cut costs.
Read More: https://www.fieldengineer.com/skills/site-process-automation-engineer-eri...
5 years
feasible to upgrade podman on CentOS 8 to current version?
by Robert P. J. Day
i just upgraded a CentOS box to CentOS 8, and i can see that the
version of podman is (unsurprisingly) a bit dated:
$ podman --version
podman version 1.0.2-dev
compared to my fedora 30 system:
$ podman --version
podman version 1.6.1
is it feasible to try to download and build from source to get the
latest version on my CentOS system, or would that just be more trouble
than it's worth?
rday
--
========================================================================
Robert P. J. Day Ottawa, Ontario, CANADA
http://crashcourse.ca
Twitter: http://twitter.com/rpjday
LinkedIn: http://ca.linkedin.com/in/rpjday
========================================================================
5 years
Firewalling services provided by containers
by Alexander E. Patrakov
Hello.
I have tried Podman in Fedora 31. Not a rootless setup.
Software versions:
podman-1.6.2-2.fc31.x86_64
containernetworking-plugins-0.8.2-2.1.dev.git485be65.fc31.x86_64
IP and netmask of the Fedora machine in my network: 192.168.5.130/24.
Podman creates, on the start of the first container, its default
cni-podman0 bridge with IP and netmask 10.88.0.1/16.
I wanted to play through a situation when we are migrating from a
service (let's say, 9999/tcp) formerly provided by some software
installed directly on the host to the same service provided by the
same software, but in a podman container. And this software needs to
be firewalled: there is a whitelist of IP addresses (let's say
192.158.5.30 and 192.168.5.44) that have the privilege to talk to
192.168.5.130:9999.
With the old, non-containerized setup, implementing this kind of
whitelist is trivial. Add a new firewalld zone, add the necessary ports
and whitelisted client IPs to it, set the target to REJECT or DROP,
done. However, once I switch to a containerized service, the firewall
becomes ineffective, because the packets hit the FORWARD chain, not
INPUT. I could not find a good solution that works in terms of the
exposed port (i.e. 9999, even if inside the container a different port
is used). I could either add iptables rules (yuck... firewalld exists
for a reason) to "raw" or "mangle" tables (but then I cannot reject),
or do something in the "filter" table with "-p tcp -m tcp -m conntrack
--ctorigdstport 9999" (that's better).
I think that firewalld could see some improvement here. In order to
apply a whitelist of hosts that can connect, I should not need to care
whether the service is provided by something running on the host, or
by a container.
OK, another crazy idea: is it possible to use slirp4netns instead of
the default bridge for root-owned containers, just to avoid these
INPUT-vs-FORWARD firewall troubles?
--
Alexander E. Patrakov
5 years
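The two firewall positions the post contrasts, as an added example that is not part of the original post and not code from podman or firewalld: a small Python script that emits the iptables rules for the same client whitelist in both layouts, the host-bound service (INPUT, plain --dport) and the containerized one (FORWARD, where the packet has already been DNATed, so the match is on conntrack's original destination port). It goes slightly beyond the post by also simulating the resulting chain order. The port and addresses are the post's; the client list is constructed; iptables on PATH is assumed only when apply=True is requested.

```python
"""Whitelisting a published service port when the service moves from the
host into a podman container.

Added example; not code from the original post, podman or firewalld.
Port and addresses come from the post, the client list is constructed,
and `iptables` on PATH is assumed only when apply=True.
"""
import shlex
import subprocess
from typing import Iterable, List

Rule = List[str]  # iptables arguments, without the binary name


def whitelist_rules(port: int, allowed: Iterable[str], containerized: bool) -> List[Rule]:
    """Rules, in the order they must be applied, that let `allowed` open new
    connections to `port` and reject every other client.

    Host service: packets are delivered locally and traverse INPUT, so the
                  destination port is still `port` and --dport works.
    Container:    podman publishes the port with DNAT, so by the time the
                  packet reaches FORWARD its destination is the container
                  address and the container's own port. conntrack's
                  --ctorigdstport matches the destination port of the
                  connection as first seen, i.e. the published port, so the
                  rule stays written in terms of 9999 whatever the container
                  listens on.
    """
    if containerized:
        chain = "FORWARD"
        match = ["-m", "conntrack", "--ctproto", "tcp",
                 "--ctorigdstport", str(port), "--ctstate", "NEW"]
    else:
        chain = "INPUT"
        match = ["-m", "tcp", "--dport", str(port),
                 "-m", "conntrack", "--ctstate", "NEW"]
    base = ["-p", "tcp"] + match
    rules: List[Rule] = []
    # Everything is inserted at position 1 so the whitelist lands ahead of
    # any blanket ACCEPT that the CNI firewall plugin or firewalld already put
    # in the chain. Inserting the REJECT first and the ACCEPTs afterwards
    # leaves the ACCEPTs above the REJECT in the final chain.
    rules.append(["-I", chain, "1"] + base
                 + ["-j", "REJECT", "--reject-with", "tcp-reset"])
    for client in allowed:
        rules.append(["-I", chain, "1", "-s", client] + base + ["-j", "ACCEPT"])
    return rules


def final_chain_order(rules: List[Rule]) -> List[str]:
    """Simulate `-I <chain> 1` for each rule and return the resulting
    top-of-chain targets; every later insert pushes earlier rules down."""
    chain: List[str] = []
    for r in rules:
        chain.insert(0, r[r.index("-j") + 1])
    return chain


def render(rules: List[Rule], binary: str = "iptables") -> List[str]:
    """Shell-quoted command lines, one per rule."""
    return [shlex.join([binary] + r) for r in rules]


def apply_rules(rules: List[Rule], apply: bool = False) -> List[str]:
    """Print the commands; run them only when apply=True (needs root)."""
    cmds = render(rules)
    for r, cmd in zip(rules, cmds):
        print(cmd)
        if apply:
            subprocess.run(["iptables"] + r, check=True)
    return cmds


if __name__ == "__main__":
    clients = ["192.168.5.30", "192.168.5.44"]  # constructed whitelist
    print("# service bound on the host (INPUT):")
    apply_rules(whitelist_rules(9999, clients, containerized=False))
    print("# same service published from a container (FORWARD):")
    apply_rules(whitelist_rules(9999, clients, containerized=True))
```

With firewalld the same argument strings, minus the `-I <chain> 1` prefix, go behind `firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD <priority>`, giving the ACCEPT rules a lower priority number than the REJECT. Either way, check `iptables -L FORWARD -n --line-numbers` afterwards: the CNI firewall plugin from the containernetworking-plugins package in the post adds its own ACCEPT rules for container traffic to FORWARD, and the whitelist only works if it is evaluated before those.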
Trying to run podman within a locked down podman.
by Daniel Walsh
# cat ~/Dockerfile.podman
FROM podman/stable
RUN useradd podman
# podman run -ti --security-opt seccomp=/tmp/seccomp.json --user podman \
    --rm podman podman unshare cat /etc/subuid
ERRO[0000] unable to write system event: "write unixgram @000ea->/run/systemd/journal/socket: sendmsg: no such file or directory"
podman:100000:65536
# podman run -ti --security-opt seccomp=unconfined --user podman --rm \
    podman podman unshare cat /proc/self/uid_map
ERRO[0000] unable to write system event: "write unixgram @000df->/run/systemd/journal/socket: sendmsg: no such file or directory"
0 1000 1
# podman run -ti --security-opt seccomp=/tmp/seccomp.json --user podman \
    --rm podman podman unshare cat /proc/self/uid_map
ERRO[0000] unable to write system event: "write unixgram @000e6->/run/systemd/journal/socket: sendmsg: no such file or directory"
0 1000 1
Running with debug shows
DEBU[0000] error from newuidmap: newuidmap: write to uid_map failed: Operation not permitted
WARN[0000] using rootless single mapping into the namespace. This might break some images. Check /etc/subuid and /etc/subgid for adding subids
User namespaces do not seem to work unless I add the "clone" syscall, and SETUID and SETGID.
# podman run -ti --cap-add SETUID,SETGID --security-opt seccomp=/tmp/seccomp.json \
    --user podman --rm podman podman unshare cat /proc/self/uid_map
ERRO[0000] unable to write system event: "write unixgram @00103->/run/systemd/journal/socket: sendmsg: no such file or directory"
0 1000 1
1 100000 65536
Need these SELinux rules:
```
allow container_t nsfs_t:file read;
allow container_t proc_t:filesystem mount;
allow container_t tmpfs_t:filesystem { mount unmount };
```
I am getting close with this:
diff /usr/share/containers/seccomp.json /tmp/seccomp.json
367c367,370
< "unshare"
---
> "unshare",
> "clone",
> "keyctl",
> "pivot_root"
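Review bot: the hunk carries a single context line, so it is not visible whether `clone`, `keyctl` and `pivot_root` join the same block that `"unshare"` closes or an unconditional allowlist; regenerate the diff with context (`diff -u`) before sharing it. If the profile's existing `clone` entry restricts the call by its flags argument (the usual shape for that syscall), adding `clone` by bare name in an entry that applies under the same conditions makes the narrower entry dead, so confirm the two do not overlap. The text attributes only `clone` (plus SETUID/SETGID) to the user-namespace failure; state what `keyctl` and `pivot_root` are needed for so the additions stay justified.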
# podman run -ti --privileged --cap-add SETUID,SETGID --security-opt seccomp=/tmp/seccomp.json \
    --user podman --rm podman podman run --net=host --cgroup-manager cgroupfs alpine echo hello
ERRO[0000] unable to write system event: "write unixgram @0016a->/run/systemd/journal/socket: sendmsg: no such file or directory"
Trying to pull docker.io/library/alpine...
Getting image source signatures
Copying blob 89d9c30c1d48 done
Copying config 965ea09ff2 done
Writing manifest to image destination
Storing signatures
ERRO[0004] unable to write pod event: "write unixgram @0016a->/run/systemd/journal/socket: sendmsg: no such file or directory"
Error: cannot configure rootless cgroup using the cgroupfs manager
executable file not found in $PATH: No such file or directory: OCI
runtime command not found error
5 years
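How the seccomp.json edit in the post can be made without hand-editing the allowlist, as an added example that is not part of the original post and not code from podman: a Python script that puts syscall names into the ALLOW entry gated on a given capability (the OCI seccomp JSON shape with defaultAction and a list of entries carrying names/action/args/includes/excludes) and then lints for one specific mistake, a bare syscall name that makes an argument-filtered entry for the same syscall dead. SAMPLE_PROFILE is a constructed miniature; whether the real /usr/share/containers/seccomp.json shapes its clone entry the way the sample does is an assumption to verify against your copy.

```python
"""Add syscalls to an OCI/podman seccomp profile while keeping the profile's
capability gating, then lint the result.

Added example; not code from the original post or from podman. The OCI
seccomp JSON shape is real; SAMPLE_PROFILE is a constructed miniature and
its clone entry is an assumption to check against the real profile.
"""
import copy
import json
import sys
from typing import Any, Dict, List, Set, Tuple

Profile = Dict[str, Any]
Entry = Dict[str, Any]

SAMPLE_PROFILE: Profile = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write", "openat"], "action": "SCMP_ACT_ALLOW",
         "args": [], "includes": {}, "excludes": {}},
        # clone only with the namespace flag bits masked off, except when the
        # container holds CAP_SYS_ADMIN (then a gated entry takes over)
        {"names": ["clone"], "action": "SCMP_ACT_ALLOW",
         "args": [{"index": 0, "value": 2114060288, "valueTwo": 0,
                   "op": "SCMP_CMP_MASKED_EQ"}],
         "includes": {}, "excludes": {"caps": ["CAP_SYS_ADMIN"]}},
        {"names": ["mount", "setns", "unshare"], "action": "SCMP_ACT_ALLOW",
         "args": [], "includes": {"caps": ["CAP_SYS_ADMIN"]}, "excludes": {}},
    ],
}


def _caps(entry: Entry, key: str) -> List[str]:
    return sorted(entry.get(key, {}).get("caps", []))


def unconditional_allows(profile: Profile) -> Set[str]:
    """Names allowed with no argument filter and no include/exclude gating."""
    out: Set[str] = set()
    for e in profile["syscalls"]:
        if (e["action"] == "SCMP_ACT_ALLOW" and not e.get("args")
                and not e.get("includes") and not e.get("excludes")):
            out.update(e["names"])
    return out


def add_syscalls(profile: Profile, names: List[str], caps: List[str]) -> Tuple[Profile, List[str]]:
    """Return (new profile, names added). Names go, unfiltered, into the ALLOW
    entry gated on exactly `caps` (no excludes); the entry is created if the
    profile has none. Names already allowed unconditionally, or already in the
    target entry, are skipped so the resulting diff stays minimal."""
    out = copy.deepcopy(profile)
    target = next((e for e in out["syscalls"]
                   if e["action"] == "SCMP_ACT_ALLOW" and not e.get("args")
                   and _caps(e, "includes") == sorted(caps)
                   and not e.get("excludes")), None)
    if target is None:
        target = {"names": [], "action": "SCMP_ACT_ALLOW", "args": [],
                  "includes": {"caps": list(caps)} if caps else {}, "excludes": {}}
        out["syscalls"].append(target)
    always = unconditional_allows(out)
    added = [n for n in names if n not in always and n not in target["names"]]
    target["names"].extend(added)
    return out, added


def dead_filters(profile: Profile) -> List[str]:
    """Syscalls that carry an argument-filtered ALLOW entry but are also
    allowed unconditionally by bare name: the filter can never narrow
    anything, which is the mistake to avoid when adding `clone`."""
    always = unconditional_allows(profile)
    dead: List[str] = []
    for e in profile["syscalls"]:
        if e["action"] == "SCMP_ACT_ALLOW" and e.get("args"):
            dead.extend(n for n in e["names"] if n in always and n not in dead)
    return sorted(dead)


def main(argv: List[str]) -> int:
    # usage: script.py in.json out.json CAP_SYS_ADMIN|- name [name ...]
    # ('-' puts the names into the unconditional entry)
    if len(argv) < 5:
        print(__doc__)
        return 2
    with open(argv[1]) as f:
        profile = json.load(f)
    caps = [] if argv[3] == "-" else [argv[3]]
    new, added = add_syscalls(profile, argv[4:], caps)
    print("added:", added or "nothing")
    for n in dead_filters(new):
        print(f"warning: {n} is allowed by bare name and by an argument filter; the filter is dead")
    with open(argv[2], "w") as f:
        json.dump(new, f, indent=2)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `script.py /usr/share/containers/seccomp.json /tmp/seccomp.json CAP_SYS_ADMIN clone keyctl pivot_root` to reproduce the post's change under the CAP_SYS_ADMIN gate; the warning fires if the names were instead dropped into the unconditional list, which is what a hand edit in the wrong block would silently do.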