October 2021 - Podman - Podman List Archives

Podman Community Meeting October 2021 Recording

by Tom Sweeney

HI All, The recording from today's Podman Community Meeting is now available at: https://bluejeans.com/s/X3NY6qgSlKQ. I'll try to get the meeting notes together and posted by early next week. t

3 years, 1 month

1
0
0 / 0

syscalls: native or translated

by Tobias Wendorff

Hi there, I just had a talk with some LXC nerds. Their opinion is that unprivileged LXC is more secure than Docker and similar solutions. These would translate the syscalls to userspace, to not have a direct interface to the kernel. In LXC, the syscalls themselves would have built-in namespace awareness in the kernel itself, but without a translation layer. How does this statement relate to the security of a container running in rootless Podman in a normal user? Could the "translation layer" introduce trouble? Best regards, Tobias

3 years, 1 month

4
6
0 / 0

Nagios check_icmp error in rootless container

by Michael Ivanov

Hallo again! I'm trying to run /usr/lib64/nagios/plugins/check_icmp in rootless container and I get the following error: check_icmp: Failed to obtain ICMP socket: Operation not permitted check_icmp permissions are as following: -rwsr-x--- 1 root nagios 75800 Apr 2 2021 /usr/lib64/nagios/plugins/check_icmp I am running it as root (container's root of course) ping localhost and /usr/lib64/nagios/plugins/check_ping -H localhost work without problems. /bin/ping is *not* suid, but has caps cap_net_admin,cap_net_raw+p set. /usr/lib64/nagios/plugins/check_icmp is setuid root and had no capabilities set. Ok, I remived suid bit from it and set same caps as for ping: -rwxr-x--- 1 root nagios 75800 Apr 2 2021 /usr/lib64/nagios/plugins/check_icmp /usr/lib64/nagios/plugins/check_icmp = cap_net_admin,cap_net_raw+p When I run it I still get same error. In which direction to dig? Best regards, -- \ / | | (OvO) | Михаил Иванов | (^^^) | | \^/ | E-mail: ivans(a)isle.spb.ru | ^ ^ | |

3 years, 1 month

1
0
0 / 0

Podman Community Meeting Tommorow at this tme!

by Tom Sweeney

Hi All! The Podman Community Meeting is in 24 hours! https://podman.io/community/meeting/agenda/ Hope to see you there, free to attend, and link to the video conference there on the agenda. t

3 years, 1 month

1
0
0 / 0

client address in rootless container

by Michael Ivanov

Greetings! I have observer a strange networking issue when running a service in rootless container. When connecting to this service from outside client ip address is reported by the accept() is local container address (the one from tap0 interface inside a container). Is this expected? Best regards, -- \ / | | (OvO) | Михаил Иванов | (^^^) | | \^/ | E-mail: ivans(a)isle.spb.ru | ^ ^ | |

3 years, 1 month

1
0
0 / 0

2024

2023

2022

2021

2020

2019

Podman October 2021