can podman rootless support qemu-user-static for other arch?
by Larry Cai
Hi:
I have a use case to run an ARM based container inside podman on an x86
platform.
see https://github.com/multiarch/qemu-user-static
It works for me using rootful podman env
```
[root@podman-priv /]# podman run --rm --privileged
multiarch/qemu-user-static --reset -p yes[root@podman-priv /]# podman
run --rm -t arm32v6/alpine uname -marmv7l[root@podman-priv /]# podman
run --rm -t arm64v8/fedora uname -maarch64
```
but when I try this in rootless environment (i am not good at
technical …
[View More]detail in low level)
```
$ podman run --rm --privileged docker.io/multiarch/qemu-user-static
--reset -p yes
mount: permission denied (are you root?)
mount: permission denied (are you root?)
```
so my questions:
1. is it possible to enable this for rootless env? if not, can I use
sudo command to run it once
2. is it done in system level or needs to be done for each user if it
is the common env
Rgs, larry
[View Less]
1 year, 2 months
Is Network=host actually insecure with rootless Podman?
by jklaiho@iki.fi
I've run into highly mysterious and randomly occurring issues with both container-to-host and container-to-LAN PostgreSQL connections. It makes me suspect something is awry with either Podman or Pasta networking, because running the same service (a Django gunicorn process) bare metal under Supervisor using host-to-host or host-to-LAN PostgreSQL connections doesn't exhibit this issue.
This post is not about that, though. To isolate what part of the system is causing the issue, I need to set up …
[View More]a separate test server where I'll try moving away from Pasta networking into host networking instead to verify that everything still works, and if it does, move our servers facing the connection issues to use host networking.
I've read Erik Sjölund's excellent writeup at https://github.com/eriksjolund/podman-networking-docs and the Medium post it linked to claiming that host networking is insecure, at https://medium.com/nttlabs/dont-use-host-network-namespace-f548aeeef575. It deals with Docker and rootful containers, so immediately I'm thinking that the applicability to rootless Podman is limited or nonexistent.
We use iptables and only expose SSH and nginx to the outside world. Any applications we run in Pasta-networked rootless containers get reverse proxied with nginx. We only run the actual applications in containers; things like PostgreSQL, nginx and Redis are all host services. Pasta has been a boon to us by conveniently exposing ports bidirectionally between container and host and preserving request IPs.
The basic question is: is host networking in rootless Podman any less secure than just running the same services uncontainerized, directly on the host OS, as a non-root user? Even if we exposed a rootless containerized service port directly to the outside world without reverse proxying, I don't see how this would be any riskier with host networking than it would be with bare metal. If the risk profile is the same or very nearly the same as that, I consider that sufficient.
[View Less]
1 year, 2 months
