Is Network=host actually insecure with rootless Podman?
by jklaiho@iki.fi
I've run into highly mysterious and randomly occurring issues with both container-to-host and container-to-LAN PostgreSQL connections. It makes me suspect something is awry with either Podman or Pasta networking, because running the same service (a Django gunicorn process) bare metal under Supervisor using host-to-host or host-to-LAN PostgreSQL connections doesn't exhibit this issue.
This post is not about that, though. To isolate what part of the system is causing the issue, I need to set up a separate test server where I'll try moving away from Pasta networking into host networking instead to verify that everything still works, and if it does, move our servers facing the connection issues to use host networking.
I've read Erik Sjölund's excellent writeup at https://github.com/eriksjolund/podman-networking-docs and the Medium post it linked to claiming that host networking is insecure, at https://medium.com/nttlabs/dont-use-host-network-namespace-f548aeeef575. It deals with Docker and rootful containers, so immediately I'm thinking that the applicability to rootless Podman is limited or nonexistent.
We use iptables and only expose SSH and nginx to the outside world. Any applications we run in Pasta-networked rootless containers get reverse proxied with nginx. We only run the actual applications in containers; things like PostgreSQL, nginx and Redis are all host services. Pasta has been a boon to us by conveniently exposing ports bidirectionally between container and host and preserving request IPs.
The basic question is: is host networking in rootless Podman any less secure than just running the same services uncontainerized, directly on the host OS, as a non-root user? Even if we exposed a rootless containerized service port directly to the outside world without reverse proxying, I don't see how this would be any riskier with host networking than it would be with bare metal. If the risk profile is the same or very nearly the same as that, I consider that sufficient.
10 months, 2 weeks
