On 2020-09-08 10:37, Chintan from Rebhu wrote:
> Hello everyone!!
>
> I found this GitHub issue
> (https://github.com/containers/podman/issues/4490).
> There were two recommended actions:
> 1. Add `--security-opt label=disable` while starting the container
> 2. Add `--group-add tty` while starting the container
>
> The first one worked for me while running Envoyproxy 1.15.0. I would
> like to understand the security implications of this flag.

That flag disables SELinux confinement for the container. SELinux is
one of the more important security features for the container in my
opinion - it stopped a number of the more serious container escape
vulnerabilities in the past, and provides a lot of safety in ensuring
that the container cannot access things it was not meant to even if it
breaks out.
Can you re-enable SELinux, run the Podman command again, and look for
any AVC messages in syslog? It looks like this (changing ownership of
the TTY) is probably safe, and we may be able to add it to the default
SELinux policy for containers as an allowed action. Providing the AVCs
would help us do that.
Thanks,
Matt Heon

> --
> Chintan Mishra
>
> On 08/09/20 10:18 am, Chintan from Rebhu wrote:
>> Hello everyone!!
>>
>> I am trying to run Envoyproxy using podman.
>>
>> I have tried running the application in rootful and rootless mode
>> but in either of these I get the same error.
>>
>> As mentioned in Envoyproxy's documentation, I run the following
>> command:
>>
>>     podman run -d -p 10000:10000 envoyproxy/envoy:v1.15.0
>>
>> However, the container exits and the logs show the following errors:
>>
>>     chown: changing ownership of '/dev/stdout': Permission denied
>>     chown: changing ownership of '/dev/stderr': Permission denied
>>
>> This is the complete output returned from podman logs.
>>
>> The same error is not present when I switch from v1.15.0 to v1.14.4
>> of Envoyproxy.
>>
>> I am out of my wits about this. Please tell me how I should find a
>> solution.
>>
>> We only use Podman in our infrastructure.
>>
>> Here are some more details that might be helpful:
>>
>>  * `uname -r`: 5.6.5-300.fc32.x86_64
>>  * `rpm -qa conmon`: conmon-2.0.19-1.fc32.x86_64
>>  * `cat /etc/os-release`:
>>        NAME=Fedora
>>        VERSION="32 (Cloud Edition)"
>>        ID=fedora
>>        VERSION_ID=32
>>        VERSION_CODENAME=""
>>        PLATFORM_ID="platform:f32"
>>        PRETTY_NAME="Fedora 32 (Cloud Edition)"
>>        ANSI_COLOR="0;34"
>>        LOGO=fedora-logo-icon
>>        CPE_NAME="cpe:/o:fedoraproject:fedora:32"
>>        HOME_URL="https://fedoraproject.org/"
>>        DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/f32/s...
>>        SUPPORT_URL="https://fedoraproject.org/wiki/Communicating_and_gettin...
>>        BUG_REPORT_URL="https://bugzilla.redhat.com/"
>>        REDHAT_BUGZILLA_PRODUCT="Fedora"
>>        REDHAT_BUGZILLA_PRODUCT_VERSION=32
>>        REDHAT_SUPPORT_PRODUCT="Fedora"
>>        REDHAT_SUPPORT_PRODUCT_VERSION=32
>>        PRIVACY_POLICY_URL="https://fedoraproject.org/wiki/Legal:PrivacyPoli...
>>        VARIANT="Cloud Edition"
>>        VARIANT_ID=cloud
>>
>> Thank you.
>>
>> --
>> Chintan Mishra
>> Rebhu Computing
>>
_______________________________________________
Podman mailing list -- podman(a)lists.podman.io
To unsubscribe send an email to podman-leave(a)lists.podman.io
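Matt's suggestion above is to keep SELinux confinement on, reproduce the failure, and collect the AVC denials. The script below is an added example (not from this thread or the Podman project) that summarises AVC audit lines into the fields worth reporting and filters to those raised by a confined container process; it assumes the record format printed by `ausearch -m AVC`, and the `SAMPLE_AVC` lines are constructed for illustration, not a real capture.

```shell
#!/usr/bin/env sh
# Added example: summarise SELinux AVC denials for a policy report.
# Assumes the audit-log line format printed by `ausearch -m AVC` or the
# kernel log. SAMPLE_AVC below is constructed, not a real capture.

# Print one line per denial:
#   <comm> denied {<perms>} on <tclass> <name> from <source SELinux type>
summarize_avc() {
    awk '
    /avc: +denied/ {
        perms = $0
        sub(/.*avc: +denied +[{] */, "", perms)   # keep text after "{ "
        sub(/ *[}].*/, "", perms)                 # ... up to " }"
        comm = name = tclass = stype = "?"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm")   comm = kv[2]
            if (kv[1] == "name")   name = kv[2]
            if (kv[1] == "tclass") tclass = kv[2]
            if (kv[1] == "scontext") { split(kv[2], ctx, ":"); stype = ctx[3] }
        }
        gsub(/"/, "", comm); gsub(/"/, "", name)
        printf "%s denied {%s} on %s %s from %s\n", comm, perms, tclass, name, stype
    }'
}

# Keep only denials raised by a confined container process (type container_t);
# denials from other domains are unrelated noise for this report.
container_denials() {
    summarize_avc | grep ' from container_t$'
}

# On a real host (needs auditd): re-run the container WITHOUT
# `--security-opt label=disable`, then call this to collect what was denied.
recent_container_denials() {
    ausearch -m AVC -ts recent 2>/dev/null | container_denials
}

# Constructed sample: a SYSCALL record (no AVC text), the chown denial from
# the container's process, and an unrelated denial from another domain.
SAMPLE_AVC='type=SYSCALL msg=audit(1599555432.123:456): arch=c000003e syscall=92 success=no exit=-13 comm="chown" exe="/usr/bin/chown" subj=system_u:system_r:container_t:s0:c123,c456 key=(null)
type=AVC msg=audit(1599555432.123:456): avc:  denied  { setattr } for  pid=4242 comm="chown" name="0" dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c123,c456 tcontext=system_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1599555440.001:457): avc:  denied  { read } for  pid=777 comm="httpd" name="index.html" dev="dm-0" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

printf '%s\n' "$SAMPLE_AVC" | container_denials
```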