6:30 a.m.
I've run into highly mysterious and randomly occurring issues with both
container-to-host and container-to-LAN PostgreSQL connections. It makes me suspect
something is awry with either Podman or Pasta networking, because running the same service
(a Django gunicorn process) bare metal under Supervisor using host-to-host or host-to-LAN
PostgreSQL connections doesn't exhibit this issue.
This post is not about that, though. To isolate what part of the system is causing the
issue, I need to set up a separate test server where I'll try moving away from Pasta
networking into host networking instead to verify that everything still works, and if it
does, move our servers facing the connection issues to use host networking.
I've read Erik Sjölund's excellent writeup at
https://github.com/eriksjolund/podman-networking-docs and the Medium post it linked to
claiming that host networking is insecure, at
https://medium.com/nttlabs/dont-use-host-network-namespace-f548aeeef575. It deals with
Docker and rootful containers, so immediately I'm thinking that the applicability to
rootless Podman is limited or nonexistent.
We use iptables and only expose SSH and nginx to the outside world. Any applications we
run in Pasta-networked rootless containers get reverse proxied with nginx. We only run the
actual applications in containers; things like PostgreSQL, nginx and Redis are all host
services. Pasta has been a boon to us by conveniently exposing ports bidirectionally
between container and host and preserving request IPs.
The basic question is: is host networking in rootless Podman any less secure than just
running the same services uncontainerized, directly on the host OS, as a non-root user?
Even if we exposed a rootless containerized service port directly to the outside world
without reverse proxying, I don't see how this would be any riskier with host
networking than it would be with bare metal. If the risk profile is the same or very
nearly the same as that, I consider that sufficient.