Hi,
as you are talking about SELinux support below, is there a way to
prevent processes in a container from writing to the disk or modifying
files? Any example would be great. I found
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
but I was not able to restrict the disk access and still be able to
start the container.
thanks,
Hendrik
$ podman run --read-only -ti fedora sh
# id
uid=0(root) gid=0(root) groups=0(root)
# touch /dan
touch: cannot touch '/dan': Read-only file system
#
The only place the container is able to write is to tmpfs mounted in the
container.
On 6/8/20 10:19 PM, Daniel Walsh wrote:
> On 6/8/20 07:00, Anders F Björklund wrote:
>> Erik Sjölund wrote:
>>> Regarding the email thread:
>>> "We are working on creating a FAQ for Podman"
>>>
>>> I'm curious about the question:
>>> What are the main differences between Podman and Singularity?
>>>
>>> I think in the academic world Singularity has become quite popular.
>>>
>>> The PhD students in my work place build the SIF (Singularity Image
>>> Format) file on their local computer and then copy it to the cluster
>>> with the scp command and run it there. (In some research HPC compute
>>> clusters they have installed Singularity)
>>>
>>> (Not so much of an answer but I tried to describe the situation where
>>> I get the question).
> Podman is getting quite popular in the HPC world and competing against
> Singularity.
>
> One major issue with Singularity recently is that it dropped
> "enterprise" support, and since RHEL supports Podman, customers are
> working with us on it.
>
> But in the opensource world people are also interested in moving HPC
> workloads to the OCI/Container world.
>
> We have added lots of features to make Podman more attractive to HPC. A
> few of them being:
>
> 1. Rootless Podman - HPC customers want to run their containers with as
> little privilege as possible.
>
> 2. ignore_chown_errors - We added a field to containers/storage
> storage.conf to allow HPC customers to set up their environments to be
> able to run any container from a container registry like quay.io or
> docker.io within a single UID. Basically this flag tells
> containers/storage, when it pulls an image and has a file not owned by
> root, to ignore the error when it attempts to chown it to non-root.
> This means the file remains owned by root of the user namespace,
> meaning the user's UID.
>
> 3. We have added support for containers.conf which allows administrators,
> including HPC users, to customize the defaults of podman. HPC users tend
> to want to run with limited namespaces and additional volumes mounted
> into their containers.
>
> We have several features in Podman that are better than Singularity,
> starting with working with the OCI world, better namespace support, and
> better security with SELinux, SECCOMP and user namespace support.
>
>>> I agree, I have done some presentations on both Podman and
>>> Singularity.
>>> Will post the presentation links over at
>>>
>>> https://boot2podman.github.io/
>>>
>>> Sometimes I think that Podman focuses too much on competing with
>>> Docker.
>>> And that Docker focuses more on Mac and Win (not Linux), these days...
> We want to be able to work in all domains. As I stated above we have
> been working with the HPC community, we are working on Mac/Windows
> support and continue to concentrate on Linux features.
>
> But we are an opensource project, so we will work where the community
> takes us.
>
>>> /Anders
>>> _______________________________________________
>>> Podman mailing list -- podman(a)lists.podman.io
>>> To unsubscribe send an email to podman-leave(a)lists.podman.io
>
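As an added example (not code from this thread or from the Podman project), a small POSIX shell helper that composes the --read-only approach shown above with one explicit tmpfs scratch path, then checks that the container can write nowhere else. The /scratch path, the image name and the RUN_CHECK/IMAGE variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from this thread): compose the --read-only approach
# above with an explicit tmpfs scratch path and check that the policy holds.
# Assumptions: podman is on PATH; the image name and the /scratch path are
# placeholders chosen for this example.

# Print the podman run flags for a read-only container. Each argument is a
# container path that should stay writable, backed by a small tmpfs.
readonly_run_args() {
    # Root filesystem read-only, no automatic tmpfs on /run, /tmp, /var/tmp
    # (--read-only-tmpfs=false), no capabilities, no privilege escalation.
    args="--read-only --read-only-tmpfs=false --cap-drop=ALL --security-opt=no-new-privileges"
    for p in "$@"; do
        case $p in
            /*) args="$args --tmpfs $p:rw,noexec,nosuid,size=64m" ;;
            *)  echo "tmpfs path must be absolute: $p" >&2; return 1 ;;
        esac
    done
    echo "$args"
}

# Run a command in the hardened container; /scratch is the only writable path.
# Unquoted $(...) is intentional: the flags are split into separate arguments.
hardened_run() {
    image=$1; shift
    podman run --rm $(readonly_run_args /scratch) "$image" "$@"
}

# Verify the policy: a write to / must fail, a write to /scratch must succeed.
check_policy() {
    image=$1
    if hardened_run "$image" touch /dan 2>/dev/null; then
        echo "FAIL: root filesystem is writable"; return 1
    fi
    if ! hardened_run "$image" touch /scratch/ok 2>/dev/null; then
        echo "FAIL: tmpfs scratch path is not writable"; return 1
    fi
    echo "OK: only /scratch is writable"
}

# Only talk to podman when explicitly asked, e.g. RUN_CHECK=1 sh hardened.sh
if [ -n "${RUN_CHECK:-}" ]; then
    check_policy "${IMAGE:-fedora}"
fi
```

Without --read-only-tmpfs=false podman still mounts writable tmpfs on /run, /tmp and /var/tmp, which is the behaviour the reply above refers to; the flag closes those too so that only the listed paths remain writable.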