8:16 p.m.
People,
I want to have a MTA running from a container but is it possible for the
containerised MTA:
1. to deliver mails to users on the host's file system dir (eg
/home/user/Maildir)?
2. to have access to the host's:
/etc/passwd
/etc/shadow
/etc/group
/etc/gshadow
files for users who are logging in to the host to look at their mails?
Thanks,
Phil.
--
Philip Rhoades
PO Box 896
Cowra NSW 2794
Australia
E-mail: phil(a)pricom.com.au
10:23 p.m.
New subject: 2 Questions re a Container having access to the Host's file system - SUCCESS for 1/2
People,
On 2020-03-23 12:16, Philip Rhoades wrote:
People,
I want to have a MTA running from a container but is it possible for
the containerised MTA:
1. to deliver mails to users on the host's file system dir (eg
/home/user/Maildir)?
2. to have access to the host's:
/etc/passwd
/etc/shadow
/etc/group
/etc/gshadow
files for users who are logging in to the host to look at their mails?
I worked out that I could use the run "-v" switch to answer Q #1
Thanks,
Phil.
--
Philip Rhoades
PO Box 896
Cowra NSW 2794
Australia
E-mail: phil(a)pricom.com.au
7:47 a.m.
New subject: 2 Questions re a Container having access to the Host's file system - SUCCESS for 1/2
On 3/22/20 23:23, Philip Rhoades wrote:
People,
On 2020-03-23 12:16, Philip Rhoades wrote:
> People,
>
> I want to have a MTA running from a container but is it possible for
> the containerised MTA:
>
> 1. to deliver mails to users on the host's file system dir (eg
> /home/user/Maildir)?
>
> 2. to have access to the host's:
>
> /etc/passwd
> /etc/shadow
> /etc/group
> /etc/gshadow
>
> files for users who are logging in to the host to look at their mails?
I worked out that I could use the run "-v" switch to answer Q #1
Thanks,
Phil.
Something like
# podman run --security-opt label:disable -v /etc:/etc:ro -v /home/home
... MTAIMAGE ...
Might work.
Or you would have to get more fine grained on /etc mounts.
2:50 p.m.
New subject: 2 Questions re a Container having access to the Host's file system - SUCCESS for 1/2
I always have a bad feeling about mounting /etc :-( Personally, I prefer
creating a directory in /src for everything. This is what I use for my wiki:
#!/bin/bash
podman run -d --read-only -p 80:80 --name learn.fatherlinux.com \
-v /srv/
learn.fatherlinux.com/code/mediawiki:/var/www/html/learn.fatherlinux.com:Z \
-v /srv/
learn.fatherlinux.com/config/LocalSettings.php:/var/www/html/learn.father...
\
-v /srv/
learn.fatherlinux.com/config/learn.fatherlinux.com.conf:/etc/httpd/conf.d...
\
-v /srv/learn.fatherlinux.com/config/htpasswd:/etc/httpd/conf.d/htpasswd:Z \
-v /srv/learn.fatherlinux.com/data/mariadb/:/var/lib/mysql:Z \
-v /srv/
learn.fatherlinux.com/data/images/:/var/www/html/learn.fatherlinux.com/im...
\
-v /srv/
learn.fatherlinux.com/data/skins/:/var/www/html/learn.fatherlinux.com/ski...
\
--tmpfs /etc \
--tmpfs /var/log/ \
--tmpfs /var/tmp \
localhost/wiki
Best Regards
Scott M
On Mon, Mar 23, 2020 at 8:48 AM Daniel Walsh <dwalsh(a)redhat.com> wrote:
On 3/22/20 23:23, Philip Rhoades wrote:
> People,
>
>
> On 2020-03-23 12:16, Philip Rhoades wrote:
>> People,
>>
>> I want to have a MTA running from a container but is it possible for
>> the containerised MTA:
>>
>> 1. to deliver mails to users on the host's file system dir (eg
>> /home/user/Maildir)?
>>
>> 2. to have access to the host's:
>>
>> /etc/passwd
>> /etc/shadow
>> /etc/group
>> /etc/gshadow
>>
>> files for users who are logging in to the host to look at their mails?
>
>
> I worked out that I could use the run "-v" switch to answer Q #1
>
> Thanks,
>
> Phil.
>
Something like
# podman run --security-opt label:disable -v /etc:/etc:ro -v /home/home
... MTAIMAGE ...
Might work.
Or you would have to get more fine grained on /etc mounts.
_______________________________________________
Podman mailing list -- podman(a)lists.podman.io
To unsubscribe send an email to podman-leave(a)lists.podman.io
--
--
Scott McCarty, RHCA
Product Management - Containers, Red Hat Enterprise Linux & OpenShift
Email: smccarty(a)redhat.com
Phone: 312-660-3535
Cell: 330-807-1043
Web: http://crunchtools.com
Using Azure Pipelines with Red Hat Universal Base Image and Quay.io:
https://red.ht/2TvYo3Y
3:09 p.m.
New subject: 2 Questions re a Container having access to the Host's file system - SUCCESS for 1/2
Sure that is much safer, especially where there could be conflicting
config files.
I was going for easy and quick test. But yours is better from a
security as well as a supportablity point of view.
On 3/23/20 15:50, Scott McCarty wrote:
I always have a bad feeling about mounting /etc :-( Personally, I
prefer creating a directory in /src for everything. This is what I use
for my wiki:
#!/bin/bash
podman run -d --read-only -p 80:80 --name learn.fatherlinux.com
<http://learn.fatherlinux.com> \
-v
/srv/learn.fatherlinux.com/code/mediawiki:/var/www/html/learn.fatherlinux.com:Z
<http://learn.fatherlinux.com/code/mediawiki:/var/www/html/learn.fatherlin...
\
-v
/srv/learn.fatherlinux.com/config/LocalSettings.php:/var/www/html/learn.fatherlinux.com/LocalSettings.php:Z
<http://learn.fatherlinux.com/config/LocalSettings.php:/var/www/html/learn...
\
-v
/srv/learn.fatherlinux.com/config/learn.fatherlinux.com.conf:/etc/httpd/conf.d/learn.fatherlinux.com.conf:Z
<http://learn.fatherlinux.com/config/learn.fatherlinux.com.conf:/etc/httpd...
\
-v
/srv/learn.fatherlinux.com/config/htpasswd:/etc/httpd/conf.d/htpasswd:Z
<http://learn.fatherlinux.com/config/htpasswd:/etc/httpd/conf.d/htpasswd:Z...
\
-v /srv/learn.fatherlinux.com/data/mariadb/:/var/lib/mysql:Z
<http://learn.fatherlinux.com/data/mariadb/:/var/lib/mysql:Z> \
-v
/srv/learn.fatherlinux.com/data/images/:/var/www/html/learn.fatherlinux.com/images:Z
<http://learn.fatherlinux.com/data/images/:/var/www/html/learn.fatherlinux...
\
-v
/srv/learn.fatherlinux.com/data/skins/:/var/www/html/learn.fatherlinux.com/skins:Z
<http://learn.fatherlinux.com/data/skins/:/var/www/html/learn.fatherlinux....
\
--tmpfs /etc \
--tmpfs /var/log/ \
--tmpfs /var/tmp \
localhost/wiki
Best Regards
Scott M
On Mon, Mar 23, 2020 at 8:48 AM Daniel Walsh <dwalsh(a)redhat.com
<mailto:dwalsh@redhat.com>> wrote:
On 3/22/20 23:23, Philip Rhoades wrote:
> People,
>
>
> On 2020-03-23 12:16, Philip Rhoades wrote:
>> People,
>>
>> I want to have a MTA running from a container but is it
possible for
>> the containerised MTA:
>>
>> 1. to deliver mails to users on the host's file system dir (eg
>> /home/user/Maildir)?
>>
>> 2. to have access to the host's:
>>
>> /etc/passwd
>> /etc/shadow
>> /etc/group
>> /etc/gshadow
>>
>> files for users who are logging in to the host to look at their
mails?
>
>
> I worked out that I could use the run "-v" switch to answer Q #1
>
> Thanks,
>
> Phil.
>
Something like
# podman run --security-opt label:disable -v /etc:/etc:ro -v
/home/home
... MTAIMAGE ...
Might work.
Or you would have to get more fine grained on /etc mounts.
_______________________________________________
Podman mailing list -- podman(a)lists.podman.io
<mailto:podman@lists.podman.io>
To unsubscribe send an email to podman-leave(a)lists.podman.io
<mailto:podman-leave@lists.podman.io>
--
--
Scott McCarty, RHCA Product Management - Containers, Red Hat
Enterprise Linux & OpenShift Email: smccarty(a)redhat.com
<mailto:smccarty@redhat.com> Phone: 312-660-3535 Cell: 330-807-1043
Web: http://crunchtools.com
Using Azure Pipelines with Red Hat Universal Base Image and Quay.io:
https://red.ht/2TvYo3Y
_______________________________________________
Podman mailing list -- podman(a)lists.podman.io
To unsubscribe send an email to podman-leave(a)lists.podman.io
5:29 p.m.
New subject: 2 Questions re a Container having access to the Host's file system - SUCCESS for 1/2
Daniel, Scott, Giuseppe, Bryan,
Thanks for all the great suggestions people!
P.
On 2020-03-23 14:23, Philip Rhoades wrote:
People,
On 2020-03-23 12:16, Philip Rhoades wrote:
> People,
>
> I want to have a MTA running from a container but is it possible for
> the containerised MTA:
>
> 1. to deliver mails to users on the host's file system dir (eg
> /home/user/Maildir)?
>
> 2. to have access to the host's:
>
> /etc/passwd
> /etc/shadow
> /etc/group
> /etc/gshadow
>
> files for users who are logging in to the host to look at their mails?
I worked out that I could use the run "-v" switch to answer Q #1
Thanks,
Phil.
--
Philip Rhoades
PO Box 896
Cowra NSW 2794
Australia
E-mail: phil(a)pricom.com.au
8:39 a.m.
New subject: 2 Questions re a Container having access to the Host's file system
It's possible, but it would require running the container in a privileged
mode. It would essentially mitigate any security benefit you get from
running the MTA in containers.
I would recommend copying all of these files into a directory in /srv
dedicated to the service (in this case the MTA). For example, I would
create a directory structure something like:
/srv/mail.example.com/etc/passwd
/srv/mail.example.com/etc/shadow
/srv/mail.example.com/etc/etc/group
/srv/mail.example.com/etc/etc/gshadow
/srv/mail.example.com/etc/home/user/Maildir
Then, I would bind mount each of these in. This is what I do for Mediawiki,
MySQL, and Wordpress. Sadly, I don't think I've created a GitHub repo to
show people how to do it.
Personally, I also run systemd in the container (because I hate reverse
engineering startup scripts) and I run the whole thing read-only. IMHO,
thisngives me a balance of security and convenience.
If you don't run systemd, you could even run rootless.
Best Regards
Scott M
On Sun, Mar 22, 2020, 9:18 PM Philip Rhoades <phil(a)pricom.com.au> wrote:
People,
I want to have a MTA running from a container but is it possible for the
containerised MTA:
1. to deliver mails to users on the host's file system dir (eg
/home/user/Maildir)?
2. to have access to the host's:
/etc/passwd
/etc/shadow
/etc/group
/etc/gshadow
files for users who are logging in to the host to look at their mails?
Thanks,
Phil.
--
Philip Rhoades
PO Box 896
Cowra NSW 2794
Australia
E-mail: phil(a)pricom.com.au
_______________________________________________
Podman mailing list -- podman(a)lists.podman.io
To unsubscribe send an email to podman-leave(a)lists.podman.io
9:29 a.m.
New subject: 2 Questions re a Container having access to the Host's file system
Scott McCarty <smccarty(a)redhat.com> writes:
Personally, I also run systemd in the container (because I hate
reverse engineering startup scripts) and I run the whole thing read-only. IMHO, thisngives
me a balance of
security and convenience.
If you don't run systemd, you could even run rootless.
systemd should work fine with rootless containers too.
Giuseppe
9:39 a.m.
New subject: 2 Questions re a Container having access to the Host's file system
Excellent post Scott, showing best practice. I think we need more like this
On Mon, 23 Mar 2020, 13:46 Scott McCarty, <smccarty(a)redhat.com> wrote:
It's possible, but it would require running the container in a
privileged
mode. It would essentially mitigate any security benefit you get from
running the MTA in containers.
I would recommend copying all of these files into a directory in /srv
dedicated to the service (in this case the MTA). For example, I would
create a directory structure something like:
/srv/mail.example.com/etc/passwd
/srv/mail.example.com/etc/shadow
/srv/mail.example.com/etc/etc/group
/srv/mail.example.com/etc/etc/gshadow
/srv/mail.example.com/etc/home/user/Maildir
Then, I would bind mount each of these in. This is what I do for
Mediawiki, MySQL, and Wordpress. Sadly, I don't think I've created a GitHub
repo to show people how to do it.
Personally, I also run systemd in the container (because I hate reverse
engineering startup scripts) and I run the whole thing read-only. IMHO,
thisngives me a balance of security and convenience.
If you don't run systemd, you could even run rootless.
Best Regards
Scott M
On Sun, Mar 22, 2020, 9:18 PM Philip Rhoades <phil(a)pricom.com.au> wrote:
> People,
>
> I want to have a MTA running from a container but is it possible for the
> containerised MTA:
>
> 1. to deliver mails to users on the host's file system dir (eg
> /home/user/Maildir)?
>
> 2. to have access to the host's:
>
> /etc/passwd
> /etc/shadow
> /etc/group
> /etc/gshadow
>
> files for users who are logging in to the host to look at their mails?
>
> Thanks,
>
> Phil.
> --
> Philip Rhoades
>
> PO Box 896
> Cowra NSW 2794
> Australia
> E-mail: phil(a)pricom.com.au
> _______________________________________________
> Podman mailing list -- podman(a)lists.podman.io
> To unsubscribe send an email to podman-leave(a)lists.podman.io
>
_______________________________________________
Podman mailing list -- podman(a)lists.podman.io
To unsubscribe send an email to podman-leave(a)lists.podman.io
1875
days inactive
1875
days old
8 comments
5 participants
participants (5)
-
Bryan Hepworth -
Daniel Walsh -
Giuseppe Scrivano -
Philip Rhoades -
Scott McCarty