On 7/28/23 09:27, Mark Raynsford via Podman wrote:
> I read back what I wrote and realized it was a bit ambiguous. To be
> clear: I'm running each container as a separate non-root user; one user
> ID per container (not one user ID shared between all containers).
I think your architecture question is fascinating, and certainly a topic
I've been interested in. I agree wholeheartedly with Dan's
defense-in-depth philosophy, those are wise words to stand upon. This
is elegantly reflected by the architecture you've described (multiple
host users running rootless containers). Lots and lots of safety layers
there.
I also hear you loud and clear about this being a PITA to manage. My
experience is, it can get even trickier when you bring in something like
Ansible to "help" manage it :( Esp., as you also found, the storage
ownership mess very quickly gets out of hand.
---
Side-note: This is what prompted my earlier question to this list:
"Ansible `template` tasks and rootless podman volume content management"
---
In all cases, try to step back to first-principles: There's always a
push-and-pull between "security" vs "usability" (or "ease of use",
"management", "convenience", etc.). Most often, you give up one to get
some of the other. Exceptions to this seem to be incredibly rare
(SELinux may be one from a user's POV).
So for an architecture like you described, perhaps it's simply past the
"reasonably practical" point. Maybe it's "okay" to use a single (host)
user to run all the containers? You can still leverage pods to
segregate networking, cgroups for resources, and volumes to carve up
storage (with careful attention to your `:z` and `:Z`s).
I would also agree this is slightly "less safe". However, the
alternative may (unfortunately) be 100% secure: The system never gets
deployed at all, because it's simply too unwieldy for a human (and/or
Ansible) to manage.
I'm still curious to hear other opinions on this topic though.
---
Chris Evich (he/him), RHCA III
Senior Quality Assurance Engineer
If there's a "hard-way", I'm the first one to implement it.
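An added example, not from the thread or the Podman project, of the single-host-user layout suggested above: every app gets its own pod on a dedicated rootless network, a cgroup memory/CPU limit, and a bind-mounted data directory with a private `:Z` label. Pod names, images and host paths are placeholders; DRY_RUN=1 prints the commands instead of running them so the plan can be reviewed (or run where podman is not installed).

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): one rootless host user
# runs several apps, each isolated in its own pod. Names, images and paths
# are placeholders. Requires cgroups v2 with delegation for rootless limits.
set -eu

# run CMD... : execute, or with DRY_RUN=1 only print the command line.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s ' "$@"; printf '\n'
    else
        "$@"
    fi
}

# deploy_app_pod NAME IMAGE DATA_DIR [MEM] [CPUS]
#   NAME     - pod/container suffix (placeholder, e.g. "web")
#   IMAGE    - container image reference (placeholder)
#   DATA_DIR - host directory mounted at /data with a private SELinux label
#              (:Z); use :z only when several containers must share it
deploy_app_pod() {
    name=$1; image=$2; data=$3; mem=${4:-512m}; cpus=${5:-1.0}
    # Each pod gets its own network namespace on a dedicated rootless
    # network, so pods cannot talk to each other unless a port is published.
    run podman network create "net-$name"
    run podman pod create --name "pod-$name" --network "net-$name"
    # cgroup limits bound the blast radius of a runaway container; dropping
    # all capabilities and no-new-privileges keep the process unprivileged.
    run podman run -d --pod "pod-$name" --name "app-$name" \
        --memory "$mem" --cpus "$cpus" --cap-drop=ALL \
        --security-opt no-new-privileges \
        -v "$data:/data:Z" "$image"
}

# uses_private_label ARGS... : 0 when the planned deployment mounts its
# data directory with the private :Z label rather than the shared :z one.
uses_private_label() {
    ( DRY_RUN=1; deploy_app_pod "$@" ) | grep -q ':/data:Z '
}

# Usage: deploy_app_pod web docker.io/library/nginx:alpine /srv/web
# Preview: DRY_RUN=1 sh thisscript.sh (after adding a call like the above)
```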