On 7/31/23 15:26, Chris Evich wrote:
On 7/28/23 09:27, Mark Raynsford via Podman wrote:
> I read back what I wrote and realized it was a bit ambiguous. To be
> clear: I'm running each container as a separate non-root user; one user
> ID per container (not one user ID shared between all containers).
I think your architecture question is fascinating, and certainly a
topic I've been interested in. I agree wholeheartedly with Dan's
defense-in-depth philosophy, those are wise words to stand upon. This
is elegantly reflected by the architecture you've described (multiple
host users running rootless containers). Lots and lots of safety
layers there.
I also hear you loud and clear about this being a PITA to manage. My
experience is, it can get even trickier when you bring in something
like Ansible to "help" manage it :( Esp., as you also found, the
storage ownership mess very quickly gets out of hand.
---
Side-note: This is what prompted my earlier question to this list:
"Ansible `template` tasks and rootless podman volume content management"
---
In all cases, try to step back to first principles: There's always a
push-and-pull between "security" vs "usability" (or "ease of use",
"management", "convenience", etc.). Most often, you give up one to
get some of the other. Exceptions to this seem to be incredibly rare
(SELinux may be one from a user's POV).
So for an architecture like you described, perhaps it's simply past
the "reasonably practical" point. Maybe it's "okay" to use a single
(host) user to run all the containers? You can still leverage pods to
segregate networking, cgroups for resources, and volumes to carve up
storage (with careful attention to your `:z` and `:Z`s).
I would also agree this is slightly "less safe". However, the
alternative may (unfortunately) be 100% secure: The system never gets
deployed at all, because it's simply too unwieldy for a human (and/or
Ansible) to manage.
I'm still curious to hear other opinions on this topic though.
---
Chris Evich (he/him), RHCA III
Senior Quality Assurance Engineer
If there's a "hard-way", I'm the first one to implement it.
_______________________________________________
Podman mailing list -- podman(a)lists.podman.io
To unsubscribe send an email to podman-leave(a)lists.podman.io
An easier way to do this would be to create a non-root user with a huge
amount of UIDs and then run each container within that user with
Userns=auto. That would get you doing podman pulls without being root,
and have all of your containers isolated from each other with user
namespaces.
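The scheme in the last message (one host user holding a large subordinate ID range, every container started with --userns=auto so podman carves each one a disjoint slice of that range), worked through as an added example. This is not code from the thread or from the podman project; the user name ctr, the range 200000-1248575, the 65536-ID slot size, the /srv/appN volumes and the IMAGE placeholder are assumptions, and the subuid content is constructed. In rootless mode podman takes the auto ranges from that user's own /etc/subuid and /etc/subgid entries, which is why the range has to be provisioned first. The volume lines also show the `:Z` labelling Chris mentions. Run as-is, the script only prints the commands it would issue.

```shell
#!/bin/sh
# Added example (not code from the thread or from podman). Models one host user
# with a large subordinate UID/GID range and per-container --userns=auto slots.
# Assumed values (mine): user "ctr", range 200000-1248575 (1048576 IDs),
# 65536 IDs per container via --userns=auto:size=65536. Nothing here touches
# the host; it prints the plan for a human to review.

# Constructed /etc/subuid content (/etc/subgid uses the same "name:start:count").
SUBUID_SAMPLE='root:100000:65536
ctr:200000:1048576'

# subuid_range USER  (subuid-format text on stdin) -> "start count", empty if absent
subuid_range() {
  awk -F: -v u="$1" '$1 == u { printf "%s %s\n", $2, $3; exit }'
}

# containers_that_fit COUNT SIZE -> how many SIZE-ID slots a COUNT-ID range holds
containers_that_fit() {
  echo $(( $1 / $2 ))
}

# slot_root_uid START SIZE INDEX -> host UID that in-container uid 0 lands on
# for slot INDEX. Illustrative only: podman chooses which free slot a container
# gets; the property that matters is that two slots never overlap.
slot_root_uid() {
  echo $(( $1 + $2 * $3 ))
}

# plan USER START COUNT SIZE N -> prints the host-side commands for N containers
plan() {
  user=$1; start=$2; count=$3; size=$4; n=$5
  last=$(( start + count - 1 ))
  max=$(containers_that_fit "$count" "$size")
  if [ "$n" -gt "$max" ]; then
    echo "error: $n containers need $(( n * size )) IDs, range holds $count" >&2
    return 1
  fi
  # Provision the range once, as root (shadow-utils 4.9+ syntax, assumed present).
  echo "usermod --add-subuids ${start}-${last} --add-subgids ${start}-${last} $user"
  # Rootless podman caches its ID mappings; re-read them after editing subuid/subgid.
  echo "sudo -u $user podman system migrate"
  i=0
  while [ "$i" -lt "$n" ]; do
    # :Z relabels the volume so only this container's SELinux label may use it.
    echo "sudo -u $user podman run -d --name app$i --userns=auto:size=$size" \
         "-v /srv/app$i:/data:Z IMAGE"
    i=$(( i + 1 ))
  done
}

# Read ctr's range from the constructed subuid text and plan three containers.
range=$(printf '%s\n' "$SUBUID_SAMPLE" | subuid_range ctr)
set -- $range
plan ctr "$1" "$2" 65536 3
```

With the assumed 1048576-ID range and 65536 IDs per container, the plan refuses to go past 16 containers; shrinking `size=` (or dropping it and letting podman size the slot from the image's /etc/passwd) buys more slots at the cost of fewer distinct UIDs inside each container. Pipe the output to `sh` only after reading it.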