Hi Mikhaël,I created some slides[1] last year to explain how rootless networking works.However I wanted to ask (if I can) about rootless design : by default, servers working with ports below 1024 can only run root mode. The system can however be configured to overcome that, but I guess that if there is this protection by default it is for a good reason, even if I don't know it. So the ports I expose, outside the pod, on the local host of my ubuntu host, are always > 1024. For example, let's say I use the :80 inside a container with nginx. I do expose it as :10080. Then, to get nginx on port :80 of the physical network card, I do it IP tables, that I configure in root mode of course. Is it a good practice or is it unusefully "complex" ? Or is there any better practice to do that ?I think redirecting with iptables or some other firewall frontend is fine.PaulOn Fri, Sep 9, 2022 at 7:29 PM Mikhaël MYARA <mikhael.myara@ies.univ-montp2.fr> wrote:Chris, Thanks a lot for your answer !I finally understood that with podman the concept of "pod" + exposed ports solved what I wanted to do, it works perfectly : at the time I did write the first email, I used podman exactly like I used docker and didn't know about "pods". It is of course a bit frustrating not to have understood these differend kinds of network managements, in root or rootless mode, but at the moment it is not a real problem for what I do work on. I guess my knowledge of networks in root or user mode with linux is too superficial, and that fact explains my problems with that. But again, I have a practical solution : pods, that solves perfectly my problem.So everythinkg is ok for me. To answer your question, I work on ubuntu 22.04 with the last supported version for ubuntu, that is podman 3.3.4. But for the time being, my problem is solved.However I wanted to ask (if I can) about rootless design : by default, servers working with ports below 1024 can only run root mode. The system can however be configured to overcome that, but I guess that if there is this protection by default it is for a good reason, even if I don't know it. So the ports I expose, outside the pod, on the local host of my ubuntu host, are always > 1024. For example, let's say I use the :80 inside a container with nginx. I do expose it as :10080. Then, to get nginx on port :80 of the physical network card, I do it IP tables, that I configure in root mode of course. Is it a good practice or is it unusefully "complex" ? Or is there any better practice to do that ?Best Regards,Mike_______________________________________________
Le ven., sept. 9 2022 at 13:04:05 -0400, Chris Evich <cevich@redhat.com> a écrit :I think perhaps nobody's replied because we don't have enough environment details. Such as what OS and version, and what version of podman is this. It looks like you're using CNI networking, so I'm guessing this is an older version of podman. In any case, I am not an expert in these things. But I do find it odd that you would need/want to use the main 'podman' bridge as a rootless user in this way. Normally rootless networking works quite well with slirp4netns. So perhaps figuring out why it's not, is a good starting place? Otherwise, more details about the environment and what you're trying to accomplish would help us answer your questions better. Chris Evich (he/him), RHCA III Senior Quality Assurance Engineer Nearly all opportunities, can only be achieved in the future. On 8/23/22 09:19, Mikhaël MYARA wrote:Dear all, I started with Docker a few weeks ago and understood security issues coming from the root daemon. I saw that podman was close to Doker (and it is true, my Dockerfiles worked without modification) and solved this security issue. With podman, things work well as long as I use my images / containers in root mode, using sudo. However nothing works in user mode. I guess that for security reasons, it would be better, by far, to run containers in user mode. And I cannot understand how it works. In root mode, typing "ip a" exhibits an eth0 network card, with an ip. And when I use this ip with the considered port fron the outside of the container (i.e. from the main OS), it works In rootless mode, the same command gives a tap0 interface instead, with another ip on another sob network I guess. now if I force the usage of the podman network (in rootless mode), with --network podman, now I get a eth0 network interface, on the same sub network as in root mode. It seems to correspond to the cni-podman0 network on the host OS. However, when I do : telnet 10.88.0.02 8080 from the podman container, it works, whereas from the host OS, it does not work, whereas the interface responds to ping from the host. Can someone help ? Regards, Mike _______________________________________________ Podman mailing list -- podman@lists.podman.io To unsubscribe send an email to podman-leave@lists.podman.io_______________________________________________ Podman mailing list -- podman@lists.podman.io To unsubscribe send an email to podman-leave@lists.podman.io
Podman mailing list -- podman@lists.podman.io
To unsubscribe send an email to podman-leave@lists.podman.io