On 2023-07-28T09:13:14 -0400
Daniel Walsh <dwalsh(a)redhat.com> wrote:
> The issue with running all of your containers as a non root users, is if
> every container runs as a non-root user, then the containers would be
> allowed to attack the user account and every other container, if they
> were to escape confinement (SELinux).
Hello!
I read back what I wrote and realized it was a bit ambiguous. To be
clear: I'm running each container as a separate non-root user; one user
ID per container (not one user ID shared between all containers).
Running containers with the least privs possible is always the goal,
but it really is up to the application.
This is where I'm still not entirely clear: Is running a container as
root with SELinux and with flags such as --unprivileged=false really
more powerful than as a regular user with the same kinds of flags?
I haven't heard of anyone escaping SELinux confinement, although I'm
guessing it has probably been done. I'd assume a kernel-level exploit
would probably be required and, in that case, running under a different
UID wouldn't help matters.
I've tried setting up machines with all of the containers running as
root, and it's certainly a lot less of an administrative burden. I run
my own registry so I'm not _too_ concerned about hostile images making
it into production containers.
I feel like there's a huge hole in the documentation around this
subject, and it's really weird that no one appears to be talking about
it. Fedora Server runs all containers as root if configured via
Cockpit, so presumably someone at least considered the issue?
--
Mark Raynsford |
https://www.io7m.com
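The property discussed in this exchange (one UID per container, no container as root) can be checked against a running host. The following is an added example, not code from either poster, Podman or Fedora. It assumes the JSON shape that `podman inspect <container>...` emits (a list of objects carrying "Name" and "Config": {"User": ...}), and feeds a constructed sample instead of live output so it runs offline; the container names and UIDs in the sample are invented.

```python
"""Audit the UID each container runs as, from `podman inspect` output.

Added example for the thread above, not code from the thread or from
Podman. Assumes the `podman inspect` JSON shape: a list of objects with
"Name" and "Config": {"User": ...}. The sample below is constructed so
the script runs without a container runtime present.
"""
import json
from collections import defaultdict

# Constructed sample standing in for: podman inspect $(podman ps -q)
SAMPLE_INSPECT = json.dumps([
    {"Name": "web",   "Config": {"User": "10001:10001"}},
    {"Name": "db",    "Config": {"User": "10002"}},
    {"Name": "cache", "Config": {"User": ""}},         # empty => image default, i.e. root
    {"Name": "proxy", "Config": {"User": "10001"}},    # shares a UID with "web"
    {"Name": "jobs",  "Config": {"User": "appuser"}},  # username, resolved inside the image
])


def parse_user(user_field):
    """Return the numeric UID from a Config.User string.

    An empty or missing value means the image default, which is root (0).
    A "uid:gid" pair yields the uid. A bare username cannot be resolved
    without the image's /etc/passwd, so None is returned for it.
    """
    if not user_field:
        return 0
    uid_part = user_field.split(":", 1)[0]
    return int(uid_part) if uid_part.isdigit() else None


def audit(inspect_json):
    """Group containers by UID and report the two conditions the thread
    cares about: containers running as root, and distinct containers
    sharing one non-root UID (if one escapes confinement, plain DAC lets
    it reach the other's files and processes). Usernames that could not
    be resolved are listed separately so they are not silently skipped.
    """
    by_uid = defaultdict(list)
    unresolved = []
    for ctr in json.loads(inspect_json):
        name = ctr["Name"]
        uid = parse_user(ctr.get("Config", {}).get("User"))
        if uid is None:
            unresolved.append(name)
        else:
            by_uid[uid].append(name)
    return {
        "root": sorted(by_uid.get(0, [])),
        "shared": {uid: sorted(names) for uid, names in by_uid.items()
                   if uid != 0 and len(names) > 1},
        "unresolved": sorted(unresolved),
    }


if __name__ == "__main__":
    # With real data: podman inspect $(podman ps -q) | python3 audit_uids.py
    print(json.dumps(audit(SAMPLE_INSPECT), indent=2))
```

Config.User is the UID the process has inside the container. When rootful Podman remaps it through a user namespace (for example with `--userns=auto`), the UID seen by the host kernel is different, so this check covers the in-container identity only; a host-side `ps -o uid,pid,cmd` of the container processes is the complementary check for what an escaped process would actually carry.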