Thanks, I had never read about that switch; it makes me wonder what other
cool features I might have overlooked as well.
On 6/8/20 11:39 PM, Daniel Walsh wrote:
On 6/8/20 16:49, Hendrik Haddorp wrote:
> Hi,
>
> As you are talking about SELinux support below, is there a way to
> prevent processes in a container to write to the disk or modify files?
> Any example would be great. I found
>
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
>
> but I was not able to restrict the disk access and still be able to
> start the container.
>
> thanks,
> Hendrik
$ podman run --read-only -ti fedora sh
# id
uid=0(root) gid=0(root) groups=0(root)
# touch /dan
touch: cannot touch '/dan': Read-only file system
#
The only place the container is able to write is to tmpfs mounted in the
container.
> On 6/8/20 10:19 PM, Daniel Walsh wrote:
>> On 6/8/20 07:00, Anders F Björklund wrote:
>>> Erik Sjölund wrote:
>>>> Regarding the email thread:
>>>> "We are working on creating a FAQ for Podman"
>>>>
>>>> I'm curious about the question:
>>>> What are the main differences between Podman and Singularity?
>>>>
>>>> I think in the academic world Singularity has become quite popular.
>>>>
>>>> The PhD students in my work place build the SIF (Singularity Image
>>>> Format) file on their local computer and then copy it to the cluster
>>>> with the scp command and run it there. (In some research HPC compute
>>>> clusters they have installed Singularity)
>>>>
>>>> (Not so much of an answer but I tried to describe the situation where
>>>> I get the question).
>> Podman is getting quite popular in the HPC world and competing against
>> Singularity.
>>
>> One major issue with Singularity recently is that it dropped
>> "enterprise" support, and since RHEL supports Podman, customers are
>> working with us on it.
>>
>> But in the opensource world people are also interested in moving HPC
>> workloads to the OCI/Container world.
>>
>> We have added lots of features to make Podman more attractive to HPC. A
>> few of them being:
>>
>> 1. Rootless Podman - HPC customers want to run their containers with as
>> little privilege as possible
>>
>> 2. ignore_chown_errors - We added a field to containers/storage
>> storage.conf to allow HPC customers to set up their environments to be
>> able to run any container from a container registry like quay.io or
>> docker.io within a single UID. Basically this flag tells
>> containers/storage, when it pulls an image and has a file not owned by
>> root, to ignore the error when it attempts to chown it to non-root. This
>> means the file remains owned by root of the user namespace, meaning the
>> user's UID.
>>
>> 3. We have added support for containers.conf, which allows
>> administrators, including HPC users, to customize the defaults of Podman.
>> HPC users tend to want to run with limited namespaces and additional
>> volumes mounted into their containers.
>>
>> We have several features in Podman that are better than Singularity.
>> Starting with working with the OCI world, better namespace support,
>> better security with SELinux, SECCOMP, User namespace support.
>>
>>> I agree, I have done some presentations on both Podman and
>>> Singularity.
>>> Will post the presentation links over at
>>>
>>> https://boot2podman.github.io/
>>>
>>> Sometimes I think that Podman focuses too much on competing with
>>> Docker.
>>> And that Docker focuses more on Mac and Win (not Linux), these days...
>> We want to be able to work in all domains. As I stated above we have
>> been working with the HPC community, we are working on Mac/Windows
>> support and continue to concentrate on Linux features.
>>
>> But we are an opensource project, so we will work where the community
>> takes us.
>>
>>> /Anders
>>> _______________________________________________
>>> Podman mailing list -- podman(a)lists.podman.io
>>> To unsubscribe send an email to podman-leave(a)lists.podman.io
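As an added example (not code from the thread or from the Podman project), the read-only switch discussed above can be combined with a single, explicitly mounted tmpfs so that the container has exactly one writable path, and the result can be checked from inside the container. It assumes podman is installed and that the image (the thread's `fedora`) ships `/bin/sh` and `touch`; `/scratch` is an arbitrary path chosen here. `--read-only`, `--read-only-tmpfs` and `--tmpfs` are existing `podman run` options.

```shell
#!/bin/sh
# Added example, not from the thread: run a container whose root filesystem
# is immutable, give it one writable tmpfs, and verify the policy from
# inside the container. Assumes podman is installed and IMAGE ships /bin/sh
# and touch. "fedora" is the image used in the thread; /scratch is an
# arbitrary path chosen for this example.
set -eu

IMAGE="${IMAGE:-fedora}"
SCRATCH="${SCRATCH:-/scratch}"

# `podman run` options, one per line so callers can splice them in unquoted
# (none of them contains whitespace).
#   --read-only              root fs mounted read-only (the switch from the thread)
#   --read-only-tmpfs=false  do not auto-mount writable tmpfs on /tmp, /run and
#                            /var/tmp, which --read-only otherwise does
#   --tmpfs DIR:...          the single writable area: size-capped, noexec,
#                            nosuid, nodev
readonly_args() {
    cat <<EOF
--rm
--read-only
--read-only-tmpfs=false
--tmpfs
$1:rw,size=16m,noexec,nosuid,nodev
--env
SCRATCH=$1
EOF
}

# Script executed inside the container. Exit status 0 means the policy holds:
# writes outside the scratch tmpfs fail, writes inside it succeed, and files
# placed there cannot be executed.
probe_script() {
    cat <<'EOF'
set -u
fail=0
if touch /probe 2>/dev/null;             then echo "FAIL: / is writable";           fail=1; fi
if touch /tmp/probe 2>/dev/null;         then echo "FAIL: /tmp is writable";        fail=1; fi
if ! touch "$SCRATCH/probe" 2>/dev/null; then echo "FAIL: $SCRATCH not writable";   fail=1; fi
printf '#!/bin/sh\necho ran\n' > "$SCRATCH/x" && chmod +x "$SCRATCH/x"
if "$SCRATCH/x" 2>/dev/null;             then echo "FAIL: $SCRATCH is executable";  fail=1; fi
[ "$fail" -eq 0 ] && echo "OK: only $SCRATCH is writable, and it is noexec"
exit "$fail"
EOF
}

# Start the container and run the probe; returns the probe's verdict as the
# exit status of podman.
run_probe() {
    # shellcheck disable=SC2046  # intentional word splitting, see readonly_args
    podman run $(readonly_args "$1") "$IMAGE" sh -c "$(probe_script)"
}

# Invoke as `sh readonly_probe.sh run` to actually start the container.
case "${1:-}" in
    run) run_probe "$SCRATCH" ;;
esac
```

Two points worth keeping in mind when using this: with plain `--read-only` Podman still mounts writable tmpfs on `/tmp`, `/run` and `/var/tmp` (the tmpfs Dan refers to), which `--read-only-tmpfs=false` turns off; and bind mounts added with `-v` are not covered by `--read-only` at all and stay writable unless they carry the `:ro` option.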