Excellent post Scott, showing best practice. I think we need more like this
On Mon, 23 Mar 2020, 13:46 Scott McCarty, <smccarty(a)redhat.com> wrote:
It's possible, but it would require running the container in a privileged
mode. It would essentially mitigate any security benefit you get from
running the MTA in containers.
I would recommend copying all of these files into a directory in /srv
dedicated to the service (in this case the MTA). For example, I would
create a directory structure something like:
/srv/mail.example.com/etc/passwd
/srv/mail.example.com/etc/shadow
/srv/mail.example.com/etc/etc/group
/srv/mail.example.com/etc/etc/gshadow
/srv/mail.example.com/etc/home/user/Maildir
Then, I would bind mount each of these in. This is what I do for
Mediawiki, MySQL, and Wordpress. Sadly, I don't think I've created a GitHub
repo to show people how to do it.
Personally, I also run systemd in the container (because I hate reverse
engineering startup scripts) and I run the whole thing read-only. IMHO,
this gives me a balance of security and convenience.
If you don't run systemd, you could even run rootless.
Best Regards
Scott M
On Sun, Mar 22, 2020, 9:18 PM Philip Rhoades <phil(a)pricom.com.au> wrote:
> People,
>
> I want to have a MTA running from a container but is it possible for the
> containerised MTA:
>
> 1. to deliver mails to users on the host's file system dir (eg
> /home/user/Maildir)?
>
> 2. to have access to the host's:
>
> /etc/passwd
> /etc/shadow
> /etc/group
> /etc/gshadow
>
> files for users who are logging in to the host to look at their mails?
>
> Thanks,
>
> Phil.
> --
> Philip Rhoades
>
> PO Box 896
> Cowra NSW 2794
> Australia
> E-mail: phil(a)pricom.com.au
> _______________________________________________
> Podman mailing list -- podman(a)lists.podman.io
> To unsubscribe send an email to podman-leave(a)lists.podman.io
>
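The bind-mount layout Scott describes, worked through as an added example that is not part of the thread: a small POSIX shell script that assembles the podman command for the per-service directory under /srv. The /srv root, the container name `mta` and the image name `localhost/mta:latest` are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: build the podman invocation for the
# /srv layout Scott describes. The /srv root, container name and image name
# are assumptions; adjust them for the real MTA image.
set -eu

SRV_ROOT="${SRV_ROOT:-/srv/mail.example.com}"   # one directory per service
IMAGE="${IMAGE:-localhost/mta:latest}"          # assumed image name

# Emit one -v flag per host path. The account files are mounted read-only
# so a compromised MTA cannot edit them; the home tree stays writable
# because delivery into Maildir needs it.
mta_volume_args() {
  root="$1"
  for f in passwd shadow group gshadow; do
    printf -- '-v %s/etc/%s:/etc/%s:ro\n' "$root" "$f" "$f"
  done
  printf -- '-v %s/home:/home:rw\n' "$root"
}

# Fail before starting if a source is missing: podman would otherwise
# create an empty directory at that path and the bind mount would
# silently shadow the real file inside the container.
check_sources() {
  root="$1"
  for f in etc/passwd etc/shadow etc/group etc/gshadow home; do
    if [ ! -e "$root/$f" ]; then
      echo "missing source: $root/$f" >&2
      return 1
    fi
  done
}

# Full command line: no --privileged, read-only root filesystem
# (podman then gives /run, /tmp and /var/tmp a tmpfs by default), and
# only the explicitly listed host paths visible inside the container.
mta_run_cmd() {
  root="$1"; image="$2"
  printf 'podman run -d --name mta --read-only '
  mta_volume_args "$root" | tr '\n' ' '
  printf '%s\n' "$image"
}

# Print the command for review rather than executing it blindly.
if check_sources "$SRV_ROOT"; then
  mta_run_cmd "$SRV_ROOT" "$IMAGE"
fi
```

Running the printed command as an unprivileged user follows Scott's rootless remark, provided the copied account files under /srv are readable by that user.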