Hi,
I have been trying to get podman to work with systemd.
I have a pod with 4 containers inside, along with the pause container, and
I have generated systemd unit files using the command 'podman generate
systemd --files'.
If I place the generated files into the /etc/systemd/user/ directory, then
they run as expected, using the 'systemctl --user enable --now' command.
If I place them into the /etc/systemd/system directory they do not run.
This is as I expected, since the files are all in the standard user's home
directory, as are the volume mounts.
However, although I want them to run in the context of a standard user, I
am concerned that if some hacker breaks into my system, then, because the
command to stop and start systemd user unit files will be available to
them, they can stop the running pod as a standard user, and my server and
Django site will be down. It's as simple as 'systemctl --user stop
pod-xxx.service'.
I discussed the issue briefly with velix on the Podman IRC chat; he
suggested I use system groups. However, no matter how I configure my pod
and container unit files, and whether or not I use 'loginctl enable-linger',
I cannot get the pod to start.
I have read that it is possible to start podman containers having placed
the unit files inside the /etc/systemd/system directory, which would mean
that any command to stop the pod would be followed by systemd bringing
them back up, and the systemctl command to manipulate the pod wouldn't be
available to the standard user.
So, what is the most secure way of starting the containers such that, if
possible, should someone gain unprivileged access, they cannot stop the
pod?
MTIA
James
--
James Stewart Miller Bsc(hons) Psych.
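The following is an added example, not part of James's message and not code
from the podman project. It takes a unit as written by 'podman generate
systemd --files' for the user manager and rewrites it for /etc/systemd/system:
the pod runs under a fixed unprivileged account via User=/Group=, the
[Install] target becomes multi-user.target (the system manager has no
default.target for users), Restart=always replaces the generated
Restart=on-failure so that a 'podman stop' from the compromised account
brings the pod straight back, and XDG_RUNTIME_DIR is pinned to
/run/user/<uid>, which rootless podman needs. The account name 'james', the
uid 1000, a same-named group and the pod name 'pod-mypod' are assumptions;
the sample unit is constructed and trimmed. This setup assumes 'loginctl
enable-linger james' has been run, so that /run/user/1000 exists without a
login session. A 'systemctl --user stop' from that account cannot touch a
system-scope unit (that takes root or a polkit rule), which is the property
asked for. The caveat a practitioner would add: whoever holds that uid can
still kill the container processes or edit the volumes in the home
directory, so Restart= only narrows the damage; if that matters, run the pod
as a dedicated service account rather than the interactive login account.

```shell
#!/bin/sh
# Convert a unit written by `podman generate systemd --files` (user scope)
# into one the system manager can run as a fixed unprivileged account.
# Constructed example: the account "james", uid 1000, group "james" and the
# pod "pod-mypod" are assumptions, not values from the original message.

# to_system_unit USER UID   (unit on stdin, rewritten unit on stdout)
to_system_unit() {
    awk -v user="$1" -v uid="$2" '
        # default.target belongs to the user manager; the system manager
        # wants multi-user.target
        /^WantedBy=default\.target$/ { print "WantedBy=multi-user.target"; next }
        # drop the generated Restart= (usually on-failure); re-added below
        /^Restart=/ { next }
        { print }
        /^\[Service\]$/ {
            # run the pod as the unprivileged account, not as root
            print "User=" user
            print "Group=" user
            # rootless podman needs XDG_RUNTIME_DIR; /run/user/<uid> survives
            # without a login session only if lingering is enabled for the
            # account (assumption: loginctl enable-linger has been run)
            print "Environment=XDG_RUNTIME_DIR=/run/user/" uid
            # always, not on-failure: a clean `podman stop` from the
            # compromised account must also trigger a restart
            print "Restart=always"
            print "RestartSec=5"
        }
    '
}

# check_unit   (unit on stdin): succeed only if every hardening line is there
check_unit() {
    unit=$(cat)
    for want in '^User=' '^Restart=always$' '^WantedBy=multi-user\.target$' \
                '^Environment=XDG_RUNTIME_DIR=/run/user/[0-9]+$'; do
        printf '%s\n' "$unit" | grep -Eq "$want" || return 1
    done
    return 0
}

# Constructed stand-in for a pod unit as `podman generate systemd --files`
# writes it (trimmed; real output carries more Requires=/Before= lines).
SAMPLE_UNIT='# pod-mypod.service
[Unit]
Description=Podman pod-mypod.service
Wants=network-online.target
After=network-online.target

[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=on-failure
ExecStart=/usr/bin/podman start pod-mypod-infra
ExecStop=/usr/bin/podman stop -t 10 pod-mypod-infra
Type=forking

[Install]
WantedBy=default.target'

# convert_sample: the worked conversion of the sample above
convert_sample() {
    printf '%s\n' "$SAMPLE_UNIT" | to_system_unit james 1000
}

# When run directly, show the rewritten unit.
convert_sample
```

In use, the conversion runs once per generated file, as root, e.g.
'to_system_unit james 1000 < ~james/pod-xxx.service
> /etc/systemd/system/pod-xxx.service', followed by 'systemctl daemon-reload'
and 'systemctl enable --now pod-xxx.service'. The container units that the
pod unit Requires= need the same treatment, or the pod will fail to start
for want of them.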