9:19 a.m.
Dear all,
I started with Docker a few weeks ago and understood security issues
coming from the root daemon. I saw that podman was close to Doker (and
it is true, my Dockerfiles worked without modification) and solved this
security issue.
With podman, things work well as long as I use my images / containers
in root mode, using sudo. However nothing works in user mode.
I guess that for security reasons, it would be better, by far, to run
containers in user mode. And I cannot understand how it works.
In root mode, typing "ip a" exhibits an eth0 network card, with an
ip. And when I use this ip with the considered port fron the outside
of the container (i.e. from the main OS), it works
In rootless mode, the same command gives a tap0 interface instead,
with another ip on another sob network I guess.
now if I force the usage of the podman network (in rootless mode),
with --network podman, now I get a eth0 network interface, on the same
sub network as in root mode. It seems to correspond to the cni-podman0
network on the host OS.
However, when I do :
telnet 10.88.0.02 8080
from the podman container, it works, whereas from the host OS, it does
not work, whereas the interface responds to ping from the host.
Can someone help ?
Regards,
Mike
1:04 p.m.
I think perhaps nobody's replied because we don't have enough
environment details. Such as what OS and version, and what version of
podman is this. It looks like you're using CNI networking, so I'm
guessing this is an older version of podman.
In any case, I am not an expert in these things. But I do find it odd
that you would need/want to use the main 'podman' bridge as a rootless
user in this way. Normally rootless networking works quite well with
slirp4netns. So perhaps figuring out why it's not, is a good starting
place?
Otherwise, more details about the environment and what you're trying to
accomplish would help us answer your questions better.
Chris Evich (he/him), RHCA III
Senior Quality Assurance Engineer
Nearly all opportunities, can only be achieved in the future.
On 8/23/22 09:19, Mikhaël MYARA wrote:
Dear all,
I started with Docker a few weeks ago and understood security issues
coming from the root daemon. I saw that podman was close to Doker (and
it is true, my Dockerfiles worked without modification) and solved this
security issue.
With podman, things work well as long as I use my images / containers
in root mode, using sudo. However nothing works in user mode.
I guess that for security reasons, it would be better, by far, to run
containers in user mode. And I cannot understand how it works.
In root mode, typing "ip a" exhibits an eth0 network card, with an
ip. And when I use this ip with the considered port fron the outside of
the container (i.e. from the main OS), it works
In rootless mode, the same command gives a tap0 interface instead,
with another ip on another sob network I guess.
now if I force the usage of the podman network (in rootless mode),
with --network podman, now I get a eth0 network interface, on the same
sub network as in root mode. It seems to correspond to the cni-podman0
network on the host OS.
However, when I do :
telnet 10.88.0.02 8080
from the podman container, it works, whereas from the host OS, it does
not work, whereas the interface responds to ping from the host.
Can someone help ?
Regards,
Mike
_______________________________________________
Podman mailing list -- podman(a)lists.podman.io
To unsubscribe send an email to podman-leave(a)lists.podman.io
1:27 p.m.
Chris, Thanks a lot for your answer !
I finally understood that with podman the concept of "pod" + exposed
ports solved what I wanted to do, it works perfectly : at the time I
did write the first email, I used podman exactly like I used docker and
didn't know about "pods". It is of course a bit frustrating not to have
understood these differend kinds of network managements, in root or
rootless mode, but at the moment it is not a real problem for what I do
work on. I guess my knowledge of networks in root or user mode with
linux is too superficial, and that fact explains my problems with that.
But again, I have a practical solution : pods, that solves perfectly my
problem.
So everythinkg is ok for me. To answer your question, I work on ubuntu
22.04 with the last supported version for ubuntu, that is podman 3.3.4.
But for the time being, my problem is solved.
However I wanted to ask (if I can) about rootless design : by default,
servers working with ports below 1024 can only run root mode. The
system can however be configured to overcome that, but I guess that if
there is this protection by default it is for a good reason, even if I
don't know it. So the ports I expose, outside the pod, on the local
host of my ubuntu host, are always > 1024. For example, let's say I use
the :80 inside a container with nginx. I do expose it as :10080. Then,
to get nginx on port :80 of the physical network card, I do it IP
tables, that I configure in root mode of course. Is it a good practice
or is it unusefully "complex" ? Or is there any better practice to do
that ?
Best Regards,
Mike
Le ven., sept. 9 2022 at 13:04:05 -0400, Chris Evich
<cevich(a)redhat.com> a écrit :
I think perhaps nobody's replied because we don't have enough
environment details. Such as what OS and version, and what version of
podman is this. It looks like you're using CNI networking, so I'm
guessing this is an older version of podman.
In any case, I am not an expert in these things. But I do find it odd
that you would need/want to use the main 'podman' bridge as a rootless
user in this way. Normally rootless networking works quite well with
slirp4netns. So perhaps figuring out why it's not, is a good starting
place?
Otherwise, more details about the environment and what you're trying
to
accomplish would help us answer your questions better.
Chris Evich (he/him), RHCA III
Senior Quality Assurance Engineer
Nearly all opportunities, can only be achieved in the future.
On 8/23/22 09:19, Mikhaël MYARA wrote:
> Dear all,
>
> I started with Docker a few weeks ago and understood security
> issues
> coming from the root daemon. I saw that podman was close to Doker
> (and
> it is true, my Dockerfiles worked without modification) and solved
> this
> security issue.
>
> With podman, things work well as long as I use my images /
> containers
> in root mode, using sudo. However nothing works in user mode.
>
> I guess that for security reasons, it would be better, by far, to
> run
> containers in user mode. And I cannot understand how it works.
>
> In root mode, typing "ip a" exhibits an eth0 network card, with
> an
> ip. And when I use this ip with the considered port fron the
> outside of
> the container (i.e. from the main OS), it works
> In rootless mode, the same command gives a tap0 interface instead,
> with another ip on another sob network I guess.
>
> now if I force the usage of the podman network (in rootless
> mode),
> with --network podman, now I get a eth0 network interface, on the
> same
> sub network as in root mode. It seems to correspond to the
> cni-podman0
> network on the host OS.
> However, when I do :
> telnet 10.88.0.02 8080
> from the podman container, it works, whereas from the host OS, it
> does
> not work, whereas the interface responds to ping from the host.
> Can someone help ?
>
> Regards,
> Mike
>
> _______________________________________________
> Podman mailing list -- podman(a)lists.podman.io
> <mailto:podman@lists.podman.io>
> To unsubscribe send an email to podman-leave(a)lists.podman.io
> <mailto:podman-leave@lists.podman.io>
_______________________________________________
Podman mailing list -- podman(a)lists.podman.io
<mailto:podman@lists.podman.io>
To unsubscribe send an email to podman-leave(a)lists.podman.io
<mailto:podman-leave@lists.podman.io>
5:35 a.m.
Hi Mikhaël,
I created some slides[1] last year to explain how rootless networking works.
However I wanted to ask (if I can) about rootless design : by default,
servers working with ports below 1024 can only run root mode. The
system
can however be configured to overcome that, but I guess that if there is
this protection by default it is for a good reason, even if I don't know
it. So the ports I expose, outside the pod, on the local host of my ubuntu
host, are always > 1024. For example, let's say I use the :80 inside a
container with nginx. I do expose it as :10080. Then, to get nginx on port
:80 of the physical network card, I do it IP tables, that I configure in
root mode of course. Is it a good practice or is it unusefully "complex" ?
Or is there any better practice to do that ?
I think redirecting with iptables or some other firewall frontend is fine.
[1]
https://podman.io/community/meeting/notes/2021-10-05/Podman-Rootless-Netw...
Paul
On Fri, Sep 9, 2022 at 7:29 PM Mikhaël MYARA <
mikhael.myara(a)ies.univ-montp2.fr> wrote:
> Chris, Thanks a lot for your answer !
>
> I finally understood that with podman the concept of "pod" + exposed ports
> solved what I wanted to do, it works perfectly : at the time I did write
> the first email, I used podman exactly like I used docker and didn't know
> about "pods". It is of course a bit frustrating not to have understood
> these differend kinds of network managements, in root or rootless mode, but
> at the moment it is not a real problem for what I do work on. I guess my
> knowledge of networks in root or user mode with linux is too superficial,
> and that fact explains my problems with that. But again, I have a practical
> solution : pods, that solves perfectly my problem.
>
> So everythinkg is ok for me. To answer your question, I work on ubuntu
> 22.04 with the last supported version for ubuntu, that is podman 3.3.4. But
> for the time being, my problem is solved.
>
> However I wanted to ask (if I can) about rootless design : by default,
servers working with ports below 1024 can only run root mode. The
system
can however be configured to overcome that, but I guess that if there is
this protection by default it is for a good reason, even if I don't know
it. So the ports I expose, outside the pod, on the local host of my ubuntu
host, are always > 1024. For example, let's say I use the :80 inside a
container with nginx. I do expose it as :10080. Then, to get nginx on port
:80 of the physical network card, I do it IP tables, that I configure in
root mode of course. Is it a good practice or is it unusefully "complex" ?
Or is there any better practice to do that ?
> Best Regards,
> Mike
>
> Le ven., sept. 9 2022 at 13:04:05 -0400, Chris Evich <cevich(a)redhat.com>
> a écrit :
>
> I think perhaps nobody's replied because we don't have enough environment
> details. Such as what OS and version, and what version of podman is this.
> It looks like you're using CNI networking, so I'm guessing this is an older
> version of podman. In any case, I am not an expert in these things. But I
> do find it odd that you would need/want to use the main 'podman' bridge as
> a rootless user in this way. Normally rootless networking works quite well
> with slirp4netns. So perhaps figuring out why it's not, is a good starting
> place? Otherwise, more details about the environment and what you're trying
> to accomplish would help us answer your questions better. Chris Evich
> (he/him), RHCA III Senior Quality Assurance Engineer Nearly all
> opportunities, can only be achieved in the future. On 8/23/22 09:19,
> Mikhaël MYARA wrote:
>
> Dear all, I started with Docker a few weeks ago and understood security
> issues coming from the root daemon. I saw that podman was close to Doker
> (and it is true, my Dockerfiles worked without modification) and solved
> this security issue. With podman, things work well as long as I use my
> images / containers in root mode, using sudo. However nothing works in user
> mode. I guess that for security reasons, it would be better, by far, to
> run containers in user mode. And I cannot understand how it works. In
> root mode, typing "ip a" exhibits an eth0 network card, with an ip. And
> when I use this ip with the considered port fron the outside of the
> container (i.e. from the main OS), it works In rootless mode, the same
> command gives a tap0 interface instead, with another ip on another sob
> network I guess. now if I force the usage of the podman network (in
> rootless mode), with --network podman, now I get a eth0 network interface,
> on the same sub network as in root mode. It seems to correspond to the
> cni-podman0 network on the host OS. However, when I do : telnet
> 10.88.0.02 8080 from the podman container, it works, whereas from the host
> OS, it does not work, whereas the interface responds to ping from the
> host. Can someone help ? Regards, Mike
> _______________________________________________ Podman mailing list --
> podman(a)lists.podman.io To unsubscribe send an email to
> podman-leave(a)lists.podman.io
>
> _______________________________________________ Podman mailing list --
> podman(a)lists.podman.io To unsubscribe send an email to
> podman-leave(a)lists.podman.io
>
> _______________________________________________
> Podman mailing list -- podman(a)lists.podman.io
> To unsubscribe send an email to podman-leave(a)lists.podman.io
>
5:41 a.m.
Very nice document ! I did not find it when googling, perhaps didn't I
use the good keywords.
What missed me was simply : allow_host_loopback=true ! But "pods" are
better for what I do.
Another question : If I have several websites (80/443) with various
domain names, each one in a container. Is it a good solution to use a
proxy on the host in order to "route" the good name to the good
container port ?
Thanks a lot !
Mike
Le lun., sept. 12 2022 at 11:35:34 +0200, Paul Holzinger
<pholzing(a)redhat.com> a écrit :
Hi Mikhaël,
I created some slides[1] last year to explain how rootless networking
works.
> However I wanted to ask (if I can) about rootless design : by
> default, servers working with ports below 1024 can only run root
> mode. The system can however be configured to overcome that, but I
> guess that if there is this protection by default it is for a good
> reason, even if I don't know it. So the ports I expose, outside the
> pod, on the local host of my ubuntu host, are always > 1024. For
> example, let's say I use the :80 inside a container with nginx. I do
> expose it as :10080. Then, to get nginx on port :80 of the physical
> network card, I do it IP tables, that I configure in root mode of
> course. Is it a good practice or is it unusefully "complex" ? Or is
> there any better practice to do that ?
I think redirecting with iptables or some other firewall frontend is
fine.
[1]
<https://podman.io/community/meeting/notes/2021-10-05/Podman-Rootless-Netw...
Paul
On Fri, Sep 9, 2022 at 7:29 PM Mikhaël MYARA
<mikhael.myara(a)ies.univ-montp2.fr
<mailto:mikhael.myara@ies.univ-montp2.fr>> wrote:
> Chris, Thanks a lot for your answer !
>
> I finally understood that with podman the concept of "pod" + exposed
> ports solved what I wanted to do, it works perfectly : at the time I
> did write the first email, I used podman exactly like I used docker
> and didn't know about "pods". It is of course a bit frustrating not
> to have understood these differend kinds of network managements, in
> root or rootless mode, but at the moment it is not a real problem
> for what I do work on. I guess my knowledge of networks in root or
> user mode with linux is too superficial, and that fact explains my
> problems with that. But again, I have a practical solution : pods,
> that solves perfectly my problem.
>
> So everythinkg is ok for me. To answer your question, I work on
> ubuntu 22.04 with the last supported version for ubuntu, that is
> podman 3.3.4. But for the time being, my problem is solved.
>
> However I wanted to ask (if I can) about rootless design : by
> default, servers working with ports below 1024 can only run root
> mode. The system can however be configured to overcome that, but I
> guess that if there is this protection by default it is for a good
> reason, even if I don't know it. So the ports I expose, outside the
> pod, on the local host of my ubuntu host, are always > 1024. For
> example, let's say I use the :80 inside a container with nginx. I do
> expose it as :10080. Then, to get nginx on port :80 of the physical
> network card, I do it IP tables, that I configure in root mode of
> course. Is it a good practice or is it unusefully "complex" ? Or is
> there any better practice to do that ?
>
> Best Regards,
> Mike
>
> Le ven., sept. 9 2022 at 13:04:05 -0400, Chris Evich
> <cevich(a)redhat.com <mailto:cevich@redhat.com>> a écrit :
>>
>> I think perhaps nobody's replied because we don't have enough
>> environment details. Such as what OS and version, and what version
>> of
>> podman is this. It looks like you're using CNI networking, so I'm
>> guessing this is an older version of podman.
>>
>> In any case, I am not an expert in these things. But I do find it
>> odd
>> that you would need/want to use the main 'podman' bridge as a
>> rootless
>> user in this way. Normally rootless networking works quite well
>> with
>> slirp4netns. So perhaps figuring out why it's not, is a good
>> starting
>> place?
>>
>> Otherwise, more details about the environment and what you're
>> trying to
>> accomplish would help us answer your questions better.
>>
>>
>> Chris Evich (he/him), RHCA III
>> Senior Quality Assurance Engineer
>> Nearly all opportunities, can only be achieved in the future.
>>
>> On 8/23/22 09:19, Mikhaël MYARA wrote:
>>> Dear all,
>>>
>>> I started with Docker a few weeks ago and understood security
>>> issues
>>> coming from the root daemon. I saw that podman was close to Doker
>>> (and
>>> it is true, my Dockerfiles worked without modification) and solved
>>> this
>>> security issue.
>>>
>>> With podman, things work well as long as I use my images /
>>> containers
>>> in root mode, using sudo. However nothing works in user mode.
>>>
>>> I guess that for security reasons, it would be better, by far,
>>> to run
>>> containers in user mode. And I cannot understand how it works.
>>>
>>> In root mode, typing "ip a" exhibits an eth0 network card,
>>> with an
>>> ip. And when I use this ip with the considered port fron the
>>> outside of
>>> the container (i.e. from the main OS), it works
>>> In rootless mode, the same command gives a tap0 interface
>>> instead,
>>> with another ip on another sob network I guess.
>>>
>>> now if I force the usage of the podman network (in rootless
>>> mode),
>>> with --network podman, now I get a eth0 network interface, on the
>>> same
>>> sub network as in root mode. It seems to correspond to the
>>> cni-podman0
>>> network on the host OS.
>>> However, when I do :
>>> telnet 10.88.0.02 8080
>>> from the podman container, it works, whereas from the host OS, it
>>> does
>>> not work, whereas the interface responds to ping from the host.
>>> Can someone help ?
>>>
>>> Regards,
>>> Mike
>>>
>>> _______________________________________________
>>> Podman mailing list -- podman(a)lists.podman.io
>>> <mailto:podman@lists.podman.io>
>>> To unsubscribe send an email to podman-leave(a)lists.podman.io
>>> <mailto:podman-leave@lists.podman.io>
>> _______________________________________________
>> Podman mailing list -- podman(a)lists.podman.io
>> <mailto:podman@lists.podman.io>
>> To unsubscribe send an email to podman-leave(a)lists.podman.io
>> <mailto:podman-leave@lists.podman.io>
> _______________________________________________
> Podman mailing list -- podman(a)lists.podman.io
> <mailto:podman@lists.podman.io>
> To unsubscribe send an email to podman-leave(a)lists.podman.io
> <mailto:podman-leave@lists.podman.io>
9:29 a.m.
On 9/9/22 13:27, Mikhaël MYARA wrote:
that I configure in root mode of course. Is it a good practice or is
it
unusefully "complex" ? Or is there any better practice to do that ?
Yeah, pods are the way to control resources shared among one or more
containers. They're also a small step toward Kubernetes, where pods are
very much central to operations. In any case, I'm glad you figured out
the issue.
Re: ports, yes, using SNAT redirects/forwarding is the way to go. This
also gives you flexibility for testing and implementing various
deployment strategies such as red-green or canary. i.e. you redirect
some of the traffic to an alternate (new) pod where you monitor for
function and failures.
---
Chris Evich (he/him), RHCA III
Senior Quality Assurance Engineer
Nearly all opportunities, can only be achieved in the future.
803
days inactive
823
days old
5 comments
3 participants
participants (3)
-
Chris Evich -
Mikhaël MYARA -
Paul Holzinger