On 2020-01-18 08:26, Robert P. J. Day wrote:
> colleague just presented me with this question ... he was following
> an example that showed how, when started with docker, a process
> running as root in the container was also running as root on the host.
> the example he showed me was to fire up an alpine image, verify that
> the user account was root inside the container, then start a "sleep
> 100" command, open another terminal on the host, and check the
> properties of running sleep commands, whereupon he saw:
>
> $ ps -fC sleep
> UID ... CMD
> root sleep 100
> $
>
> i did exactly the same thing on my fedora 31 system but i have docker
> aliased to podman, and when i did the same thing, back on the host, i
> got:
>
> $ ps -fC sleep
> UID PID PPID C STIME TTY TIME CMD
> rpjday 24268 21319 0 08:23 pts/0 00:00:00 sleep 42
>
> in short, while the sleep process was owned by root in the container,
> on the host, it is clearly owned by me.
>
> i wasn't sure how to explain that, other than to suggest that
> podman, by default, doesn't map root in container to root on host. is
> there an explanation i could point him to to understand why running
> under podman behaved differently? thanks.
>
> rday
It looks like you're running Podman without root here; your colleague
may be doing the same, but it's likely because he added his user to
the Docker group, giving him access to the Docker API socket. This
allows his user to connect to the Docker daemon, running as root, and
run containers with full root privileges (it's effectively the same as
giving a user passwordless sudo).
Podman, however, does not have a daemon. If you take a look at the
Podman binary, you'll also notice that it's not setuid/setgid; when
Podman is run without root, we run containers with no added privileges
that the user who ran the container does not have. This is a major
security benefit (though there are certain things you can't do in a
rootless Podman container, such as making changes to the system that
would require root; some VPNs need to do this, for example).
Inside the container, you'll likely see that the command you're
running believes that it is UID 0, even though your `ps` command shows
that it is running as your user. This is thanks to user namespaces. We
map your user into the container as UID 0, which allows you to act as
root within the container. On the outside of the container, though,
the container process is still your user (which is why you can't make
system policy changes - normal security policy prevents unprivileged
users from doing these things, so the container running as your user
is no different).
If you were to run a Podman container as root using sudo or su, you'll
see that the container process is actually root on the system - no
user namespace is used, as we already have full privileges, and don't
need one.
I hope this answers your question, but feel free to ask follow-ups if
anything is unclear.
Thanks,
Matt Heon
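The UID mapping Matt describes is visible from inside the container in /proc/self/uid_map. The following script is an added illustration (not part of this thread or of Podman itself) that parses such a map and translates a container-side UID to the host UID; the sample map values (host user 1000, subuid range starting at 100000) are assumed, not taken from the thread.

```shell
#!/bin/sh
# Added example: translate a container-side UID to its host UID using the
# kernel's user-namespace map. Each /proc/<pid>/uid_map line reads:
#   <inside-start> <outside-start> <count>
# Rootless Podman maps your own UID to 0 and a /etc/subuid range to 1..N,
# which is why "root" in the container shows up as your user in ps on the host.

# Constructed sample map (assumed values: host UID 1000, subuid 100000-165535).
SAMPLE_UID_MAP="0 1000 1
1 100000 65536"

# map_uid <container_uid> [uid_map_file]
# Prints the host UID for a container UID, or "unmapped" (exit 1) when no
# range covers it (the kernel shows such IDs as the overflow UID, usually 65534).
map_uid() {
    inside="$1"
    map="${2:-/proc/self/uid_map}"
    while read -r in_start out_start count; do
        [ -z "$in_start" ] && continue
        if [ "$inside" -ge "$in_start" ] && [ "$inside" -lt $((in_start + count)) ]; then
            echo $((out_start + inside - in_start))
            return 0
        fi
    done < "$map"
    echo unmapped
    return 1
}

# is_rootless [uid_map_file]
# The initial user namespace carries the identity map "0 0 4294967295";
# anything else means the process is inside a user namespace (exit 0).
is_rootless() {
    map="${1:-/proc/self/uid_map}"
    read -r in_start out_start count < "$map"
    [ "$in_start" = 0 ] && [ "$out_start" = 0 ] && [ "$count" = 4294967295 ] && return 1
    return 0
}

# Demo against the constructed map written to a temporary file.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_UID_MAP" > "$tmp"
is_rootless "$tmp" && echo "sample map: a user namespace is in use (rootless)"
echo "container root (uid 0) -> host uid $(map_uid 0 "$tmp")"
echo "container uid 1        -> host uid $(map_uid 1 "$tmp")"
map_uid 70000 "$tmp" >/dev/null || echo "container uid 70000 has no host mapping"
rm -f "$tmp"
```

Run it inside a rootless container with no file argument to read the container's own /proc/self/uid_map; under sudo-run Podman, is_rootless reports the identity map instead.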
Podman mailing list -- podman(a)lists.podman.io