The hostname and its requirement capabilities #13

Open
PedroRegisPOAR opened this issue Jan 20, 2022 · 2 comments

PedroRegisPOAR commented Jan 20, 2022

Jörg 'Mic92' Thalheim - About Nix sandboxes and breakpoints (NixCon 2018), start=903&end=916

Jörg 'Mic92' Thalheim - About Nix sandboxes and breakpoints (NixCon 2018), start=853&end=963

TODO: test it

podman run --user 100 --cap-add=DAC_OVERRIDE --privileged --rm busybox grep ^Cap /proc/self/

Refs.:

podman \
run \
--interactive=true \
--tty=false \
--cap-add=SYS_ADMIN \
docker.io/library/alpine \
sh \
<<'COMMANDS'
hostname

hostname abc123

hostname
COMMANDS

cat << 'EOF' > Dockerfile
FROM docker.io/library/alpine as test-hostname
RUN hostname && hostname abc123 && hostname
EOF

podman \
build \
--cap-add=SYS_ADMIN \
--file Dockerfile \
--target test-hostname \
--tag test-hostname \
.

Refs.:

podman \
run \
--interactive=true \
--tty=false \
--cap-add=CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_DAC_READ_SEARCH,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_SETGID,CAP_SETUID,CAP_SETPCAP,CAP_LINUX_IMMUTABLE,CAP_NET_BIND_SERVICE,CAP_NET_BROADCAST,CAP_NET_ADMIN,CAP_NET_RAW,CAP_IPC_LOCK,CAP_IPC_OWNER,CAP_SYS_MODULE,CAP_SYS_RAWIO,CAP_SYS_CHROOT,CAP_SYS_PTRACE,CAP_SYS_PACCT,CAP_SYS_BOOT,CAP_SYS_NICE,CAP_SYS_RESOURCE,CAP_SYS_TIME,CAP_SYS_TTY_CONFIG,CAP_MKNOD,CAP_LEASE,CAP_AUDIT_WRITE,CAP_AUDIT_CONTROL,CAP_SETFCAP,CAP_MAC_OVERRIDE,CAP_MAC_ADMIN,CAP_SYSLOG,CAP_WAKE_ALARM,CAP_BLOCK_SUSPEND,CAP_AUDIT_READ,CAP_PERFMON,CAP_BPF,CAP_CHECKPOINT_RESTORE \
docker.io/library/alpine \
sh \
<<'COMMANDS'
hostname

hostname abc123

hostname
COMMANDS

podman \
run \
--interactive=true \
--tty=false \
--uts=private \
--net=private \
docker.io/library/alpine \
sh \
<<'COMMANDS'
hostname

hostname abc123

hostname
COMMANDS

Magic command:

podman run --privileged=true --user 1234 fedora:36 sh -c 'capsh --print | grep Bounding | cut -d= -f2 | tr a-z A-Z'

podman \
run \
--interactive=true \
--tty=false \
--privileged=true \
--user=1234 \
fedora:36 sh \
<<'COMMANDS'
capsh --print | grep Bounding | cut -d= -f2 | tr a-z A-Z | tr ',' '\n' | sort -h
COMMANDS

CAP_AUDIT_CONTROL
CAP_AUDIT_READ
CAP_AUDIT_WRITE
CAP_BLOCK_SUSPEND
CAP_BPF
CAP_CHECKPOINT_RESTORE
CAP_CHOWN
CAP_DAC_OVERRIDE
CAP_DAC_READ_SEARCH
CAP_FOWNER
CAP_FSETID
CAP_IPC_LOCK
CAP_IPC_OWNER
CAP_KILL
CAP_LEASE
CAP_LINUX_IMMUTABLE
CAP_MAC_ADMIN
CAP_MAC_OVERRIDE
CAP_MKNOD
CAP_NET_ADMIN
CAP_NET_BIND_SERVICE
CAP_NET_BROADCAST
CAP_NET_RAW
CAP_PERFMON
CAP_SETFCAP
CAP_SETGID
CAP_SETPCAP
CAP_SETUID
CAP_SYSLOG
CAP_SYS_ADMIN
CAP_SYS_BOOT
CAP_SYS_CHROOT
CAP_SYS_MODULE
CAP_SYS_NICE
CAP_SYS_PACCT
CAP_SYS_PTRACE
CAP_SYS_RAWIO
CAP_SYS_RESOURCE
CAP_SYS_TIME
CAP_SYS_TTY_CONFIG
CAP_WAKE_ALARM

It would be so easy, but it is broken:

podman \
run \
-it \
--rm \
-u podman \
quay.io/podman/stable \
bash \
-c \
'podman run --privileged=true -it --rm -v /proc/:/proc ubuntu:22.04 bash -c "hostname foo-bar"'
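The "magic command" above reads the bounding set through capsh, which is not present in every image. As an added example (not code from this issue or from podman), the following POSIX shell script decodes the CapBnd/CapEff masks that /proc/<pid>/status reports into the same CAP_* names, and checks for CAP_SYS_ADMIN, which sethostname(2) requires in the caller's UTS namespace. Function names, the sample status file and the mask values are constructed for the example; the bit numbering is the kernel's (linux/capability.h), and the 14-capability mask used for CapEff is the classic Docker default set.

```shell
#!/bin/sh
# Decode the capability bitmasks from /proc/<pid>/status (CapBnd, CapEff, ...)
# into CAP_* names, so a container's capability set can be checked without capsh.
# Bit positions follow linux/capability.h: CAP_CHOWN is bit 0, CAP_SYS_ADMIN bit 21,
# CAP_CHECKPOINT_RESTORE bit 40.
CAP_NAMES="CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID \
SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK \
IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN SYS_BOOT \
SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE AUDIT_CONTROL \
SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON \
BPF CHECKPOINT_RESTORE"

# cap_names_from_mask HEXMASK: print one CAP_* name per line for every set bit.
cap_names_from_mask() {
    bit=0
    for name in $CAP_NAMES; do
        if [ $(( (0x$1 >> $bit) & 1 )) -eq 1 ]; then
            echo "CAP_$name"
        fi
        bit=$((bit + 1))
    done
}

# cap_count HEXMASK: number of capabilities set in the mask.
cap_count() {
    cap_names_from_mask "$1" | wc -l | tr -d ' '
}

# has_cap HEXMASK CAP_NAME: succeed (exit 0) if that capability bit is set.
has_cap() {
    cap_names_from_mask "$1" | grep -qx "$2"
}

# cap_field STATUSFILE FIELD: the hex mask of e.g. CapEff or CapBnd from a status file.
cap_field() {
    awk -v f="$2:" '$1 == f { print $2 }' "$1"
}

# hostname_check STATUSFILE: report whether sethostname(2) would be permitted for the
# process; it needs CAP_SYS_ADMIN in the effective set (assuming a private UTS namespace).
hostname_check() {
    eff=$(cap_field "$1" CapEff)
    if has_cap "$eff" CAP_SYS_ADMIN; then
        echo "CapEff=$eff has CAP_SYS_ADMIN: hostname can be changed"
    else
        echo "CapEff=$eff lacks CAP_SYS_ADMIN: hostname change will fail with EPERM"
    fi
}

# Constructed sample status file (not captured from a real container): CapEff is the
# classic 14-capability Docker default set, CapBnd is the full 41-bit set, as a
# --privileged container shows it.
SAMPLE_STATUS=$(mktemp)
cat > "$SAMPLE_STATUS" <<'EOF'
Name:   sh
Uid:    0       0       0       0
CapInh: 0000000000000000
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000
EOF

hostname_check "$SAMPLE_STATUS"
echo "bounding set: $(cap_count "$(cap_field "$SAMPLE_STATUS" CapBnd)") capabilities"
rm -f "$SAMPLE_STATUS"

# On a live system, the same check against the current process:
[ -r /proc/self/status ] && hostname_check /proc/self/status
```

Run inside a container as `podman run ... image sh -c 'grep ^Cap /proc/self/status'` and feed the masks to these functions to compare with the capsh listing. Note that CapBnd and CapEff differ for a non-root `--user`: the bounding set bounds what the process could ever gain, while the effective set of a non-root uid is empty unless capabilities were made ambient, so a full bounding set alone does not mean `hostname abc123` will succeed.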
PedroRegisPOAR (author) commented:

# xhost + disables X server access control; the closing xhost - re-enables it
xhost + \
&& { podman \
run \
--cap-add=SYS_ADMIN \
--device=/dev/kvm \
--device=/dev/fuse \
--log-level=error \
--env="DISPLAY=${DISPLAY:-:0.0}" \
--env=PATH=/root/.nix-profile/bin:/usr/bin:/bin \
--interactive=true \
--privileged=false \
--tty=false \
--rm=true \
--user=0 \
--volume=/tmp/.X11-unix:/tmp/.X11-unix:ro \
--volume=/etc/localtime:/etc/localtime:ro \
--volume="$(pwd)":/code \
--workdir=/code \
docker.io/nixpkgs/nix-flakes \
<<'COMMANDS'  # delimiter quoted so that $? below is evaluated inside the container, not by the host shell
nix \
profile \
install \
nixpkgs#nettools \
nixpkgs#coreutils \
nixpkgs#xorg.xclock \
nixpkgs#file


timeout 10 xclock || test $? -eq 124 || echo 'Error, something went wrong in xclock test!'


hostname

hostname abc123

hostname


touch example-file.txt
stat example-file.txt

COMMANDS
} && xhost -

stat example-file.txt

podman \
run \
--cap-add SYS_ADMIN \
--cap-add SYS_RESOURCE \
--device=/dev/kvm \
--device=/dev/fuse \
--log-level=error \
--env STORAGE_DRIVER=vfs \
--env="DISPLAY=${DISPLAY:-:0.0}" \
--env=PATH=/root/.nix-profile/bin:/usr/bin:/bin \
--interactive=true \
--privileged=true \
--tty=true \
--rm=true \
--security-opt seccomp=unconfined \
--security-opt label=disable \
--user=0 \
--volume=/tmp/.X11-unix:/tmp/.X11-unix:ro \
--volume=/etc/localtime:/etc/localtime:rw \
--volume=/proc/:/proc/:rw \
--volume="$(pwd)":/code \
--workdir=/code \
docker.io/nixpkgs/nix-flakes

stat /proc/1/environ

PedroRegisPOAR (author) commented May 2, 2022

# xhost + disables X server access control; the closing xhost - re-enables it
xhost + \
&& { podman \
run \
--cap-add=SYS_ADMIN \
--device=/dev/kvm \
--device=/dev/fuse \
--log-level=error \
--env="DISPLAY=${DISPLAY:-:0.0}" \
--env=PATH=/root/.nix-profile/bin:/usr/bin:/bin \
--interactive=true \
--privileged=false \
--tty=false \
--rm=true \
--user=0 \
--volume=/tmp/.X11-unix:/tmp/.X11-unix:ro \
--volume=/etc/localtime:/etc/localtime:ro \
--volume="$(pwd)":/code \
--workdir=/code \
docker.io/nixpkgs/nix-flakes \
<<'COMMANDS'  # delimiter quoted so that $? below is evaluated inside the container, not by the host shell
nix \
profile \
install \
nixpkgs#nettools \
nixpkgs#coreutils \
nixpkgs#xorg.xclock \
nixpkgs#file


timeout 10 xclock || test $? -eq 124 || echo 'Error, something went wrong in xclock test!'


hostname

hostname abc123

hostname


touch example-file.txt
stat example-file.txt

COMMANDS
} && xhost -

stat example-file.txt

podman \
run \
--device=/dev/kvm \
--device=/dev/fuse \
--log-level=error \
--env STORAGE_DRIVER=vfs \
--env="DISPLAY=${DISPLAY:-:0.0}" \
--env=PATH=/root/.nix-profile/bin:/usr/bin:/bin \
--interactive=true \
--privileged=true \
--tty=true \
--rm=true \
--security-opt seccomp=unconfined \
--security-opt label=disable \
--user=0 \
--volume=/tmp/.X11-unix:/tmp/.X11-unix:ro \
--volume=/etc/localtime:/etc/localtime:ro \
--volume=/proc/:/proc/:rw \
--volume="$(pwd)":/code \
--workdir=/code \
docker.io/nixpkgs/nix-flakes \
bash \
-c \
'stat /proc/1/environ'

podman run --user 200:200 -it -v "$(pwd)":/mnt:Z busybox sh -c 'id'
