![Podmanlogo](Pictures/podman-logo.png)

# Security with Podman rootless containers

Podman is a container engine designed to work with rootless containers, meaning there is no need to use sudo to run your containers. If you have experience with other container engines you may have used sudo or even added your non-root user to a privileged group. This is, of course, a concern for the security of your environment.

Running a container engine as the root user exposes two important ways of attacking your system:

 - If your container engine has a vulnerability, your entire system can be compromised, because the container engine's process is owned by the root user.
 - If a container image contains a vulnerability, an attacker could exploit it to get into the running container and, because that container is being executed by the root user, gain access to the whole system from it.

Podman has a simple solution for this: don't run as root. By default Podman is rootless, but you can still use root for those edge cases in which it is needed.

Running containers with non-root users also gives you the ability to isolate groups of containers run by different users on the same system. Let's say you have Application A composed of three containers (frontend, backend and database) and Application B composed of two containers (frontend and backend). The applications do not interact with each other, so you would like to isolate them. In this scenario you can simply create two users (application-a-user and application-b-user) and instantiate each application with its own user. Once you do that, a successfully attacked Application B would not expose any containers of Application A.

Of course, there are some scenarios in which running rootless containers could limit functionality. Let's review the most common caveats of rootless containers:

 - Ports below 1024 cannot be bound by a rootless container out of the box. There are workarounds for this.
 - Sharing images between users needs to be done via [this process](https://www.redhat.com/sysadmin/podman-transfer-container-images-without-registry?ref=linuxhandbook.com).

## Rootless containers with podman

The first thing we need to understand is that on a Linux system each user has a range of subordinate UIDs (subuids) and subordinate GIDs (subgids) that can be used for running processes. These can be found in the files /etc/subuid and /etc/subgid.

In [None]:
%login {{ hostvars[inventory_hostname]['IP-WKSHP-Podman101'] }}

In [None]:
grep "^$(whoami):" /etc/subuid

In [None]:
grep "^$(whoami):" /etc/subgid

The output of those two files shows the range of subuids and subgids your user can use when executing processes. These values can be modified with the usermod command, but we will not cover that in this workshop.
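To make the mapping concrete, here is an added example (not part of the workshop material) that works out which host UID a given UID inside a rootless container lands on. It uses constructed sample /etc/subuid contents for two hypothetical users, `student1` and `student2`, and assumes Podman's default rootless mapping: container UID 0 maps to the user's own UID, and container UIDs 1..count map to the subuid range start..start+count-1 (this is what `podman unshare cat /proc/self/uid_map` shows unless you use `--userns=keep-id`).

```shell
#!/bin/sh
# Constructed sample of /etc/subuid (embedded so the script runs offline,
# not read from the real file). Format is user:start:count.
SAMPLE_SUBUID='student1:100000:65536
student2:165536:65536'

# subuid_range USER SUBUID_CONTENT
# Prints "start count" for USER, matching the whole user name (not a substring).
subuid_range() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $2, $3; exit }'
}

# host_uid USER REAL_UID CONTAINER_UID SUBUID_CONTENT
# Prints the host UID that CONTAINER_UID is mapped to for USER under the
# default rootless mapping (assumption: no --userns=keep-id), or "unmapped"
# (exit status 1) when CONTAINER_UID falls outside the user's subuid range.
host_uid() {
    user=$1; real=$2; cuid=$3; content=$4
    if [ "$cuid" -eq 0 ]; then
        # Container root is the unprivileged user itself on the host.
        echo "$real"
        return 0
    fi
    set -- $(subuid_range "$user" "$content")
    start=$1; count=$2
    if [ -z "$start" ] || [ "$cuid" -gt "$count" ]; then
        echo "unmapped"
        return 1
    fi
    echo $((start + cuid - 1))
}

# Usage: show where root and a "high" UID inside student1's container end up.
host_uid student1 1000 0 "$SAMPLE_SUBUID"
host_uid student1 1000 1 "$SAMPLE_SUBUID"
host_uid student1 1000 65537 "$SAMPLE_SUBUID"
```

The point for the security discussion above: even if a process becomes root inside the container, the kernel sees it as UID 1000 (or a subuid such as 100000), none of which carry privileges on the host.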

Let's see rootless containers in action. First we will start a new container:

In [None]:
podman run -d --rm --name=rootless-container docker.io/redhat/ubi9 sleep 999

Check that your container is running:

In [None]:
podman ps

Now use the ps command to see the UID of the user that is running our container's process.

In [None]:
ps -f -p "$(pgrep -d, -f rootless-container)" | grep student{{ STDID }}

As you can see, the output shows the container process running under a non-privileged UID.
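The manual ps check above can be turned into a small audit. The following is an added example, not part of the workshop, that scans a constructed sample of `ps -eo uid,pid,args` output and reports, for each container launched by conmon (Podman's container monitor, identified here by its `-n <name>` argument, which is how it appears in real listings), whether the process is running under an unprivileged host UID. The container names and PIDs in the sample are made up.

```shell
#!/bin/sh
# Constructed sample of `ps -eo uid,pid,args` output (not captured from a live host).
# conmon is started with "-n <container name>", so the name is visible in its args.
SAMPLE_PS='  UID     PID ARGS
 1001    4211 /usr/bin/conmon --api-version 1 -c 9f3a -n rootless-container
 1001    4223 sleep 999
    0     812 /usr/bin/conmon --api-version 1 -c 7c2b -n root-container
    0     830 sleep 999'

# container_uid NAME PS_OUTPUT
# Prints the host UID of the conmon process for container NAME, or nothing if
# no such container is listed. The regex anchors the name so "root-container"
# does not match "rootless-container".
container_uid() {
    printf '%s\n' "$2" | awk -v n="$1" '$0 ~ ("-n " n "( |$)") { print $1; exit }'
}

# container_is_rootless NAME PS_OUTPUT
# Succeeds (exit 0) only when the container exists and its host UID is not 0.
container_is_rootless() {
    uid=$(container_uid "$1" "$2")
    [ -n "$uid" ] && [ "$uid" -ne 0 ]
}

# audit_containers PS_OUTPUT
# Prints one line per container: "<name> <uid> rootless|ROOT".
audit_containers() {
    printf '%s\n' "$1" | awk '
        /conmon/ {
            for (i = 1; i <= NF; i++) if ($i == "-n") name = $(i + 1)
            print name, $1, ($1 == 0 ? "ROOT" : "rootless")
        }'
}

# Usage: on a real host replace SAMPLE_PS with "$(ps -eo uid,pid,args)".
audit_containers "$SAMPLE_PS"
```

A container reported as ROOT is exactly the case the section warns about: a vulnerability in that image or in the engine is then a vulnerability in a root-owned process.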

The last point to highlight regarding security is that we never used sudo to run podman. In fact, we have not used the root user at any point in this workshop, in line with security best practices.

# Cleanup

In [None]:
podman stop --all
podman rm --all
podman rmi docker.io/redhat/ubi9

In [None]:
%logout

## Next Steps

Next lab: [Lab 4: Managing multiple containers](5-WKSHP-Managing-multiple-containers.ipynb)

Back: [Managing container images](3-WKSHP-Managing-container-images.ipynb)
