Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Podman includes host /etc/hosts in container /etc/hosts #11835

Closed
pboguslawski opened this issue Oct 1, 2021 · 13 comments
Closed

Podman includes host /etc/hosts in container /etc/hosts #11835

pboguslawski opened this issue Oct 1, 2021 · 13 comments
Assignees
@rhatdan
Labels
kind/feature Categorizes issue or PR as related to a new feature. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. stale-issue

Comments

@pboguslawski
Copy link

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

podman run includes /etc/hosts records from host into /etc/hosts in container; this is security issue; podman should extend existing /etc/hosts from image (or create from scratch if absent) for container only with its own records and records added explicity by admin with --add-host, similar like docker works

https://docs.docker.com/engine/reference/run/#managing-etchosts

/etc/hosts on host may contain stuff that should not be known for container, i.e. addresses of other containers on same machine, hidden from given container, external network names not available for container, etc.

Output of podman version:

# podman version
Version:      3.0.1
API Version:  3.0.0
Go Version:   go1.15.9
Built:        Thu Jan  1 01:00:00 1970
OS/Arch:      linux/amd64

Output of podman info --debug:

host:
  arch: amd64
  buildahVersion: 1.19.6
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: 'conmon: /usr/bin/conmon'
    path: /usr/bin/conmon
    version: 'conmon version 2.0.25, commit: unknown'
  cpus: 2
  distribution:
    distribution: debian
    version: "11"
  eventLogger: journald
  hostname: [...]
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 5.10.0-8-amd64
  linkmode: dynamic
  memFree: 686698496
  memTotal: 4122234880
  ociRuntime:
    name: crun
    package: 'crun: /usr/bin/crun'
    path: /usr/bin/crun
    version: |-
      crun version 0.17
      commit: 0e9229ae34caaebcb86f1fde18de3acaf18c6d9a
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  remoteSocket:
    exists: true
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: true
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    selinuxEnabled: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 2147479552
  swapTotal: 2147479552
  uptime: 35m 20.97s
registries: {}
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 14
    paused: 0
    running: 14
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/lib/containers/storage
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 15
  runRoot: /run/containers/storage
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 3.0.0
  Built: 0
  BuiltTime: Thu Jan  1 01:00:00 1970
  GitCommit: ""
  GoVersion: go1.15.9
  OsArch: linux/amd64
  Version: 3.0.1

Package info (e.g. output of rpm -q podman or apt list podman):

# dpkg -s podman | grep Version
Version: 3.0.1+dfsg1-3+b2

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/master/troubleshooting.md)

No

Additional environment details (AWS, VirtualBox, physical, etc.):
@openshift-ci openshift-ci bot added the kind/bug Categorizes issue or PR as related to a bug. label Oct 1, 2021
@mheon
Copy link
Member

mheon commented Oct 2, 2021

I had to double-check against Docker to verify their behavior, but you are correct - they base their /etc/hosts for non---net=host containers off the container's /etc/hosts, not the hosts'. I'm amazed this made it three years without being noticed.

I would consider this a breaking change, so I think this is 4.0 only, no backporting.

@rhatdan
Copy link
Member

rhatdan commented Oct 3, 2021

Yes this should definitely be fixed in 4.0

@rhatdan rhatdan added the 4.0 label Oct 3, 2021
@rhatdan
Copy link
Member

rhatdan commented Oct 3, 2021

Interested in opening a PR to fix?

@pboguslawski pboguslawski mentioned this issue Oct 3, 2021
Closed
@pboguslawski
Copy link
Author

I would consider this a breaking change, so I think this is 4.0 only, no backporting.

Why not to disable leaking /etc/hosts with new, more general flag like in

#11836 (comment)

This won't be breaking change and may be safely backported probably.

@AkihiroSuda
Copy link
Collaborator

/etc/hosts on host may contain stuff that should not be known for container, i.e. addresses of other containers on same machine, hidden from given container, external network names not available for container, etc.

I don’t think /etc/hosts can be a security boundary. Is there any (legacy) product that treats hostnames / IP addresses as “credentials”?

I think the default behavior should remain importing /etc/hosts from the host, but a new CLI flag can be added to change the behavior.

@AkihiroSuda AkihiroSuda mentioned this issue Oct 5, 2021
Open
@mheon
Copy link
Member

mheon commented Oct 5, 2021

Most of my urge to move to using the container's /etc/hosts as a base is to improve our Docker compat - but, then again, no one has complained about this in two years, and the current complaint is security-based, not because it caused any actual functional issues...

@github-actions
Copy link

github-actions bot commented Nov 5, 2021

A friendly reminder that this issue had no activity for 30 days.

@baude
Copy link
Member

baude commented Jan 10, 2022

@cdoern can you see this through to completion?

@cdoern
Copy link
Collaborator

cdoern commented Jan 10, 2022

sure @baude I'll start working on it this week.

@jwhonce jwhonce assigned rhatdan and unassigned cdoern Jan 12, 2022
@jwhonce jwhonce added kind/feature Categorizes issue or PR as related to a new feature. and removed 4.0 kind/bug Categorizes issue or PR as related to a bug. labels Jan 12, 2022
@rhatdan
Copy link
Member

rhatdan commented Jan 13, 2022

What should be the name of the option?

--noleak (And block the leaking of /etc/resolv.conf and /etc/hosts into the container? Any others?

Or just
--nohosts

@rhatdan
Copy link
Member

rhatdan commented Jan 13, 2022

Well we already have --no-hosts, so --share-hosts might be better.

@github-actions
Copy link

A friendly reminder that this issue had no activity for 30 days.

@rhatdan
Copy link
Member

rhatdan commented Feb 14, 2022

podman 4.0 has this feature.

@rhatdan rhatdan closed this as completed Feb 14, 2022
@mheon mheon mentioned this issue Apr 1, 2022
Closed
@ykuksenko ykuksenko mentioned this issue May 16, 2022
Closed
@quazar-omega quazar-omega mentioned this issue May 7, 2023
Closed
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 21, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 21, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@rhatdan rhatdan

Labels
kind/feature Categorizes issue or PR as related to a new feature. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. stale-issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@jwhonce @rhatdan @mheon @pboguslawski @baude @AkihiroSuda @cdoern