Support a setuid/setcap helper and/or privileged service for networking and/or container setup #13706
Comments
openshift-ci
bot
added
the
kind/feature
|
I am really against this. First of the argument slirp4netns has been a source of security problems in the past doesn't make sense when you ask for a privileged helper program. How can we make sure this helper program would have no security issues? We can't and it it would be much worse since the program would have more privileges that can be exploited. How can we make sure that a user doesn't abuse this and creates interfaces with ip addresses that could conflict with the normal host routing? I understand the performance part but this still this is not really possible. Because podman always joins the rootless user namespace it cannot execute setuid programs afterwards, the root uid is not mapped. To circumvent this we would require a persistent daemon running. I don't think this is a godd idea. It is certainly against podman principles, we try to avoid daemons as much as possible and it will cause more security problems. Note that you can do this today manually. Create a netns, configure it manually and use it with |
|
I agree totally with @Luap99. We want to do as much as possible without additional privileges, and talking to privileged daemons shipped by Podman is not something we want to support. Podman needs to work within the constraints of a rootless user. Allowing users to setup their own network namespace and allow that to joined to a Podman container is the best we can do. |
I guess this really needs to be handled on the kernel side, or perhaps by
The problem with this approach is that it (rather obviously) does not scale. |
|
Lets take a step back. What is your goal? Is it to have developers running and building containers via rootless mode, or do you just want to make sure that containers do not have a process in them that is running as full root? If the second, have you looked at This command will run podman containers in a unigue UserNS isolated from the host, but be started as root, allowing you flexibility with the network stack. I believe this is the way that containers in production launched by podman should run rather then being launched by a rootless user. |
My goal is twofold:
Would it be possible to add a note that rootless Podman is not intended for production environments, and that |
|
Saying rootless podman should not be used in production sounds wrong, I see no problem with doing this. If you are just looking at a slirp4netns alternative you can look at I don't understand the assumption that if we would write it from scratch that it would be more secure somehow. |
The difference is the choice of programming language. C is a poor choice for this. |
There is a potential licensing problem. Google and many other companies won’t touch AGPL code. |
|
If speed is a concern, https://github.com/rootless-containers/bypass4netns is an option - it's purely an extension of slirp but I've heard good things about its performance improvements. |
Looks like it has TOCTOU security problems. The only solution I can think of is for the bypass code to open the socket itself. |
github-actions
bot
added
the
locked - please file new issue/PR
Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)
/kind feature
Description
Currently, rootless Podman uses slirp4netns, which is slow and has been a source of security problems in the past. One alternative would be to use native Linux kernel networking. This requires privileges on the host, however, which is why rootless Podman cannot currently support it.
This can be avoided by relying on a privileged daemon on the host, which will have better performance.
The text was updated successfully, but these errors were encountered: