-
-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Rootless Podman security update #2393
Rootless Podman security update #2393
Conversation
I recently merged a PR that changed the README. You'll need to resolve the (small) conflict there. I'd also like you to relocate the information in the documentation, at the end of the |
8cf2b61
to
9b9fa95
Compare
I've rebased to the latest master branch, missed the last commit 😅 |
Not much time right now, so just two quick thoughts:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Other than the one comment, @casperklein mentioned the update check. If these two concerns are resolved, I think this PR is fine :D
In rootless podman all IPs are resolved as localhost. This setting allows to enforce authentication even from localhost to circumvent this issue.
Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
Since `none` was added as a new value to the `PERMIT_DOCKER` variable, it requires an additional testcase to check if authentication is enforced on localhost. The methods `setup` and `teardown` have been changed to `setup_file` and `teardown_file` respectively to speed up the testing process.
9b9fa95
to
c9d4c89
Compare
I've applied the suggestion and added a simply testcase. @casperklein you mentioned the issue with the updatescript, how should we overcome that? Authenticate against the server using credentials supplied as environment variables, or simply output to the terminal and leave it up to the user to handle the output if |
Co-authored-by: Casper <casperklein@users.noreply.github.com>
I revoked my comment about the update-check (see my edited comment above). But to be sure, you can test it with something like this: docker exec -it mailserver bash -c 'echo "10.0.0" > /VERSION && supervisorctl restart update-check' |
I see, just did a quick test and it works as you described, thanks 👍 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Excellent first contribution 👌
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thanks
Documentation preview for this PR is ready! 🎉 Built with commit: cbcb09e |
Two more things that came to my mind are
|
I don't have at the moment, but I could set it up within the next few days if you like |
That would be great. |
@docker-mailserver/maintainers Is there a way to detect within the container, if it's run by podman? If that is possible, we should print a open-relay warning, if We could also make |
Just did a short Research and found the following: The best check If the runtime being Docker or Podman would be to look for /run/.containerenv (Podman) vs /run/.dockerenv (Docker) Haven't tested it myself though |
That is old advice IIRC, I remember looking into detecting if operating in a Docker container a while back and that approach no longer works (it was never officially documented by Docker either) as the file is no longer present AFAIK. The easiest approach of course would be to just add a Changing defaults is probably fine too, but should wait until a major release right? |
confirm 😞 |
There was some other approaches I recall being advised, one regarding cgroups but it was flakey IIRC (there's v1 and v2, along with differences between container runtimes and possibly kernel versions I think..) and was specifically for detecting running in a containerized environment. If Podman does still make that file available, that's all you'd really need I guess to pull off the detection, but if it's not officially documented anywhere, it might disappear one day like the Docker one did. We could also just add a |
In case you want to consider a rather hacky solution, you might give this command a try if grep 'host.containers.internal' /etc/hosts > /dev/null; then echo podman; else echo docker; fi Also I just confirmend @polarathene's guess that podman (tested with |
When running with host mode networking, at least with Docker it will use the host system |
You are right, running podman in host mode does not add the |
Another thing that came to my mind during the setup of my new mailserver: Do you think it's reliable to check for the present network interfaces? That way also the default network interface could be dynamically changed and podman users would not have to specify Regarding the |
I am not sure if I understand you correctly. Why would you need a second DMS instance? Another podman question: Can you confirm, that this solution does also prevent an open-relay? |
Podman is not officially supported, because non of the maintainers use it afaik. DMS seems to work with podman, but there are some things to care for. So forcing podman users to read the manual and the security warnings is a good behaviour IMO 😉 |
One of them being me, I guess 😅
In case I wanted to test inter server communication. But you are right, it's not required for the current usecase
I can, but I didn't expect the result. Using the slirp4netns approach (compatible with v10.4.0 and older) I get a client host rejected message:
The solution shown in die issue produces a relay access denied error:
Not what I've expected, but both solutions seem to work |
I did my own tests with |
The attribute `none` has been introduced as value for `PERMIT_DOCKER` in docker-mailserver#2393. The current release v10.4.0 does not support this option yet. To prevent podman users from misconfiguring their server, supported version hints have been added to the corresponding documentation.
The attribute `none` has been introduced as value for `PERMIT_DOCKER` in docker-mailserver#2393. The current release v10.4.0 does not support this option yet. To prevent podman users from misconfiguring their server, supported version hints have been added to the corresponding documentation.
Description
This PR includes security related documentation to run docker-mailserver with podman in rootless mode. See the linked issue for more details on the security concerns.
Personally I would like to set
PERMIT_DOCKER=none
to the new default inmailserver.env
because it enforces authentication even from localhost and therefore is more secure, but this would result in a breaking change for users that have authentication-less setups for their localhost. The decision is up to you :)Fixes #2377
Type of change
Checklist:
docs/
)