MicroOS: Rootless podman?

Submitted ⁨⁨22⁩ ⁨hours⁩ ago⁩ by ⁨nico198x@europe.pub⁩ to ⁨selfhosted@lemmy.world⁩

hey all! i need a little help here.

i’m just starting to get into self-hosting, and have chosen MicroOS and podman as my environment and tool.

would someone be able to clarify something for me?

I have a MicroOS install for containers, and it seems to only come with a root user. so if i use podman, won’t all my pods be rootful?

i try to make a new non-root user, but podman just keeps complaining about privileges when i run it under that user.

so how is this intended to work exactly?

thanks for any help!

source

Comments

Sort:hotnew top

someacnt@sh.itjust.works ⁨4⁩ ⁨hours⁩ ago
While this would not answer your question, but according to podman maintainers, rootful podman with userns=auto enjoys nearly as much security benefits as rootless. (As always, there are nuances to this)

Check out github.com/containers/podman/discussions/13728

Maybe you could consider running rootful podman, especially if the OS is immutable.

source
- nico198x@europe.pub ⁨29⁩ ⁨minutes⁩ ago
  thanks, very helpful! your comment is definitely relevant, and i hope this topic will help others in the future who may be confused about best practice w/ MicroOS.
  
  for what it’s worth, i did end up running Rootful!
  
  source
- InnerScientist@lemmy.world ⁨1⁩ ⁨hour⁩ ago
  Tldr:
  
  Rootful podman with podman run --userns=auto is more secure than one rootless host user running many pods, because those pods could (theoretically) attack each other.
  though you still have the possibility of an exploit in the image pull
  
  Rootless podman running one pod (as in service including database and so on) per host user with different subuid Ranges is the most secure, but you have to actually set that up which can be a lot of work depending on distribution.
  
  source
Sunny@slrpnk.net ⁨21⁩ ⁨hours⁩ ago
I don’t run MicroOS myself so take this with a grain of salt. But this is usually how I do it, though there might be a better practice out there for this too.

Afaik, MicroOS by the sound of it, only ships with root by default, but rootless Podman should definitely be possible.

Normally, you need to set up user namespace mappings for your non-root user. Run these commands as root:

usermod --add-subuids 100000-165535 <yourusername> usermod --add-subgids 100000-165535 <yourusername>

Then check they’re set up with:

grep <yourusername> /etc/subuid grep <yourusername> /etc/subgid

This should give your regular user the ability to map container UIDs without needing root privileges. After that, Podman should work fine as your regular user.

Hope this helps a little 👍
source
- nico198x@europe.pub ⁨21⁩ ⁨hours⁩ ago
  it does, thanks! i’m mostly really surprised that MicroOS hasn’t prepared all of this ahead of time for something that’s supposed to be a “ready for podman containers” install.
  
  source
  - oakcroissant@feddit.org ⁨18⁩ ⁨hours⁩ ago
    This is what the Aeon maintainer said about root vs rootless in MicoOS:
    
    Since MicroOS is immutable and not meant to be changed then there’s no problem running everything as root; root can’t even write to the immutable parts of the OS
    
    The main benefits for Podman on MicroOS are very many while not including rootless. No daemon to crash and make containers unmanageable. Nicer dependency chain making it easier to keep up to date on TW. Support for kubes… and many more
    
    Source thread (Reddit)
    
    source
    -> View More Comments
Getting6409@lemm.ee ⁨20⁩ ⁨hours⁩ ago
I do this on the minimal Debian release which is essentially coming from the same place, you’re left to get things configured with a root user or maybe a privileged user after install. There’s a few things to tweak for rootless podman and it will vary based on the distro. The gist for me and Debian is:

make an unprivileged account for running podman containers

enable linger so i can use systemd with this account and the running of the containers

allow lower ports for podman rootless in sysctl (for example, 80 if you’re running basic http services rootless), net.ipv4.ip_unprivileged_port_start=<start of lower range of ports rootless containers will use>

run containers with the appropriate --userns flags. This can vary a lot depending on the container. Some maintainers are nice and ensure the internal uid/gid is something expected like 1000, sometimes not and you have to fire it up and figure out the app account name, uid/gid. An example I’ll put here is a podman run snippet for running jenkins (official image from cloudbees) rootless:

podman run --name jenkins --user jenkins --userns=keep-id:uid=1000,gid=1000 …

Again, that’s just Debian, never tried MicroOS, but if MicroOS isn’t doing anything special to accommodate rootless podman I imagine these steps are somewhat applicable. One issue I ran into was with an older version of Podman, whatever comes with Ubuntu 22: That version of podman requires you to set the namespace mappings; Debian 12’s version does not and the --userns=keep… flag just works.
source
- nico198x@europe.pub ⁨20⁩ ⁨hours⁩ ago
  fantastic, thank you!
  
  yeah, when they said it was “ready for podman” i, uh, expected a little more preconfig. XD
  
  as an aside, re: point 3, port forwarding won’t work in firewalld? like , 80->8080, then 8080->container?
  
  source
  - Getting6409@lemm.ee ⁨19⁩ ⁨hours⁩ ago
    Honestly I’m not sure, or maybe I knew but forgot. Since working out my needs I wrote it to ansible and never looked back. Worth trying the more secure way for sure.
    
    source
atzanteol@sh.itjust.works ⁨21⁩ ⁨hours⁩ ago

i try to make a new non-root user, but podman just keeps complaining about privileges when i run it under that user.

If you’re asking for help about an error message, then provide the error message rather than describing it in vague terms. There are many privileges it could be complaining about.

source
- nico198x@europe.pub ⁨21⁩ ⁨hours⁩ ago
  not at this time, thank you. it’s more about confirming how MicroOS is functioning with a fresh install and where i need to head from there for rootless functionality. why this isn’t the default setup, i don’t know.
  
  source
Shimitar@downonthestreet.eu ⁨21⁩ ⁨hours⁩ ago
I suggest you read some guides about podman and rootless containers.

Here is my experience albeit on a different Linux: wiki.gardiol.org/doku.php?id=gentoo%3Acontainers

source
- nico198x@europe.pub ⁨21⁩ ⁨hours⁩ ago
  i’ve been ass-deep in doc and guides for days, mate. can you just answer the question if you know the answer?
  
  rootless podman should not be able to bind to port 80, for example. but i CAN do this on MicroOS. which is making me think that it’s running rootful. and if that’s happening because i’m working under the sole root user in MicroOS.
  
  source
  - Shimitar@downonthestreet.eu ⁨21⁩ ⁨hours⁩ ago
    You can give podman rootless the power to open ports less than 1024. So no, it can still be rootless.
    
    And yes, for being rootless you must have non root users as well…
    
    So its probably root and not rootless
    
    source
    -> View More Comments
  - borax7385@lemmy.world ⁨21⁩ ⁨hours⁩ ago
    Which user do you use to run the podman command? Confirm with whoami
    
    Note that the sysctl net.ipv4.ip_unprivileged_port_start can be used to allow non-root users to bind to ports <1024, this might be configured in MicroOS, I don’t know.
    
    source
    -> View More Comments