Hi everyone!
I’m in the process of finally doing containers right in my NixOS installation. This is my ‘wishlist’:
- podman containers should be run by users with minimal permissions
- separate user per container
- containers managed by systemd services for easier management
My current work-in-progress setup looks like this:
For each service (called `$name`), I have:
- a user and corresponding group (referred to as `$uid` in the following)
- a directory `/srv/$name` owned by `$uid`, in which mounted volumes are located
My containers are declared like this:
```nix
virtualisation.oci-containers.containers = {
  $name = {
    image = ...;
    ports = [ ... ];
    volumes = [ "/srv/${name}/config:/config" ... ];
    user = "$uid:$gid";
    extraOptions = [ "--security-opt=no-new-privileges:true" ];
  };
};
```
Now for the parts I don’t fully understand yet:
- Some images allow setting `environment.PUID` to specify a user. Does setting this option (and not setting `user=$uid` in the container declaration itself) mean that the container will be run as root, and the program inside will merely use `PUID` when e.g. creating files? This would still allow a malicious container to run commands as root on the host, right?
- `virtualisation.oci-containers.containers` creates a systemd service. Since this is not a user-service for my user `$uid`, I need sudo to start/stop the container. Does that mean that the systemd service is run with root permissions, but it executes the command to spawn the container as `$uid`? If whatever is running inside the container was malicious, is there a functional difference between the container being started ‘by root as `$uid`’ and it being started by me (after logging in as `$uid`)?
- Is it feasible to make these systemd services user-services owned by `$uid` instead?
- Are there further hardening steps I forgot about?
Thanks for your input!
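The following is an added example, not the original poster's configuration: a NixOS module that packages the "one system user, one `/srv/<name>` directory, one podman container" pattern from the post into a small helper so each service gets its own uid/gid and the `--user` flag is never forgotten. The helper name `mkService`, the service names `app1`/`app2`, the uids and the image names are placeholders chosen for illustration.

```nix
# Added example (not from the original post). Declares, per service:
#   - a dedicated system user and group with a fixed uid/gid
#   - /srv/<name> and /srv/<name>/config owned by that user
#   - an oci-containers entry whose processes start as that uid:gid
{ lib, ... }:
let
  # Hypothetical helper: name -> numeric id -> image -> ports -> NixOS config.
  mkService = name: id: image: ports: {
    users.users.${name} = {
      isSystemUser = true;
      group = name;
      uid = id;
    };
    users.groups.${name}.gid = id;

    # Volume root owned by the container's user, never by root.
    systemd.tmpfiles.rules = [
      "d /srv/${name} 0750 ${name} ${name} -"
      "d /srv/${name}/config 0750 ${name} ${name} -"
    ];

    virtualisation.oci-containers.containers.${name} = {
      inherit image ports;
      volumes = [ "/srv/${name}/config:/config" ];
      # `user` is passed to podman as `--user uid:gid`, so PID 1 inside the
      # container already runs unprivileged. Images that only honour PUID
      # start their entrypoint as root and drop privileges themselves.
      user = "${toString id}:${toString id}";
      extraOptions = [
        "--security-opt=no-new-privileges:true"
        # Drop all capabilities; add single ones back only if the image
        # demonstrably needs them.
        "--cap-drop=ALL"
        # Root filesystem read-only; writable state lives in the volume.
        "--read-only"
      ];
    };
  };
in
{
  virtualisation.podman.enable = true;
  virtualisation.oci-containers.backend = "podman";

  # Placeholder services; uids 2001/2002 are illustrative values.
  config = lib.mkMerge [
    (mkService "app1" 2001 "docker.io/library/nginx:stable" [ "127.0.0.1:8080:80" ])
    (mkService "app2" 2002 "docker.io/library/redis:7" [ "127.0.0.1:6379:6379" ])
  ];
}
```

The design choice worth noting is the `user` line: with `--user` set, every process in the container starts as the unprivileged host uid, so a process escaping the container lands on the host as that uid. A `PUID`-style environment variable is only a convention of the image's entrypoint, which starts as root inside the container and switches uid later; it does not constrain what the entrypoint itself can do. Binding ports to `127.0.0.1` keeps the services off the network unless a reverse proxy is placed in front of them.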
ReedReads@lemmy.zip 3 days ago
What services are you running in your pods/containers? Are they local applications like libreoffice or are they network accessible in the more traditional style? What’s the advantage to running a podman container on your machine vs a Flatpak container?
Sorry for all the questions. This is an interesting setup and I’m just really curious.
ftbd@feddit.org 3 days ago
These containers are running on various servers I have at home, not on a desktop machine. I use podman as an alternative to docker, because it’s fully libre and does not require running containers as root. To be honest, I’ve never thought about running flatpak containers for these kinds of services – do you have a setup like this that you want to share?
ReedReads@lemmy.zip 3 days ago
That makes sense. I’ve always thought of NixOS as a desktop, not as a server. Guess I need to expand my thinking!
I run Fedora Server with podman and docker side by side. I try to use podman whenever possible but sometimes it’s not worth the hassle so that’s when it becomes a docker container 😬