OCI containers with Podman
Group Swim
Escape Pod
Before starting up a new container on a Debian derivative, you have to do one more thing, which I suspect is because Podman's development appears to be heavily oriented toward Fedora and Red Hat Enterprise Linux. On members of the Debian family (Ubuntu and, in my case, Mint), you need to install the slirp4netns package, which Apt describes as providing "User-mode networking for unprivileged network namespaces."
If you think back to one of the attractive security features – being able to run Podman without being the root user within its own kernel namespace (to isolate it from other containers and the system itself) – this statement makes sense.
To install the package, enter:
$ apt install slirp4netns
To prove that the networking plugins also work for a non-root user, switch to a less privileged user:
$ su - johncooper
(Replace johncooper with your login name or another username.) Before trying to launch a new container, check with the podman ps command again that the containers are running.
To test the networking, launch another container from the Nginx image:
$ podman run -dit nginx
c73445cacc1f3fc57979c35e62e30bbb9edeff3712b7841e529ca95a23662dd1
Note that the error is gone now, and a hash is visible. Next, get the hash of your newly launched container with podman ps again. From my Nginx hash above, I use the command
$ podman inspect c734
and scroll through its output to see whether the Nginx web server is running. I see the line:
"IPAddress": "10.88.0.3",
Lo and behold, when I run a curl command to query TCP port 80 on that container's IP address, I get the output seen in Listing 4. Just as hoped, it shows the HTML output from the container, so I can see that all is well.
Listing 4
A Working Nginx Container
$ curl http://10.88.0.3:80

<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p>Thank you for using nginx.</p>
</body>
</html>
The result is an Nginx web server instance running securely as a non-root user, isolated within its own user namespace.
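The manual sequence above (start the container, read its IP address from podman inspect, query port 80 with curl, eyeball the welcome page) can be turned into a repeatable check. The script below is an added example, not code from the article or the Podman project. It assumes podman and curl are on the PATH, that the container name nginx-test is free (a hypothetical name), and, as in the article, that the container's IP address is reachable from the host. The parsing and response checks are separate functions so they can be exercised offline against a constructed sample of the inspect output.

```shell
#!/bin/sh
# Added example (not from the article): verify a rootless Nginx container the
# way the text does by hand: read its IP from `podman inspect`, fetch port 80
# and confirm Nginx's stock welcome page came back.
# Assumptions: podman and curl on PATH when run_check is called; the container
# IP is reachable from the host as in the article; "nginx-test" is a free name.

# Pull "IPAddress" out of `podman inspect` JSON read on stdin.
# Prints the address; prints nothing and returns 1 when the field is empty,
# which is what a rootless container using slirp4netns commonly reports.
extract_ip() {
    ip=$(sed -n 's/.*"IPAddress": *"\([^"]*\)".*/\1/p' | head -n 1)
    [ -n "$ip" ] || return 1
    printf '%s\n' "$ip"
}

# Return 0 when the HTML on stdin is Nginx's default welcome page.
is_nginx_welcome() {
    grep -q '<title>Welcome to nginx!</title>'
}

# slirp4netns provides rootless networking on Debian derivatives; report
# whether it is installed before trying to start anything.
has_slirp4netns() {
    command -v slirp4netns >/dev/null 2>&1
}

# Full check against a live container (hypothetical default name nginx-test).
# Returns 0 on success and always removes the container it started.
run_check() {
    name=${1:-nginx-test}
    has_slirp4netns || { echo "slirp4netns missing: apt install slirp4netns" >&2; return 1; }
    podman run -dit --name "$name" nginx >/dev/null || return 1
    if ! ip=$(podman inspect "$name" | extract_ip); then
        echo "no container IP reported; publish a port (-p 8080:80) and query localhost instead" >&2
        podman rm -f "$name" >/dev/null
        return 1
    fi
    if curl -s --max-time 5 "http://$ip:80" | is_nginx_welcome; then
        echo "nginx reachable at $ip, container started by user $(id -un)"
        rc=0
    else
        echo "unexpected response from $ip" >&2
        rc=1
    fi
    podman rm -f "$name" >/dev/null
    return $rc
}

# Constructed sample of the inspect output (the real output has many more
# fields); lets extract_ip be tried without a running container.
SAMPLE_INSPECT='[{"Id": "c73445cacc1f", "NetworkSettings": {"IPAddress": "10.88.0.3"}}]'

# Only touch podman when explicitly asked: sh verify_rootless_nginx.sh --run
if [ "${1:-}" = "--run" ]; then
    run_check "${2:-}"
fi
```

Run it as the unprivileged user from the article (su - johncooper first) so that the check exercises rootless networking rather than the root-owned setup; if extract_ip reports no address, the container has no host-reachable IP in that rootless configuration, and publishing a port with -p and querying localhost is the usual alternative.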
The End Is Nigh
As I suggested at the beginning of this article, a number of intriguing run times are available for you to try. In the fast-moving container space, there's no guarantee which one will come out on top, but CRI-O has won the race in Kubernetes for the time being.
I hope with some experimentation you will want to try running containers as a non-root user and look at how to secure your run time's attack surface further inside user namespaces.
If you are keen to explore more, then check out the clever Buildah [8] package, described as "a tool that facilitates building OCI container images." If you're familiar with Dockerfiles, used to create Docker container images, you might be interested in the Buildah docs [9].
In the meantime, experiment with Podman and keep a close eye on the container technology space to stay up to date. It moves quickly!
Infos
[1] Docker: https://www.docker.com
[2] CNCF: https://www.cncf.io
[3] CRI-O: https://cri-o.io
[4] OCI: https://www.opencontainers.org
[5] Podman: https://podman.io
[6] Installing Podman: https://github.com/containers/libpod/blob/master/install.md
[7] Dependencies: https://github.com/containers/libpod/blob/master/install.md#build-and-run-dependencies
[8] Buildah: https://buildah.io
[9] Buildah docs: https://github.com/containers/buildah/tree/master/docs/tutorials