Group Swim

Escape Pod

Before starting up a new container on a Debian derivative, you have to do one more thing, I suspect, because Podman's development appears to be heavily oriented toward the Fedora and Red Hat Enterprise Linux operating systems. On systems that are members of the Debian family, like Ubuntu and Mint, in my case, I need to install a slirp4netns package, which according to Apt, allows "User-mode networking for unprivileged network namespaces."

If you think back to one of the attractive security features – being able to run Podman without being the root user within its own kernel namespace (to isolate it from other containers and the system itself) – this statement makes sense.

To install the package, enter:

$ apt install slirp4netns

To prove that the networking plugins are also working for a non-root user, you should become a less privileged user:

$ su - johncooper

(Replace johncooper with your login name or another username.) Before trying to launch a new container, check with the podman ps command again that the containers are running.

To test the networking, launch another container from the Nginx image:

$ podman run -dit nginx
c73445cacc1f3fc57979c35e62e30bbb9edeff  3712b7841e529ca95a23662dd1

Note that the error is gone now, and a hash is visible. Next, get the hash of your newly launched container with podman ps again. From my Nginx hash above, I use the command

$ podman inspect c734

and scroll through its output to see whether the Nginx web server is running. I see the line:

"IPAddress": "10.88.0.3",

Lo and behold, when I run a curl command to query TCP port 80 on that container's IP address, I get the output seen in Listing 4. Just as hoped, it shows the HTML output from the container, so I can see that all is well.

01 $ curl http://10.88.0.3:80
02
03 <!DOCTYPE html>
04 <html>
05 <head>
06 <title>Welcome to nginx!</title>
07 <style>
08     body {
09         width: 35em;
10         margin: 0 auto;
11         font-family: Tahoma, Verdana, Arial, sans-serif;
12     }
13 </style>
14 </head>
15 <body>
16 <h1>Welcome to nginx!</h1>
17 <p>If you see this page, the nginx web server is successfully installed and
18 working. Further configuration is required.</p>
19
20 <p>For online documentation and support please refer to
21 <a href="http://nginx.org/">nginx.org</a>.<br/>
22 Commercial support is available at
23 <a href="http://nginx.com/">nginx.com</a>.</p>
24
25 <p>Thank you for using nginx.</p>
26 </body>
27 </html>

The result is an Nginx web server instance running securely as a non-root user, isolated within its own user namespace.

The End Is Nigh

As I suggested at the beginning of this article, a number of intriguing run times are available for you to try. In the fast-moving container space, there's no guarantee which one will come out on top, but CRI-O has won the race in Kubernetes for the time being.

I hope with some experimentation you will want to try running containers as a non-root user and look at how to secure your run time's attack surface further inside user namespaces.

If you are keen to explore more, then check out the clever Buildah [8] package, described as a "a tool that facilitates building OCI container images." If you're familiar with Dockerfiles, used to create Docker container images, you might be interested in the Buildah docs [9].

In the meantime, experiment with Podman and keep a close eye on the container technology space to stay up to date. It moves quickly!