
Rootless Containers - palo
https://unit42.paloaltonetworks.com/rootless-containers-the-next-trend-in-container-security/
======
ajross
> Slirp is a well-known project that was originally and mainly used for
> networking in QEMU (aka Quick Emulator).

Good grief, that's off by almost 15 years. Slirp was _originally_ a SLIP
endpoint you could run on a remote dial-in shell account to connect your local
system to the internet. As it happens that's basically the same problem needed
to get (something like) IP to work out of a userspace context in general, so
it got appropriated by the container community and used pervasively. But its
roots go much deeper.

Also... "Quick Emulator"?!

~~~
angry_octet
SLiRP was written by Danny Gasparovski from Canberra.

Actual SLIP needed privs on the host to configure everything. slirp did it in
usermode, allowing lowly undergrads to get real IP connections at home from
the terminal services universities provided. Then you could run NCSA Mosaic at
home :-) And ftp things directly, instead of downloading to your shell account
tmp dir and using zmodem to transfer it the last hop.

[https://www.linuxjournal.com/article/1174](https://www.linuxjournal.com/article/1174)

It went away as real ISPs began to appear, offering PPP connections, and
universities dropped their dial-in services. Strange and glorious to see it
back again.

~~~
ajross
Isn't that exactly what I said?

~~~
angry_octet
Just expanding. I was already writing it when your post appeared.

------
maztaim
I've been following podman for rootless containers. It works fairly well on
Fedora. RHEL 8 works, but has older versions of packages compared to Fedora.

There are some fairly well documented shortcomings to consider/work-around.
You can find that list at
[https://github.com/containers/libpod/blob/master/rootless.md](https://github.com/containers/libpod/blob/master/rootless.md)

~~~
prpl
The big annoying one in HPC is NFS/GPFS, but that will actually work just fine
if you stay as root inside the container, which maps to your uid outside the
container.

~~~
mroche
I'm a little confused by this statement, since at my current employer and
previous employer we used NFS mounted home dirs and I would and currently do
need to explicitly change my ~/.config/containers/storage.conf to point to a
local mount point, such as /var/tmp/containers/$USER in order to perform
anything rootless container related. In my case that's with Podman on RHEL 7
and RHEL 8.
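
The storage.conf workaround above, as an added example that is not from the thread or from Podman: it decides where rootless Podman's graphroot should live by looking up the filesystem type of $HOME in a /proc/mounts-style table (longest-prefix match, the same rule the kernel's mount tree implies) and prints the matching ~/.config/containers/storage.conf. The mount table, the user name "alice", uid 1000 and the /var/tmp/containers/<user> location are all constructed or assumed; the set of "network" filesystem types is also an assumption built from the ones named in this thread.

```python
# Added example, not from the thread or from Podman: pick a graphroot for
# rootless Podman by checking whether $HOME sits on a network filesystem,
# then emit the matching storage.conf.
import os

# Constructed sample in /proc/mounts format (device, mount point, fs type, ...).
SAMPLE_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/rhel-root / xfs rw,relatime,attr2,inode64 0 0
/dev/mapper/rhel-var /var xfs rw,relatime,attr2,inode64 0 0
filer01:/export/home /home nfs4 rw,relatime,vers=4.2,rsize=1048576,wsize=1048576 0 0
"""

# Assumed list: the types the thread names (NFS, GPFS) plus similar ones.
NETWORK_FS = {"nfs", "nfs4", "gpfs", "cifs", "lustre", "fuse.sshfs"}


def fs_type(path, mounts_text):
    """Filesystem type of the longest mount point that is a prefix of `path`."""
    path = os.path.normpath(path)
    best_mnt, best_type = "", None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        # /proc/mounts escapes spaces in mount points as \040
        mnt, fstype = fields[1].replace("\\040", " "), fields[2]
        prefix = mnt if mnt.endswith("/") else mnt + "/"
        if (path == mnt or path.startswith(prefix)) and len(mnt) > len(best_mnt):
            best_mnt, best_type = mnt, fstype
    return best_type


def storage_conf(user, uid, home, mounts_text):
    """storage.conf text: graphroot on local disk when $HOME is on a network
    filesystem, otherwise Podman's default rootless location."""
    if fs_type(home, mounts_text) in NETWORK_FS:
        graphroot = f"/var/tmp/containers/{user}"   # local disk, as in the thread
    else:
        graphroot = f"{home}/.local/share/containers/storage"
    runroot = f"/run/user/{uid}/containers"
    return (
        "[storage]\n"
        'driver = "overlay"\n'
        f'graphroot = "{graphroot}"\n'
        f'runroot = "{runroot}"\n'
    )


if __name__ == "__main__":
    # Use the real mount table when available, the constructed one otherwise.
    try:
        with open("/proc/mounts") as f:
            mounts = f.read()
    except OSError:
        mounts = SAMPLE_MOUNTS
    print(storage_conf("alice", 1000, "/home/alice", mounts))
```

The check matters because a mount point that merely shares a string prefix ("/homework" versus "/home") must not be treated as the NFS export; the prefix test adds the trailing slash for that reason. As maztaim notes, images stored under /var/tmp are local to that host and will not follow the user to other nodes.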

~~~
maztaim
That's an acceptable workaround. Just remember the containers aren't available
on NFS and thus other systems.

~~~
mroche
I’m aware, I’m trying to determine what prpl meant by

> but that will actually work just fine if you stay as root inside the
> container, which maps to your uid outside the container

~~~
maztaim
I'll let Dan Walsh explain it [https://www.redhat.com/sysadmin/rootless-podman-nfs](https://www.redhat.com/sysadmin/rootless-podman-nfs)

In short, you don't remap when running as root in the container, thus no
uid/gid remapping.
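
The remapping maztaim describes, as an added example that is not from the thread, Podman or runc: it resolves container uids to host uids through a user-namespace uid_map. The map is constructed in the format of /proc/<pid>/uid_map for a container started by host uid 1000 with an assumed /etc/subuid entry of "alice:100000:65536". Root inside maps to the invoking user's own uid, which an NFS server already knows; any other container uid lands in the subuid range, which the server generally does not know, so files written as a non-root container user end up with an owner the export cannot honour.

```python
# Added example, not from the thread, Podman or runc: where rootless
# container uids land on the host, per a user-namespace uid_map.

# Constructed uid_map: <id-inside-ns> <id-outside-ns> <length>
ROOTLESS_UID_MAP = """\
         0       1000          1
         1     100000      65536
"""

# Default kernel.overflowuid: what an id with no mapping is shown as ("nobody").
OVERFLOW_ID = 65534


def parse_id_map(text):
    """Parse uid_map/gid_map lines into (inside, outside, length) triples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        inside, outside, length = (int(f) for f in fields)
        entries.append((inside, outside, length))
    return entries


def to_host(container_id, id_map):
    """Host id a container id maps to, or OVERFLOW_ID if it has no mapping."""
    for inside, outside, length in id_map:
        if inside <= container_id < inside + length:
            return outside + (container_id - inside)
    return OVERFLOW_ID


def to_container(host_id, id_map):
    """Inverse: container id for a host id, or None if the host id is not
    mapped into the namespace at all (it would appear as OVERFLOW_ID inside)."""
    for inside, outside, length in id_map:
        if outside <= host_id < outside + length:
            return inside + (host_id - outside)
    return None


def owner_is_invoking_user(container_uid, id_map):
    """True when files created as `container_uid` are owned on the host by the
    user who started the container, i.e. by whatever container uid 0 maps to.
    That is the one owner a home-directory NFS export is sure to recognise."""
    return to_host(container_uid, id_map) == to_host(0, id_map)


if __name__ == "__main__":
    id_map = parse_id_map(ROOTLESS_UID_MAP)
    for cuid in (0, 1, 1000, 65536, 70000):
        print(f"container uid {cuid:>6} -> host uid {to_host(cuid, id_map):>6}"
              f"  nfs-safe={owner_is_invoking_user(cuid, id_map)}")
```

Container uid 1000 (a typical "app" user in an image) becomes host uid 100999 here, which is why the same image that runs fine on local disk fails on an NFS home directory unless the process stays uid 0 inside the container.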

~~~
mroche
I had a derp-out moment yesterday, I totally misinterpreted “as root in the
container”. The topic was about rootless containers, so I was completely
mentally blacklisting the idea of starting a container from the root user
account.

------
angry_octet
Singularity containers go some way towards running without root, though it
defaults to setuid setup at boot and dropping privs before execution.

Singularity makes some bad design choices though, like eliminating layers,
which results in proliferation of huge container images cluttering everywhere,
with no idea what they do. It's really designed for HPC administrators who
don't like end users.

[https://sylabs.io/guides/3.5/user-guide/security.html](https://sylabs.io/guides/3.5/user-guide/security.html)

~~~
prpl
They also have a bad record regarding security, and usability without the
setuid scripts is poor.

~~~
angry_octet
Well I only see the one bad CVE, but yes security through extra setuid C code
seems a bad idea. [https://www.openwall.com/lists/oss-security/2019/05/16/1](https://www.openwall.com/lists/oss-security/2019/05/16/1)

Ironically, I keep getting told I have to switch over from docker because of
security. Plenty of IT security folk have their knickers in a twist at the
idea of non-sysadmin privileged users. They would rather run a giant insecure
system (Linux or Windows AD) with lots of LPE and lateral movement than
smaller more isolated systems with more trusted users and less LPE.
Dev(Sec)Ops concepts still haven't penetrated very deep.

~~~
prpl
Several DOE sites won't even consider Singularity, including NERSC, who
created Shifter (aka Docker + patching - networking) around the same time as
development at Singularity started at LBNL (NERSC's parent lab). LANL created
CharlieCloud
([https://hpc.github.io/charliecloud/](https://hpc.github.io/charliecloud/))
because they needed a hard focus on security first.

There is quite a bit of distrust of Singularity at places that value security.
I'm hoping podman rootless can eventually come through and render all the
bespoke implementations moot, but it will probably be a few years.

------
AkihiroSuda
> The downside is that V2 doesn’t support all the controllers that were
> implemented for cgroups V1 (e.g. devices, net_cls, net_prio,etc.).

The device controller has been present since kernel 4.15.

> Adoption status

Docker/Moby supports FUSE-OverlayFS and cgroup2 as well on master. Planned to
be released as v20.0X.

> spearheaded by Podman and LXC.

Yes w.r.t. cgroup, but the network stuff (slirp4netns & RootlessKit) was
originally written for Docker/Moby :)

> the truth is that container engines run Slirp without the seccomp support

Untrue.
[https://github.com/containers/libpod/blob/d4a3c05c0fcd0c53fa...](https://github.com/containers/libpod/blob/d4a3c05c0fcd0c53fafda09a682435212b68a68f/libpod/networking_linux.go#L228)
[https://github.com/moby/moby/blob/b47e74255811b2ead92b222541...](https://github.com/moby/moby/blob/b47e74255811b2ead92b22254174c27ae9d6c9f4/contrib/dockerd-rootless.sh#L82)

------
banifo
We are using Prisma Cloud at work. I'm always surprised to see such a half
user-friendly tool.

I thought, when I used that tool for the first time, that it was some small
company building it, but nope, it's Palo Alto Networks.

~~~
zufallsheld
Prisma Cloud was Twistlock before it was bought by Palo Alto, a small
120-person company.

~~~
mikevm
Actually only the Prisma Cloud Compute part is Twistlock

------
justicezyx
[https://github.com/nanovms](https://github.com/nanovms) is another unikernel
attempt to solve the security problem; it is an actual VM runnable on a type 1
hypervisor.

In contrast, gvisor, needs ptrace or kvm.

Both nanovms and gvisor aim to provide an abstraction through emulated system
calls.

------
mirekrusin
How does it relate, security-wise, to MirageOS? I know it's apples and
oranges, but on the security dimension alone, is one far better than the
other, or is it hard to say?

