2025-02-23 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
The editor shares here how to use capabilities with Podman in Fedora. Most people do not know much about this, so the article is offered for your reference; I hope you learn a lot from it. Let's get to know it!
Containerization is a booming technology. In the near future, as many as 75% of global organizations may run some type of containerization technology. Because widely used technology is more likely to become a target for attackers, securing containers is particularly important. This article demonstrates how to use POSIX capabilities to secure Podman containers. Podman is the default container management tool in RHEL 8.
Determine the permission mode of the Podman container
A container runs in privileged or unprivileged mode. In privileged mode, the container's uid 0 is mapped to the host's uid 0. In some cases, unprivileged containers lack adequate access to host resources. But regardless of the mode, technologies such as Mandatory Access Control (MAC, e.g. AppArmor or SELinux), seccomp filters, dropping capabilities, namespaces and so on help ensure the security of the container.
To determine the privilege mode from outside the container:
$ podman inspect --format="{{.HostConfig.Privileged}}" <container-id>
If the above command returns true, the container runs in privileged mode. If false is returned, the container runs in unprivileged mode.
To determine the privilege mode from within the container:
$ ip link add dummy0 type dummy
If this command allows you to create an interface, then you are running a privileged container, otherwise you are running an unprivileged container.
Privileges and capabilities
Namespaces isolate container processes so that they cannot arbitrarily access the resources of the host or of other containers running on the same host. However, processes in a privileged container can still do things such as changing the IP routing table, tracing arbitrary processes, and loading kernel modules. Capabilities allow finer-grained restrictions on which resources processes in the container can access or change, even when the container is running in privileged mode. Capabilities also allow you to grant an unprivileged container privileges it would not otherwise have.
For example, if you want to add the NET_ADMIN capability to an unprivileged container so that it can create a network interface inside the container, you can run podman with the following parameters:
[root@vm1 ~]# podman run -it --cap-add=NET_ADMIN centos
[root@b27fea33ccf1 /]# ip link add dummy0 type dummy
[root@b27fea33ccf1 /]# ip link
The commands above demonstrate creating a dummy0 interface in an unprivileged container. Without the NET_ADMIN capability, an unprivileged container cannot create an interface; the commands show how to grant a capability to an unprivileged container.
Currently, there are about 39 capabilities that can be granted or dropped. Privileged containers are granted many capabilities by default. It is recommended that you drop the capabilities a privileged container does not need to make it more secure.
To drop all capabilities from a container:
$ podman run -it -d --name mycontainer --cap-drop=all centos
List the capabilities of a container:
$ podman exec -it 48f11d9fa512 capsh --print
The above command shows that no capabilities are granted to the container.
Refer to the capabilities man page for the complete list of capabilities:
$man capabilities
You can use the capsh command to list the capabilities you currently have:
$ capsh --print
As another example, the following command demonstrates how to drop the NET_RAW capability from a container. Without NET_RAW, it is not possible to ping Internet servers from the container.
$ podman run -it --name mycontainer1 --cap-drop=net_raw centos
> ping google.com (will fail with the error "operation not permitted")
As a final example, if your container only needs the SETUID and SETGID capabilities, you can drop all capabilities and then add back only these two to implement that permission set.
$ podman run -d --cap-drop=all --cap-add=setuid --cap-add=setgid fedora sleep 5 > /dev/null; pscap | grep sleep
The pscap command above shows the capabilities the container has been granted.
That is all the content of the article "How to use capabilities with Podman in Fedora". Thank you for reading! I believe we all have gained some understanding of it, and I hope the shared content helps you. If you want to learn more, welcome to follow the industry information channel!
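As an added example that is not part of the original article, the following Python decodes the CapEff bitmask that tools like capsh --print and pscap read from /proc/<pid>/status, and checks it against the set a container is meant to keep (here the SETUID/SETGID case above). The capability numbering follows linux/capability.h; the status text is a constructed sample.

```python
import os
import re

# Capability numbers from linux/capability.h; the tuple index is the bit number.
CAP_NAMES = (
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
)

STATUS_RE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)$", re.M)

def parse_status_caps(status_text):
    """Return {'CapInh': int, 'CapEff': int, ...} from /proc/<pid>/status text."""
    return {key: int(value, 16) for key, value in STATUS_RE.findall(status_text)}

def decode_caps(mask):
    """Map a capability bitmask to sorted names (unknown bits become cap_<n>)."""
    names, bit = [], 0
    while mask >> bit:
        if mask >> bit & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"cap_{bit}")
        bit += 1
    return sorted(names)

def audit_effective(status_text, allowed):
    """Compare CapEff with the capabilities a container is supposed to keep.
    Returns (unexpected, missing): names held but not allowed, allowed but absent."""
    have = set(decode_caps(parse_status_caps(status_text)["CapEff"]))
    want = {name.lower() for name in allowed}
    return sorted(have - want), sorted(want - have)

# Constructed sample: /proc/self/status inside a container started with
# --cap-drop=all --cap-add=setuid --cap-add=setgid (bits 7 and 6 -> 0xc0).
SAMPLE_STATUS = (
    "Name:\tsleep\nUid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\nCapPrm:\t00000000000000c0\n"
    "CapEff:\t00000000000000c0\nCapBnd:\t00000000000000c0\n"
    "CapAmb:\t0000000000000000\n"
)

if __name__ == "__main__":
    print("sample audit:", audit_effective(SAMPLE_STATUS, {"SETUID", "SETGID"}))
    if os.path.exists("/proc/self/status"):  # live check when run inside a container
        with open("/proc/self/status") as fh:
            print("this process:", decode_caps(parse_status_caps(fh.read())["CapEff"]))
```

Run it inside the container instead of pscap on the host to confirm from the process's own view that only the intended capabilities remain.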