
Giving your containers a root canal – Lions, Tigers, and Containers – Oh My! Podman and Friends

Giving your containers a root canal

Straight from the Docker documentation, you will find that “The Docker daemon binds to a Unix socket instead of a TCP port. By default that Unix socket is owned by the user root and other users can only access it using sudo. The Docker daemon always runs as the root user.”

The documentation then tells you to add your user to the docker group so that you can use Docker without sudo. That sounds great, right? The catch is that membership in the docker group is equivalent to root: anyone who can write to that socket can ask the root-owned daemon to do anything root can do. For instance, any location on the host filesystem can be bind-mounted into a container, and I do mean any, including / itself, after which the container can read and alter the host filesystem without restriction. Several other weaknesses follow directly from this architecture, but you get the picture.
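The following is an added example, not part of the original recipe, for checking who on a host is root-equivalent through the Docker socket. The /etc/group excerpt is constructed; the live demonstration at the end runs only when docker is installed and the socket is writable by the current user, and simply reads a root-only host file through a bind mount of /, which is exactly the situation described above.

```bash
#!/bin/sh
# Added example (not from the original recipe): audit docker group membership,
# which is root-equivalent, and demonstrate why.

# Print the member list of the docker group from /etc/group-style input on
# stdin (field 4 is the comma-separated member list); prints nothing if the
# group does not exist.
docker_group_members() {
    awk -F: '$1 == "docker" { print $4 }'
}

# Return 0 if USER is listed as a member of the docker group in the
# /etc/group-style input on stdin. Note: this only sees supplementary
# membership; a user whose primary group (in /etc/passwd) is docker would
# not appear here, so on a live host prefer "id -nG user".
is_docker_group_member() {
    docker_group_members | tr ',' '\n' | grep -qx "$1"
}

# Constructed /etc/group excerpt used for the offline check.
SAMPLE_GROUP='root:x:0:
wheel:x:10:alice
docker:x:990:alice,bob'

# Offline usage: who is root-equivalent on the constructed host?
printf '%s\n' "$SAMPLE_GROUP" | docker_group_members    # alice,bob

# Live usage on this host (no-op if the docker group is absent).
if [ -r /etc/group ]; then
    if is_docker_group_member "$(id -un)" < /etc/group; then
        echo "$(id -un) is in the docker group: root-equivalent on this host"
    fi
fi

# Live demonstration of the bind-mount problem described in the text. The
# daemon performs the mount as root, so group membership is all it takes to
# read a file that the unprivileged user cannot otherwise read.
if command -v docker >/dev/null 2>&1 && [ -w /var/run/docker.sock ]; then
    docker run --rm -v /:/host docker.io/library/alpine \
        sh -c 'id -u; test -r /host/etc/shadow && echo "host /etc/shadow readable"'
fi
```

The audit function is deliberately a pure parser so it can be run against a copied /etc/group from another machine; on a live host, `id -nG "$user"` is the authoritative answer because it also covers primary group membership.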

What’s different about Podman is that, by default, it runs rootless; in other words, you can run containers with Podman without root privileges. When I first heard this, I thought it meant the user in the container was not root, but that’s not really the case. Rootless simply means that the user instantiating the container does not have root privileges. The process inside the container may still see itself as root, but Podman runs it inside a user namespace in which container UID 0 is mapped to your own host UID, and the remaining container UIDs are mapped to the subordinate UID range assigned to you in /etc/subuid. Whatever “root” does inside the container, it does with your permissions on the host. There are a few things to know about running a container without root privileges, and this recipe aims to show you how to run rootless containers while explaining the differences between rootless and rootful.

Getting ready

  • Oracle Linux
  • Podman

How to do it…

To run rootless containers with Podman, all you need to do is invoke Podman as a user without root privileges, and not prefix the Podman commands with sudo. If you do add sudo, you are running a rootful container as the root user, with everything that implies.
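The UID mapping behind rootless Podman, as an added example that is not part of the original recipe. The uid_map parser runs offline on constructed maps (a user with UID 1000 and a subordinate range starting at 100000 is assumed, the layout /etc/subuid typically produces); the live commands at the end run only if podman is installed, and use `podman info` and `podman unshare`, which exist in Podman itself.

```bash
#!/bin/sh
# Added example (not from the original recipe): what "root inside a rootless
# container" means on the host. A uid_map line reads
#   <first uid in the namespace> <first uid on the host> <count>

# Print the host UID that container UID $2 maps to under uid_map text $1,
# or "unmapped" (exit 1) if the namespace has no mapping for it.
host_uid_for() {
    printf '%s\n' "$1" | awk -v want="$2" '
        BEGIN { w = want + 0 }
        NF == 3 && w >= $1 && w < $1 + $3 { print $2 + (w - $1); found = 1; exit }
        END { if (!found) { print "unmapped"; exit 1 } }'
}

# Report whether a uid_map describes a rootful or a rootless container by
# asking where container UID 0 lands on the host.
classify_map() {
    host_uid=$(host_uid_for "$1" 0) || { echo "no-root-mapping"; return 1; }
    if [ "$host_uid" -eq 0 ]; then
        echo rootful
    else
        echo rootless
    fi
}

# Rootful containers show the identity map: container root really is host root.
ROOTFUL_MAP='0 0 4294967295'

# Constructed rootless map for host user 1000 with 65536 subordinate UIDs
# starting at 100000: container root is host UID 1000, container UID 1 is
# host UID 100000, container UID 33 (e.g. www-data) is host UID 100032.
ROOTLESS_MAP='         0       1000          1
         1     100000      65536'

# Offline usage
classify_map "$ROOTLESS_MAP"            # rootless
host_uid_for "$ROOTLESS_MAP" 33         # 100032

# Live usage (skipped when podman is not installed)
if command -v podman >/dev/null 2>&1; then
    # Does Podman consider this invocation rootless?
    podman info --format '{{.Host.Security.Rootless}}'
    # The real map of the user namespace Podman uses for your containers.
    podman unshare cat /proc/self/uid_map
    # "root" inside the container creates a file the host attributes to you.
    scratch=$(mktemp -d)
    podman run --rm -v "$scratch:/scratch:Z" docker.io/library/alpine \
        sh -c 'id -u; touch /scratch/created-by-container-root'
    ls -ln "$scratch"
    rm -rf "$scratch"
fi
```

Feed the output of `podman unshare cat /proc/self/uid_map` to `classify_map` to confirm your own setup; a map whose first line is `0 0 4294967295` means you are, despite any intention, running rootful.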

What’s different about rootless containers?

Network modes

There are three common network modes supported by Podman:

  • Bridged
  • macvlan
  • slirp4netns

First, there is bridged networking, which is the default for rootful Podman. It creates a bridge interface on the host and connects each container to that bridge through a virtual Ethernet (veth) pair, one end on the host and one end inside the container’s network namespace. Another mode is macvlan, which gives the container its own virtual interface, with its own MAC address, attached directly to a physical interface on the host, so the container appears on the LAN as if it were a separate machine; this mode requires root. Finally, there is slirp4netns, which connects a network namespace to the outside world in a completely unprivileged way. Rootless Podman uses slirp4netns because an unprivileged user cannot create bridge or veth interfaces on the host. To get around this limitation, slirp4netns runs a user-mode network stack as your user and attaches it to a tap device inside the container’s network namespace, relaying traffic between the two. The container gets connectivity, but no interface is created on the host, which is also why published ports are forwarded by a separate helper process (rootlessport) running as your user rather than by firewall rules.

Network ports

When you run your containers without root access, you cannot publish low-numbered ports by default. For example, it is common to expose ports 80 and/or 443; if you try to do this with a rootless container, you will see a message like the following:
Error response from daemon: rootlessport cannot expose privileged port 80, you can add ‘net.ipv4.ip_unprivileged_port_start=80’ to /etc/sysctl.conf (currently 1024), or choose a larger port number (>= 1024): listen tcp 0.0.0.0:80: bind: permission denied

Rootless Podman is limited to publishing ports 1024 and above. This is a kernel rule rather than a Podman one: ports below net.ipv4.ip_unprivileged_port_start (1024 by default) may only be bound by a process holding the CAP_NET_BIND_SERVICE capability, and the rootlessport helper that forwards published ports runs as your unprivileged user. If you want to publish a lower port, you first need to lower that threshold as root so that unprivileged users may bind it.

Let’s say you wanted to allow rootless Podman to expose the standard HTTP web port (port 80). In this case, you can run this command:
sudo sysctl net.ipv4.ip_unprivileged_port_start=80

If you want the setting to persist across reboots, follow the guidance in the error message: append net.ipv4.ip_unprivileged_port_start=80 to /etc/sysctl.conf (or place it in a file under /etc/sysctl.d/) and reload with sudo sysctl --system. Bear in mind that the threshold is global. Every unprivileged process on the host, not just Podman, can then bind any port from 80 up to 1023, which includes 443, 111, 389 and 636. If the container only needs to be reachable on port 80, it is often preferable to leave the threshold alone, publish a high port such as -p 8080:80, and redirect port 80 to it in the host firewall.
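The threshold check and the persistent setting, as an added example that is not part of the original recipe. Threshold values and the target file used offline are constructed; on a real host the default for the current value is the live /proc/sys entry, and the file you would pass is /etc/sysctl.conf or a drop-in under /etc/sysctl.d/, followed by `sudo sysctl --system`.

```bash
#!/bin/sh
# Added example (not from the original recipe): decide whether rootless
# Podman can publish a port, and persist a lowered threshold exactly once.

KEY=net.ipv4.ip_unprivileged_port_start

# Print the threshold currently in force. A file path may be given for
# testing; by default the live kernel value is read.
current_unprivileged_port_start() {
    cat "${1:-/proc/sys/net/ipv4/ip_unprivileged_port_start}"
}

# Return 0 if an unprivileged process (such as Podman's rootlessport helper)
# may bind PORT when the threshold is START; ports below START are reserved
# for processes with CAP_NET_BIND_SERVICE.
port_allowed_unprivileged() {
    port=$1
    start=$2
    [ "$port" -ge "$start" ]
}

# Record "KEY = START" in FILE, replacing any earlier setting of KEY and
# leaving other lines untouched. Written with grep/printf/mv rather than
# "sed -i" so it behaves the same on any sed; the file is created if absent.
persist_unprivileged_port_start() {
    file=$1
    start=$2
    tmp=$(mktemp)
    {
        [ -f "$file" ] && grep -v "^${KEY}[[:space:]]*=" "$file" || true
        printf '%s = %s\n' "$KEY" "$start"
    } > "$tmp"
    chmod 644 "$tmp"
    mv "$tmp" "$file"
}

# Usage: report what the host allows right now (the live value, if readable).
if [ -r /proc/sys/net/ipv4/ip_unprivileged_port_start ]; then
    now=$(current_unprivileged_port_start)
    if port_allowed_unprivileged 80 "$now"; then
        echo "port 80 can be published rootless (threshold $now)"
    else
        echo "port 80 needs root or a lower threshold (threshold $now)"
    fi
fi
```

To apply it for real, run `persist_unprivileged_port_start /etc/sysctl.d/90-rootless-ports.conf 80` as root and then `sysctl --system`; the function refuses nothing, so the decision of whether opening 80 through 1023 to every local user is acceptable remains yours.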
