Session-102 (Rootless - Rootful Containers)
=========================================
Docker containers are usually run as root, but Docker can also run them rootless
(https://docs.docker.com/engine/security/rootless/). Podman does not use any daemon
and does not need root to run containers.
"Rootless" refers to the host user that runs the container engine, not to the user
inside the container. A rootful engine does not mean that every process inside the
container runs as root (the httpd worker processes below run as www-data), and a
rootless engine does not mean that the user inside the container is not root: it can
be root, and by default it is, with both Docker and Podman. The difference is that
in a rootless container that "root" is mapped through a user namespace to an
unprivileged UID on the host.
Related to security, the main benefit of rootless containers is that even if the
container engine, runtime, or orchestrator is compromised, the attacker does not gain
root privileges on the host.
Rootless containers have limitations. Since the engine runs as a non-root user, it
does not have access to all the features of the operating system. Some limitations are
documented here: https://github.com/containers/podman/blob/master/rootless.md. For
example, you cannot publish a host port below 1024 unless the host's
net.ipv4.ip_unprivileged_port_start sysctl is lowered.
Rootful Containers:
-------------------
1. Managing & Modifying an HTTPD Container: host your own page in a container.
# podman images
REPOSITORY               TAG     IMAGE ID      CREATED      SIZE
docker.io/library/httpd  latest  c58ef9bfbb57  2 weeks ago  148 MB
# podman ps
CONTAINER ID  IMAGE                           COMMAND           CREATED         STATUS             PORTS                 NAMES
8501eb90ffca  docker.io/library/httpd:latest  httpd-foreground  14 seconds ago  Up 14 seconds ago  0.0.0.0:8080->80/tcp  mywebpage
# podman top -l
USER      PID  PPID  %CPU   ELAPSED        TTY    TIME  COMMAND
root      1    0     0.000  56.921118504s  pts/0  0s    httpd -DFOREGROUND
www-data  7    1     0.000  56.921248427s  pts/0  0s    httpd -DFOREGROUND
www-data  8    1     0.000  56.921275417s  pts/0  0s    httpd -DFOREGROUND
www-data  9    1     0.000  56.92130386s   pts/0  0s    httpd -DFOREGROUND
# curl 192.168.196.128:8080
<html><body><h1>It works!</h1></body></html>
root@8501eb90ffca:/usr/local/apache2# ls
bin build cgi-bin conf error htdocs icons include logs modules
root@8501eb90ffca:/usr/local/apache2# cd htdocs/
root@8501eb90ffca:/usr/local/apache2/htdocs# exit
exit
# mkdir /html
# echo Please Subscribe Our Nehra Classes Youtube Channel. > /html/index.html
# cat /html/index.html
Please Subscribe Our Nehra Classes Youtube Channel.
# podman stop -a
# podman rm -a
# podman ps
CONTAINER ID  IMAGE                           COMMAND           CREATED        STATUS            PORTS                 NAMES
46d89e797eeb  docker.io/library/httpd:latest  httpd-foreground  3 seconds ago  Up 3 seconds ago  0.0.0.0:8080->80/tcp  mywebpage
# curl 192.168.196.128:8080
Please Subscribe Our Nehra Classes Youtube Channel.
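The "host your own page" procedure above, written out as a script. This is an added example, not the commands from the original session: it assumes podman is installed and run as root (rootful), the image docker.io/library/httpd, a host directory /html holding index.html (override with HTML_DIR), and that the bind mount carries the :Z option because the host may run SELinux. The function names (content_dir_ready, start_webpage, show_users, cleanup) are chosen here.

```shell
#!/bin/sh
# Added example: serve a host directory from the httpd container (rootful podman).
# Assumptions: podman present and run as root; image docker.io/library/httpd;
# host directory /html (override with HTML_DIR); :Z for SELinux relabelling.
set -u

IMAGE=docker.io/library/httpd
NAME=${NAME:-mywebpage}
HOST_PORT=${HOST_PORT:-8080}
HTML_DIR=${HTML_DIR:-/html}

# Pre-flight: the directory bind-mounted over /usr/local/apache2/htdocs must exist
# and contain a non-empty index.html, otherwise httpd answers with an error page
# instead of our content.
content_dir_ready() {
    dir=$1
    [ -d "$dir" ] && [ -s "$dir/index.html" ]
}

# Start httpd detached, publish container port 80 on HOST_PORT and mount the host
# directory over the document root. :Z relabels it for SELinux (harmless elsewhere).
start_webpage() {
    podman run -d --name "$NAME" -p "$HOST_PORT:80" \
        -v "$HTML_DIR:/usr/local/apache2/htdocs:Z" "$IMAGE"
}

# Show which user each process inside the container runs as: only PID 1 should be
# root, the worker processes should be www-data.
show_users() {
    podman top "$NAME" user pid comm
}

# Stop and remove the container (errors ignored if it is already gone).
cleanup() {
    podman stop "$NAME" >/dev/null 2>&1
    podman rm "$NAME" >/dev/null 2>&1
}

# Usage: sh host-page.sh run      (the functions alone are defined otherwise)
if [ "${1:-}" = run ]; then
    content_dir_ready "$HTML_DIR" || { echo "$HTML_DIR/index.html missing or empty" >&2; exit 1; }
    start_webpage
    show_users
    curl -s "http://127.0.0.1:$HOST_PORT/"
fi
```

Run it as root with `sh host-page.sh run`; call `cleanup` (or `podman stop -a; podman rm -a` as in the session) before re-running with a different directory.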
--------------------------------------
# podman images
REPOSITORY               TAG     IMAGE ID      CREATED      SIZE
docker.io/library/mysql  latest  b2500a44757f  3 days ago   529 MB
docker.io/library/httpd  latest  c58ef9bfbb57  2 weeks ago  148 MB
# podman ps
CONTAINER ID  IMAGE                           COMMAND           CREATED        STATUS            PORTS                   NAMES
46d89e797eeb  docker.io/library/httpd:latest  httpd-foreground  9 minutes ago  Up 9 minutes ago  0.0.0.0:8080->80/tcp    mywebpage
29d8c22da25d  docker.io/library/mysql:latest  mysqld            4 seconds ago  Up 4 seconds ago  0.0.0.0:3306->3306/tcp  mysql
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> exit
Bye
------------------------------------------
Rootless Containers:
Rootless containers refers to the ability of an unprivileged user to create, run
and otherwise manage containers. Each user has a separate image and container
store (for root /var/lib/containers/storage, for a normal user
~/.local/share/containers/storage), so the images pulled as root above are not
visible to vikasnehra and podman images is empty for the new user.
# su - vikasnehra
[vikasnehra@nehraclasses ~]$ podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
$ podman info
$ cd /home/vikasnehra/.local/share/containers/storage/
$ podman ps
# cat /etc/os-release
# exit
---------------------------------------------
2. Limitation of rootless containers: a rootless user cannot publish a host port below 1024 (the kernel's default net.ipv4.ip_unprivileged_port_start), so the container below maps port 80 to host port 4444 instead.
$ podman images
$ podman rm myhttpd
$ podman rm myhttpd
$ podman ps
CONTAINER ID  IMAGE                           COMMAND           CREATED         STATUS             PORTS                 NAMES
3fbdbdb2f0ae  docker.io/myage/myubi:latest    /bin/bash         10 minutes ago  Up 10 minutes ago                        myubi
93dfd8a27d16  docker.io/library/httpd:latest  httpd-foreground  3 seconds ago   Up 4 seconds ago   0.0.0.0:4444->80/tcp  myhttpd
$ curl 192.168.196.128:4444
<html><body><h1>It works!</h1></body></html>
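A pre-flight check for the port limitation discussed in the introduction and shown in item 2 above. This is an added example, not part of the original session: it reads the kernel's net.ipv4.ip_unprivileged_port_start sysctl (assumed to default to 1024 when it cannot be read) and tells you whether a given host port can be published by a rootless user before you type `podman run -p`; the podman_is_rootless helper assumes a recent podman that exposes the .Host.Security.Rootless field in `podman info`. Function names are chosen here.

```shell
#!/bin/sh
# Added example: decide whether a rootless podman user may publish a host port.
# Assumptions: Linux with /proc mounted; kernel default 1024 if the sysctl is
# unreadable; "podman info --format" with the .Host.Security.Rootless field.

# Lowest port an unprivileged process may bind: the kernel sysctl
# net.ipv4.ip_unprivileged_port_start (default 1024).
unprivileged_port_start() {
    f=/proc/sys/net/ipv4/ip_unprivileged_port_start
    if [ -r "$f" ]; then cat "$f"; else echo 1024; fi
}

# rootless_can_publish PORT [START]
# exit 0: PORT is publishable by a rootless user; 1: PORT is below the threshold;
# 2: PORT is not a valid port number. START defaults to the live sysctl value.
rootless_can_publish() {
    port=$1
    start=${2:-$(unprivileged_port_start)}
    case $port in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 2
    [ "$port" -ge "$start" ]
}

# Prints true or false: is this podman invocation rootless?
podman_is_rootless() {
    podman info --format '{{.Host.Security.Rootless}}'
}

# Usage: sh check-port.sh PORT
if [ -n "${1:-}" ]; then
    rc=0
    rootless_can_publish "$1" || rc=$?
    case $rc in
        0) echo "port $1: can be published rootless (threshold $(unprivileged_port_start))" ;;
        1) echo "port $1 is below $(unprivileged_port_start): map to a high port instead (e.g. -p 4444:80)"
           echo "  or, as root, lower the threshold: sysctl net.ipv4.ip_unprivileged_port_start=$1" ;;
        *) echo "port $1 is not a valid port number" >&2; exit 2 ;;
    esac
fi
```

`sh check-port.sh 80` as vikasnehra explains why `-p 80:80` fails, and `sh check-port.sh 4444` confirms the mapping used in item 2. Lowering the sysctl is a host-wide change that lets every unprivileged process bind those ports, so prefer a high host port where you can.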
======================================