Monday, August 28, 2023

Rootless Podman Privileged Port Binding

podman is a cool docker-replacement that is right at home on Linux. Among other cool party tricks, it is able to run containers (after some configuration, mostly subuid/subgid ranges) as a normal non-root user. This is good because a container breakout will not grant a root shell, but rather just that user's shell (and you can further isolate things by making that a dedicated "container-only" user). Great!

Just one problem: ye olde "privileged ports", otherwise known as any port number below 1024. On Linux only a process with CAP_NET_BIND_SERVICE (in practice, root) may bind them, the idea being that a service on a well-known port can be trusted because an unprivileged user could not have grabbed it. Thus, if you wanted to run things like nginx or AdGuardHome which bind to ports like 80 and 53, you had to run your container as root.

This is not very nice for security, but it also limits you in other ways: root's podman keeps its own containers, images and networks, so a container started with sudo cannot join the network namespaces of your rootless containers, which is lame. Apart from the one step where podman binds the privileged port on the host, a container like nginx or AdGuardHome runs entirely fine as a non-root user.

You can do a fun little trick with sudo sysctl net.ipv4.ip_unprivileged_port_start=0, which removes the protection from every port below 1024 (the value is the lowest port an unprivileged process may bind, so you can also set it to just 53 or 80 instead of 0). Leaving it there is not great, since that protection exists for a reason: with the floor at 0, any local user can grab port 53 or 80 and impersonate the service. But you can get the best of both worlds by dropping the port floor, starting the container so it binds its ports, and then resetting the floor back to the original 1024 in the background; the sysctl only affects new bind() calls, so a socket that is already listening keeps its port after the floor goes back up. I've just updated my container scripts to launch AdGuardHome and Cloudflared as a non-root user using this nice little trick.

It's brittle, since if the startup takes more than ~3 seconds, the ports are protected again before the container binds them, and the same dance is needed every time the container starts, such as after a reboot. I also haven't tested various scenarios in the no-worky path, but the happy path of the container launching and the services working is performing fine with this fun little shell workaround. Nerdy stuff.
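Here is one way to script the trick, as an added example and not the author's own container scripts. It assumes sudo may run sysctl, that iproute2's ss is available for the port check, and that whatever follows the port list is your usual podman run invocation; the container name, image and ports in the usage comment are placeholders. Instead of sleeping for a fixed ~3 seconds, it lowers the floor only as far as the lowest port needed, waits until the ports are actually listening, and restores the original floor on exit whether or not the start succeeded:

```sh
#!/bin/sh
# Added example, not the author's scripts. Lower the unprivileged-port
# floor just far enough for a rootless container, start it, wait for its
# ports to be bound, then put the floor back (on failure too).
set -eu

SYSCTL_KEY="net.ipv4.ip_unprivileged_port_start"
ORIG_FLOOR=""   # saved by run_with_low_ports, read by the EXIT trap

# Lowest port in a whitespace-separated list: "80 443 53" -> 53.
lowest_port() {
    lowest=""
    for p in $1; do
        if [ -z "$lowest" ] || [ "$p" -lt "$lowest" ]; then
            lowest="$p"
        fi
    done
    printf '%s\n' "$lowest"
}

# True (exit 0) when port $2 is below floor $1 and the floor must drop.
needs_lowered_floor() {
    [ "$2" -lt "$1" ]
}

current_floor() {
    sysctl -n "$SYSCTL_KEY"
}

# Assumes sudo is allowed to run sysctl.
set_floor() {
    sudo sysctl -q -w "$SYSCTL_KEY=$1"
}

restore_floor() {
    if [ -n "$ORIG_FLOOR" ]; then
        set_floor "$ORIG_FLOOR"
    fi
}

# Poll until every listed port has a listening TCP or UDP socket on the
# host, or give up after $2 seconds (default 30).
wait_for_ports() {
    ports="$1"; timeout="${2:-30}"; start=$(date +%s)
    while :; do
        all_up=1
        for p in $ports; do
            ss -Hlntu "sport = :$p" | grep -q . || all_up=0
        done
        [ "$all_up" -eq 1 ] && return 0
        [ $(( $(date +%s) - start )) -ge "$timeout" ] && return 1
        sleep 0.5
    done
}

# run_with_low_ports "<ports>" <command...>
run_with_low_ports() {
    ports="$1"; shift
    ORIG_FLOOR=$(current_floor)
    lowest=$(lowest_port "$ports")
    if ! needs_lowered_floor "$ORIG_FLOOR" "$lowest"; then
        "$@"          # nothing privileged requested; just run it
        return
    fi
    # Restore however we leave: success, podman error, or Ctrl-C
    # (exit from the INT/TERM handler runs the EXIT trap).
    trap restore_floor EXIT
    trap 'exit 1' INT TERM
    set_floor "$lowest"
    "$@"
    # Already-bound sockets keep their ports once the floor goes back up,
    # so only raise it after the port forwarder is actually listening.
    if ! wait_for_ports "$ports" 30; then
        echo "warning: ports not bound within 30s; restoring floor anyway" >&2
    fi
    restore_floor
    trap - EXIT INT TERM
}

# Usage (name, image and ports are placeholders):
#   sh lowports.sh "53 80" podman run -d --name adguard \
#       -p 53:53/udp -p 53:53/tcp -p 80:80 docker.io/adguard/adguardhome
if [ "$#" -gt 0 ]; then
    run_with_low_ports "$@"
fi
```

Because the floor is raised again as soon as the sockets are listening, the window in which another local user could bind those ports is only as long as the container's own startup, and a failed start never leaves the range open.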

Stay tuned!

========================
Follow pyamsoft around the Web for updates and announcements about the newest applications!
Like what I do?

Send me an email at: pyam.soft@gmail.com
Or find me online at: https://pyamsoft.blogspot.com

Follow my Facebook Page
Check out my code on GitHub
=========================