Securing podman socket access for rootful userns=auto?

[Lombra]

Hi,

Trying to set up a rootful userns=auto environment, with traefik as a reverse proxy. It needs access to the podman socket, but simply mounting it effectively gives the container root access, as far as I understand. What are my options here?

[eriksjolund]

Just an idea:
Create a new systemd generator similar to podman-system-generator but that handles files with some new suffix (for example .mycontainer instead of .container).

Let the new generator create static file configuration for traefik with

providers.file.directory

providers.file.filename

Maybe you already are thinking along those lines? I read your other discussion thread that has the title Extending systemd generator?.

[Lombra]

I did consider using a different provider, but I did not consider using a systemd generator for this. Sounds like that could work well. Thanks!

[Lombra]

Welp, apparently generators are not meant for generating arbitrary files. I only have write access in /run/systemd/generator, and while I guess I could place the configuration file there, it doesn't seem right.

[eriksjolund]

Interesting, I didn't know about the write access.

and while I guess I could place the configuration file there, it doesn't seem right.

I agree

[Lombra]

New idea; generate a dropin per container, creating and deleting traefik files on ExecStartPost and ExecStopPost.

[Lombra]

New idea; generate a dropin per container, creating and deleting traefik files on ExecStartPost and ExecStopPost.

Leaving it as unsolved, as it doesn't really answer the original question, but I ended up doing this instead, using the solution from #28517 (comment), combined with a script that generates traefik configuration in a watched traefik directory.

[Luap99]

but simply mounting it effectively gives the container root access, as far as I understand.

correct, but well with userns=auto the container cannot have access to the socket as the "random" uid would not allow access to the real root owned socket. So unless you give any uid access to the socket that will not work, asand well one should not give any uid access to the root podman.sock

IMO all these auto service discovery via podman/docker.sock are insecure by design and should be avoided. I use traefik just fine via the file provider. I do not find the labels particular ergonomic either.

Yes it then means you need to configure the traefik config in one file and the container in another but I see no issues with that.

[Lombra]

Thanks. I will just try to build a systemd generator to generate the traefik configuration.