ES-Nix / podman-rootless

Example of using nix + flakes to have podman rootless working
MIT License
15 stars 0 forks

Running container in read-only mode #3

Open PedroRegisPOAR opened 3 years ago

PedroRegisPOAR commented 3 years ago

TODO: add idiomatic examples of --read-only flag, http://docs.podman.io/en/latest/markdown/podman-run.1.html#running-container-in-read-only-mode

About Kubernetes read-only volumes:

TODO: it could be a good thing to enable --no-allow-new-privileges in nix.

ubuntu@ip-*:~$ stat /root
  File: /root
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: ca01h/51713d    Inode: 3800        Links: 4
Access: (0700/drwx------)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2020-06-11 19:37:20.799020157 +0000
Modify: 2021-04-19 22:36:43.596000000 +0000
Change: 2021-04-19 22:36:43.596000000 +0000
 Birth: -

Thanks! Yes, I also found the standard way to configure environments for services using that systemd command systemctl edit nix-daemon.service. I agree that given the common security practice of nonexecutable /tmp nix-daemon should have some configuration settings to set TMPDIR. https://discourse.nixos.org/t/custom-tmpdir-for-nix-env/4696/3

We are blocking you based on Namespaced Capabilities. By default containers do not get CAP_SYS_ADMIN. https://unix.stackexchange.com/a/619334

troubleshooting.md file from the official repository: podman run --rootfs link/to//read/only/dir does not work

Packaging microservices with nix - Jonas Chevalier

NYLUG Presents: Sneaking in Nix - Building Production Containers with Nix

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_atomic_host/7/html/managing_containers/finding_running_and_building_containers_with_podman_skopeo_and_buildah

https://github.com/containers/podman/blob/main/rootless.md

https://www.redhat.com/sysadmin/tiny-containers

Docker Capabilities and no-new-privileges
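The following is an added example, not code from the ES-Nix/podman-rootless repository or from the issue author, showing the idiomatic combination of `--read-only` with an explicit non-executable tmpfs for `/tmp`, podman's own `--security-opt no-new-privileges` spelling of the no-new-privileges bit, and `--cap-drop=all`. The helper functions only compose the argument list so they can be inspected without a container runtime; the probe at the end assumes `podman` is on PATH and defaults to the public `docker.io/library/alpine:3.19` image (an assumed choice, any image with `sh` works).

```shell
#!/usr/bin/env sh
# Added example (not from the ES-Nix/podman-rootless repo): flags for a
# read-only rootless container, plus a probe that checks the result.

# Emit the hardening flags one per line so other scripts can reuse them.
ro_flags() {
  # Mount the image root filesystem read-only.
  echo "--read-only"
  # Do not let podman add writable tmpfs on /tmp, /run and /var/tmp
  # implicitly; declare the writable paths explicitly instead.
  echo "--read-only-tmpfs=false"
  # Writable scratch space following the non-executable /tmp practice.
  echo "--tmpfs"
  echo "/tmp:rw,noexec,nosuid,nodev,size=64m"
  # Prevent setuid/setcap binaries from gaining privileges in the container.
  echo "--security-opt"
  echo "no-new-privileges"
  # Start from zero capabilities; add back only what the workload needs.
  echo "--cap-drop=all"
}

# Number of argv entries emitted by ro_flags (used for self-checks).
ro_flag_count() {
  ro_flags | wc -l | tr -d ' '
}

# Run a throwaway container with those flags and verify that / rejects
# writes while /tmp accepts them. Prints "ok" on success. Requires podman.
# $1: image reference (assumed default: docker.io/library/alpine:3.19).
run_ro_probe() {
  image="${1:-docker.io/library/alpine:3.19}"
  # Word splitting is intended here: each line of ro_flags is one argument
  # and none of them contain whitespace.
  # shellcheck disable=SC2046
  podman run --rm $(ro_flags) "$image" sh -c '
    if touch /probe 2>/dev/null; then echo "root fs is writable"; exit 1; fi
    touch /tmp/probe || { echo "/tmp is not writable"; exit 1; }
    echo ok'
}

# Usage: sh this_script.sh --run [image]
if [ "${1:-}" = "--run" ] && command -v podman >/dev/null 2>&1; then
  run_ro_probe "$2"
fi
```

If a workload needs another writable path (a PID file directory, a cache), add a further `--tmpfs` entry rather than dropping `--read-only`; that keeps the writable surface enumerable in the unit file or shell script that starts the container.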