ez-org / eznode

✨ A simple pruning-friendly setup for a personal bitcoin full node
https://ezno.de
MIT License

Mention podman & rootless containers #9

Open emanuelb opened 3 years ago

emanuelb commented 3 years ago

Podman is an alternative to docker; it's already pre-installed in Fedora & other related OSes, so can you mention it as an alternative (after testing that it's working), aka the only dependency is either docker or podman. Also, rootless containers are already fully supported in recent docker & podman, for more info: https://rootlesscontaine.rs/ so it's also worth mentioning if it works when running under rootless containers.

shesek commented 3 years ago

Thanks for the suggestions!

Will definitely look into podman and mention it if it's compatible (or if making it compatible is straightforward).

eznode will not work as a rootless container in its current form; it uses separate user accounts for each service as a security measure. However, s6-overlay does support running as non-root, and it's possible that simply symlinking some user-related commands (adduser, useradd, s6-setuidgid, etc.) to /bin/true is all that's needed to make it work.

emanuelb commented 3 years ago

rootless container is not when adding the --user option to docker/podman run, but when the docker daemon or podman itself is running as a user who doesn't have root, aka install Fedora, add a foo user, log in, run containers with this user (without adding the user to a group like docker, or running with sudo, etc...)

so adduser commands inside the container will work; in my experience most of the time stuff just works. I only reported 1 issue triggered by it to the react-native-cli project (a ulimit call to increase limits failed because of it with an unhandled error, which broke other stuff). I run gitlab in a rootless container and it works, but I have seen some other users report problems, so it's better that someone tests this fully.

The easiest way is probably to install Fedora CoreOS/Desktop/Server/Silverblue, add a new user foo, log in with it, use podman to run the container and ensure everything in it is tested/works.

shesek commented 3 years ago

rootless container is not when adding the --user command to docker/podman run, but when the docker daemon or podman itself is running on user who don't have root

Right, but in both cases you're required to make things work without root capabilities, so they're similar in that sense.

I'm surprised to hear that adduser works without root, how come? Are you able to then actually use this user? At the very least, I assume that s6-setuidgid will break.

But changing these commands into NOOPs is straightforward and should make everything work.

emanuelb commented 3 years ago

how come?

using user namespaces & the newuidmap/newgidmap SUID binaries; explanations here (the "How it works" section on the website explains how rootless containers work): https://rootlesscontaine.rs/how-it-works/userns/#subuids--subgids-newuidmap--newgidmap The above website will answer most of the questions regarding it ^^

Are you able to then actually use this user?

yes, it works.

But changing these commands into NOOPs is straightforward and should make everything work.

you mean avoid user creation inside the container, and run everything under the user supplied with --user to the run command, or use the USER directive in the Dockerfile to change the user in it? it's kinda ok as well as an option/alternative maybe... (it's good in general, but here the container does too much stuff and runs different services, so it's hard to reason about until I dig into it & the relations between components). You can open another issue about it (and if you have a PR for it, ping me as I would like to see it), but it's not what this issue is about...

I tested this quickly with these commands on Fedora 33 as a regular user (that doesn't exist in any group besides its own):

mkdir -p ~/tmp/eznode;
podman run -it --rm --name ez -v ~/tmp/eznode:/data:Z docker.io/eznode/eznode VERBOSE=1 SPECTER=1 TOR=1

The additional :Z is for SELinux relabeling, to enable only this container to access the volume/eznode dir...

and it looks like it is working (visiting the .onion endpoints of "Specter Desktop" & the Explorer over Tor works), still it's better to mention it after more testing (also worth watching the logs while testing that the functionality itself is working) as I just exited the container after this simple test.
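As an added example (not from the eznode project or from either participant in this thread): a POSIX shell script that applies the subuid/newuidmap mechanism linked above to the question the thread raises, namely which host UIDs the per-service accounts eznode creates inside the container land on when podman runs rootless, and which container UIDs have no mapping at all. The /etc/subuid table is constructed, and the user "foo" with host uid 1000 is the hypothetical rootless user from the discussion.

```shell
#!/bin/sh
# Added example, not from the eznode repo or this thread. Shows how the
# subuid/newuidmap mapping behind rootless podman translates container UIDs
# (e.g. eznode's per-service users) into unprivileged host UIDs.
# The /etc/subuid table below is CONSTRUCTED; "foo" (host uid 1000) is the
# thread's hypothetical rootless user.
SAMPLE_SUBUID='root:100000:65536
foo:165536:65536
bar:231072:65536'

# subuid_range USER [CONTENT]: print "START COUNT" for USER's subordinate
# UID range (reads /etc/subuid when CONTENT is omitted); exit 1 if absent.
subuid_range() {
  _u="$1"; _c="${2:-$(cat /etc/subuid)}"
  printf '%s\n' "$_c" | awk -F: -v u="$_u" '
    $1 == u { print $2, $3; found = 1 }
    END { exit !found }'
}
# map_uid OWNER_UID START COUNT CONTAINER_UID: host UID under podman's
# default rootless mapping: container root becomes the invoking user,
# container 1..COUNT become START..START+COUNT-1. A UID past COUNT has no
# mapping, so adduser/s6-setuidgid for it would fail inside the container.
map_uid() {
  _owner="$1"; _start="$2"; _count="$3"; _cuid="$4"
  if [ "$_cuid" -eq 0 ]; then echo "$_owner"
  elif [ "$_cuid" -le "$_count" ]; then echo $((_start + _cuid - 1))
  else return 1
  fi
}
# subuid_overlaps CONTENT: exit 0 (and print the pair) if two users' ranges
# share UIDs, which would let their rootless containers collide on the host.
subuid_overlaps() {
  printf '%s\n' "$1" | awk -F: '
    { u[NR] = $1; s[NR] = $2; e[NR] = $2 + $3 - 1 }
    END { for (i = 1; i <= NR; i++) for (j = i + 1; j <= NR; j++)
            if (s[i] <= e[j] && s[j] <= e[i]) { print u[i], u[j]; bad = 1 }
          exit !bad }'
}
# newuidmap_ok: rootless podman needs setuid-root newuidmap/newgidmap to
# write the mapping (distros using file capabilities instead are not checked).
newuidmap_ok() {
  for _b in newuidmap newgidmap; do
    _p=$(command -v "$_b") || return 1
    [ -u "$_p" ] || return 1
  done
}
# Demo: where does a service user created as uid 1001 inside foo's container land?
_r=$(subuid_range foo "$SAMPLE_SUBUID")
echo "container uid 1001 -> host uid $(map_uid 1000 ${_r% *} ${_r#* } 1001)"
newuidmap_ok || echo "newuidmap/newgidmap missing or not setuid: rootless podman will fail"
```

Run it on the real host by dropping the second argument to subuid_range so it reads /etc/subuid; the overlap check is the one to add to a provisioning script, since overlapping ranges silently remove the isolation between two users' containers.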