Hi everyone!
I'm in the process of finally doing containers right in my NixOS installation. This is my 'wishlist':
- podman containers should be run by users with minimal permissions
- separate user per container
- containers managed by systemd services for easier management
My current work-in-progress setup looks like this:
For each service (called $name), I have:
- a user and corresponding group (referred to as
$uidin the following) - a directory
/srv/$nameowned by$uid, in which mounted volumes are located
My containers are declared like this:
virtualisation.oci-containers.containers = {
$name = {
image = ...;
ports = [ ... ];
volumes = [
"/srv/${name}/config:/config"
...
];
user = $uid:$gid;
extraOptions = [
"--security-opt=no-new-privileges:true"
];
};
};
Now for the parts I don't fully understand yet:
-
some images allow setting
environment.PUIDto specify a user. Does setting this option (and not settinguser=$uidin the container declaration itself) mean that the container will be run as root, and the program inside will merely usePUIDwhen e.g. creating files? This would still allow a malicious container to run commands as root on the host, right? -
virtualisation.oci-containers.containerscreates a systemd service. Since this is not a user-service for my user$uid, I need sudo to start/stop the container. Does that mean that the systemd service is run with root permissions, but it executes the command to spawn the container as$uid? If whatever is running inside the container was malicious, is there a functional difference between the container being started 'by root as$uid' and it being started by me (after logging in as$uid)? -
Is it feasible to make these systemd services user-services owned by
$uidinstead? -
Are there further hardening steps I forgot about?
Thanks for your input!
Granted. You should brush up on your tensor calculus, though.