
Understanding Root

Inside and Outside of a Container

Scott McCarty

Principal Product Manager


CONFIDENTIAL Designator


Understanding the problem

Understanding root inside and outside of the container

People often ask all kinds of questions about root, rootless, privileged, and unprivileged containers.

There is a lot of confusion. This talk will attempt to clarify things in a new and thorough way.



UNDERSTANDING


Root Outside, Root Inside:

# whoami
root
# podman run -it ubi8 bash
# whoami
root

User Outside, Root Inside:

$ whoami
fatherlinux
$ podman run -it ubi8 bash
# whoami
root

Root Outside, User Inside:

# whoami
root
# podman run -itu sync ubi8 bash
$ whoami
sync

User Outside, User Inside:

$ whoami
fatherlinux
$ podman run -itu sync ubi8 bash
$ whoami
sync

Twitter: @fatherlinux

UNDERSTANDING

Demo 1: Basics


What is a user?

To understand root, you must understand what a user is...

Everything in Unix is a file, right? Sure, but remember that there are data structures in memory too; they are just exposed as files.


Inspecting the user ID of a process

ANALYSIS

Snapshot the process ID table:

ps -ef

Continually monitor the process ID table:

top

Manually inspect the process ID table:

cat /proc/<pid>/status

UNDERSTANDING

Demo 2: Inspecting Processes


Types of User IDs

ANALYSIS


Real ID

Never changes once a process is started. Represents the actual user account that logged in.

Saved ID

Used when a setuid program drops privileges to another user.

Effective ID

Can be controlled by setuid programs like passwd. Often used to give users root in specific contexts.

Filesystem ID

Not really used anymore.


UNDERSTANDING

Demo 3: Effective User ID


User Namespaces

ANALYSIS


Without user namespaces:

Host: root uid=0, fatherlinux uid=1001
Podman and the containers: uid=0, uid=1001 (the same IDs as on the host)

With user namespaces:

Host: root uid=0, fatherlinux uid=1001
Podman: uid=165536+ (the subuid range the container's IDs are mapped to)
Containers: uid=0, uid=1001
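Added example (not from the slides): a POSIX shell script that decodes the Uid: line of /proc/<pid>/status into the four IDs listed under Types of User IDs, and walks /proc/<pid>/uid_map to show which host uid a uid seen inside a rootless container maps to. The status and uid_map contents are constructed from the slide values (fatherlinux is host uid 1001, the subuid range starts at 165536); the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: decode the Uid: line of /proc/<pid>/status into the four IDs
# the deck lists (real, effective, saved, filesystem) and translate a uid seen
# inside a user namespace into the uid the host sees, using the
# /proc/<pid>/uid_map format: <first id inside> <first id outside> <count>.

# uid_fields "<contents of /proc/<pid>/status>" -> "real=R effective=E saved=S fs=F"
uid_fields() {
    printf '%s\n' "$1" | awk '/^Uid:/ {
        printf "real=%s effective=%s saved=%s fs=%s\n", $2, $3, $4, $5; exit }'
}

# map_uid "<contents of /proc/<pid>/uid_map>" <uid inside> -> uid outside, or "unmapped"
map_uid() {
    printf '%s\n' "$1" | awk -v id="$2" '
        $1 <= id && id < $1 + $3 { print id - $1 + $2; found = 1; exit }
        END { if (!found) print "unmapped" }'
}

# Constructed sample data (not captured from a real system): a root shell inside a
# rootless container started by fatherlinux (host uid 1001), whose subuid range
# starts at 165536 as on the slide. Inside uid 0 -> host 1001, inside 1..65536 -> 165536+.
SAMPLE_STATUS=$(printf 'Name:\tbash\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n')
SAMPLE_UID_MAP=$(printf '%s\n' '         0       1001          1' '         1     165536      65536')

# Live inspection of any pid (or "self") on a Linux host: prints the four IDs,
# then where inside uids 0, 1 and 1001 land on the host.
inspect_pid() {
    uid_fields "$(cat "/proc/$1/status")"
    for id in 0 1 1001; do
        printf 'uid %s inside -> %s on the host\n' "$id" \
            "$(map_uid "$(cat "/proc/$1/uid_map")" "$id")"
    done
}

if [ -r /proc/self/uid_map ]; then inspect_pid self; fi
```

Run it from inside a rootless container and from the host to see the same process described by two different uid values.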


UNDERSTANDING

Demo 4: Namespaces


Wait, There’s More

WHAT DOES IT MEAN WHEN I RUN A ROOTLESS CONTAINER WITH THE --privileged OPTION?

OK, so now you understand root in and out of the container, but what about --privileged?


MORE

SELinux

  • Who you can talk to: which objects in the kernel can communicate with other objects

SECCOMP

  • What you can say: limiting system calls is like limiting what words can be said
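Added example (not from the slides): a POSIX shell script that reports whether a process is actually confined by the two mechanisms above, reading the Seccomp: field of the same /proc/<pid>/status file used in the inspection demo and the SELinux label in /proc/<pid>/attr/current. The sample status text and label are constructed, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: check whether a process is confined by seccomp and SELinux,
# the two things the deck names when asking what --privileged changes.

# seccomp_mode "<contents of /proc/<pid>/status>" -> disabled | strict | filter | unknown
# The Seccomp: value is documented in proc(5): 0 = disabled, 1 = strict, 2 = filter.
seccomp_mode() {
    printf '%s\n' "$1" | awk '/^Seccomp:/ {
        if ($2 == 0) print "disabled"; else if ($2 == 1) print "strict"; else print "filter"
        found = 1; exit }
        END { if (!found) print "unknown" }'
}

# selinux_type "<contents of /proc/<pid>/attr/current>" -> the type field of the label
# A label reads user:role:type:level. container_t is the confined container type,
# spc_t is what a --privileged container gets, unconfined_t means no confinement.
selinux_type() {
    printf '%s\n' "$1" | awk -F: '{ print $3; exit }'
}

# Constructed sample data (not captured from a real system) standing in for a
# confined container process: seccomp filter mode and a container_t label.
SAMPLE_STATUS=$(printf 'Name:\tbash\nSeccomp:\t2\nSeccomp_filters:\t1\n')
SAMPLE_LABEL='system_u:system_r:container_t:s0:c123,c456'

# Live check of the current process (only on a Linux host).
if [ -r /proc/self/status ]; then
    printf 'seccomp: %s\n' "$(seccomp_mode "$(cat /proc/self/status)")"
    if [ -r /proc/self/attr/current ]; then
        printf 'selinux type: %s\n' "$(selinux_type "$(cat /proc/self/attr/current)")"
    fi
fi
```

Run it inside a container started with and without --privileged to see the seccomp mode drop to disabled and the label change from container_t to spc_t.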

UNDERSTANDING

Demo 4: Privileged Containers


Roadmap

WHAT DOES IT MEAN WHEN I RUN A ROOTLESS CONTAINER WITH THE --privileged OPTION?



apiVersion: v1
kind: Pod
metadata:
  name: userns-pod
  annotations:
    io.kubernetes.cri-o.userns-mode: "auto"
spec:
  containers:
  - command:
    - sleep
    - 1d
    image: registry.fedoraproject.org/fedora
    name: userns-ctr
    imagePullPolicy: IfNotPresent
  runtimeClassName: userns-class
status: {}

ANALYSIS


  • Challenge: users want to run root in a container with less risk (user namespaces reduce the risk but do not completely mitigate it)
  • Challenge: users want to run container image builds with less privilege
  • Initially targeted for usage by subsystem teams within OpenShift
  • Invoked through a RuntimeClass (runtimeClassName) in the Kubernetes YAML
  • Will expand to target OpenShift users as it matures
  • Targeting OpenShift 4.7/48 (March-June 2021)



ROADMAP


  • Challenge: NFS Servers and Clients don’t know about user namespaces
  • User ID in the container gets mapped to the subuid range outside the container
  • The NFS server will reject changes from these IDs in the subuid range
  • Giuseppe Scrivano is working to hide these IDs in the extended attributes of a file and map them to the regular user’s ID so the NFS server will accept requests
  • Targeting RHEL 8.5 (targeted for November 2021)
  • Secondary Challenge: some NFS Servers and Clients don’t support extended attributes



ROADMAP


  • Challenge: Users want to centrally manage /etc/subuid and /etc/subgid
  • Useful in HPC, Laptops/Desktops, and with NFS mounts
  • Working with the FreeIPA, glibc, and kernel teams to figure out the best way to manage these files/entries
  • There are a lot of ways to tackle this problem
    • Could manage the files
    • Could handle in the system calls
  • Targeting RHEL 8.5 (targeted for November 2021)



Source Material

WHAT DOES IT MEAN WHEN I RUN A ROOTLESS CONTAINER WITH THE --privileged OPTION?

People often ask all kinds of questions about root, rootless, privileged, and unprivileged containers. There seems to be a ton of confusion. This talk will attempt to clarify things in a new and thorough way.



SOURCE MATERIAL



Thank you

Red Hat is the world’s leading provider of enterprise open source software solutions. Award-winning support, training, and consulting services make Red Hat a trusted adviser to the Fortune 500.


linkedin.com/company/red-hat

youtube.com/user/RedHatVideos

facebook.com/redhatinc

twitter.com/RedHat