Understanding Root Inside and Outside of a Container
Scott McCarty
Principal Product Manager
CONFIDENTIAL Designator
Understanding the problem
Understanding root inside and outside of the container
People often ask all kinds of questions about root, rootless, privileged, and unprivileged containers.
There is a lot of confusion. This talk will attempt to clarify things in a new and thorough way.
UNDERSTANDING
| | Root Outside | User Outside |
|---|---|---|
| Root Inside | `# whoami` → root; `# podman run -it ubi8 bash`; `# whoami` → root | `$ whoami` → fatherlinux; `$ podman run -it ubi8 bash`; `# whoami` → root |
| User Inside | `# whoami` → root; `# podman run -itu sync ubi8 bash`; `$ whoami` → sync | `$ whoami` → fatherlinux; `$ podman run -itu sync ubi8 bash`; `$ whoami` → sync |
Twitter: @fatherlinux
Demo 1: Basics
What is a user?
To understand root, you must understand what a user is...
Everything in Unix is a file, right? Sure, but remember there are data structures in memory too. They're just exposed as files.
Inspecting the user ID of a process
ANALYSIS
- Snapshot the process ID table: ps -ef
- Continually monitor the process ID table: top
- Manually inspect the process ID table: cat /proc/<pid>/status
Demo 2: Inspecting Processes
Types of User IDs
- Real ID: Never changes once a process is started. Represents the actual user account logged in.
- Saved ID: Used when a setuid program drops privileges to another user.
- Effective ID: Can be controlled by setuid programs like passwd. Often used to give users root in specific contexts.
- Filesystem ID: Not really used anymore.
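The "manually inspect" method above (cat /proc/<pid>/status) and the four ID types are easiest to understand by reading the Uid: line of that file, which lists real, effective, saved and filesystem IDs in that order. The script below is an added example, not code from the slides: the function names (uid_fields, uid_summary, pid_uids) are my own, and SAMPLE_STATUS is a constructed status snippet standing in for a uid 1001 user running a setuid-root program, not a real capture.

```sh
#!/bin/sh
# Added example (not from the slides): pull the four user IDs of a process out
# of /proc/<pid>/status, the file the "manually inspect" method reads.
# The Uid: line lists, in order: real, effective, saved, filesystem.

# Constructed sample status text, not a real capture: host user uid 1001 has
# run a setuid-root program (like passwd), so only the real ID stays 1001.
SAMPLE_STATUS="$(printf 'Name:\tpasswd\nPid:\t4242\nUid:\t1001\t0\t0\t0\nGid:\t1001\t1001\t1001\t1001\n')"

# uid_fields STATUS_TEXT -> "real=R effective=E saved=S fs=F"
uid_fields() {
    printf '%s\n' "$1" | awk '/^Uid:/ { printf "real=%s effective=%s saved=%s fs=%s\n", $2, $3, $4, $5; exit }'
}

# uid_summary STATUS_TEXT -> one line describing how the IDs relate
uid_summary() {
    # word splitting of the awk output into $1..$4 is intended
    set -- $(printf '%s\n' "$1" | awk '/^Uid:/ { print $2, $3, $4, $5; exit }')
    real=$1 effective=$2 saved=$3
    if [ "$real" = "$effective" ] && [ "$real" = "$saved" ]; then
        echo "plain: real, effective and saved ids are all $real"
    elif [ "$effective" = 0 ] && [ "$saved" = 0 ]; then
        echo "setuid-root: real uid $real is running with effective uid 0"
    else
        echo "changed: real=$real effective=$effective saved=$saved"
    fi
}

# pid_uids PID -> the same report for a live process (Linux only; "self" works)
pid_uids() {
    if [ -r "/proc/$1/status" ]; then
        uid_fields "$(cat "/proc/$1/status")"
    else
        echo "no /proc/$1/status here"
    fi
}

# Stand-alone run: the constructed sample, then this shell itself.
uid_fields "$SAMPLE_STATUS"
uid_summary "$SAMPLE_STATUS"
pid_uids self
```

Note that `whoami` in the table at the start of the deck reports the effective ID, which is why a setuid program and a container started with `-u sync` both show a different name than the real account that launched them.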
Demo 3: Effective User ID
User Namespaces
[Diagram: two UID maps, each with columns Host, Podman, Container 1 and Container 2, and rows for root (uid=0) and fatherlinux (uid=1001). Without user namespaces, the same uid=0 and uid=1001 appear again in the Podman and container columns. With user namespaces, the values shown are uid=165536+ followed by uid=0 and uid=1001 for the container columns.]
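The diagram's "uid=165536+" comes from the subordinate UID range that a rootless Podman user namespace maps container IDs into. The kernel publishes that mapping in /proc/<pid>/uid_map, one line per range: first ID inside the namespace, first ID on the host, number of IDs. The script below is an added example rather than anything from the slides; the functions map_uid and unmap_uid are my own names, and SAMPLE_UID_MAP is a constructed map that assumes host user 1001 (fatherlinux) with a subordinate range starting at 165536, the value on the slide.

```sh
#!/bin/sh
# Added example (not from the slides): translate UIDs across a user namespace
# using the format of /proc/<pid>/uid_map, one mapping per line:
#   <first uid inside the namespace> <first uid on the host> <number of uids>

# Constructed sample map, not a real capture. It assumes a rootless Podman
# container started by host user fatherlinux (uid 1001) whose subordinate UID
# range begins at 165536: uid 0 inside is the host user, uids 1 and up are
# drawn from the subordinate range.
SAMPLE_UID_MAP="$(printf '0 1001 1\n1 165536 65536\n')"

# map_uid UID_MAP INSIDE_UID -> host uid, or "unmapped" when no line covers it
map_uid() {
    printf '%s\n' "$1" | awk -v uid="$2" '
        NF == 3 && uid >= $1 && uid < $1 + $3 { print $2 + (uid - $1); found = 1; exit }
        END { if (!found) print "unmapped" }'
}

# unmap_uid UID_MAP HOST_UID -> uid inside the namespace, or "unmapped"
unmap_uid() {
    printf '%s\n' "$1" | awk -v uid="$2" '
        NF == 3 && uid >= $2 && uid < $2 + $3 { print $1 + (uid - $2); found = 1; exit }
        END { if (!found) print "unmapped" }'
}

# show_my_map -> the live map of this shell (Linux only)
show_my_map() {
    if [ -r /proc/self/uid_map ]; then cat /proc/self/uid_map; else echo "no /proc/self/uid_map here"; fi
}

# Stand-alone run: root inside the container is really fatherlinux on the host,
# uid 1001 inside is really 166536, and uids past the mapped range are unmapped
# (the kernel presents those as the overflow uid, 65534, i.e. nobody).
echo "inside 0     -> host $(map_uid "$SAMPLE_UID_MAP" 0)"
echo "inside 1001  -> host $(map_uid "$SAMPLE_UID_MAP" 1001)"
echo "inside 70000 -> host $(map_uid "$SAMPLE_UID_MAP" 70000)"
echo "host 1001    -> inside $(unmap_uid "$SAMPLE_UID_MAP" 1001)"
show_my_map
```

Running show_my_map inside a rootless container on a real host prints that container's own map; running it on the host shows the identity map `0 0 4294967295`, which is the "without user namespace" column of the diagram.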
Demo 4: Namespaces
Wait, There’s More
WHAT DOES IT MEAN WHEN I RUN A ROOTLESS CONTAINER WITH THE --privileged OPTION?
OK, so now you understand root in and out of the container, but what about --privileged?
MORE
SELinux
SECCOMP
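SELinux and seccomp are the two confinement layers the slide lists for --privileged, and both are visible from inside the container without any special tooling: /proc/self/status carries a Seccomp field (0 disabled, 1 strict, 2 filter) and the CapEff capability mask, and /proc/self/attr/current carries the SELinux label. The script below is an added example, not code from the slides; status_field, seccomp_mode, cap_count, confinement_summary and selinux_label are my own names, and the two STATUS strings are constructed snippets approximating a restricted and an unrestricted container, not real captures.

```sh
#!/bin/sh
# Added example (not from the slides): from inside a container, read the
# /proc/self/status fields that change when it was started with --privileged.
#   Seccomp:  0 = disabled, 1 = strict, 2 = filter
#   CapEff:   hex bitmask of the effective capabilities
# plus the SELinux label from /proc/self/attr/current.

# Constructed sample status snippets, not real captures. DEFAULT_STATUS uses a
# typical restricted capability mask (14 capabilities) with a seccomp filter
# loaded; PRIVILEGED_STATUS has seccomp off and all 41 capabilities (0..40).
DEFAULT_STATUS="$(printf 'Seccomp:\t2\nNoNewPrivs:\t0\nCapEff:\t00000000a80425fb\n')"
PRIVILEGED_STATUS="$(printf 'Seccomp:\t0\nNoNewPrivs:\t0\nCapEff:\t000001ffffffffff\n')"

# status_field STATUS_TEXT NAME -> value of the "NAME:" line
status_field() {
    printf '%s\n' "$1" | awk -v key="$2:" '$1 == key { print $2; exit }'
}

# seccomp_mode STATUS_TEXT -> disabled | strict | filter | unknown
seccomp_mode() {
    case "$(status_field "$1" Seccomp)" in
        0) echo disabled ;;
        1) echo strict ;;
        2) echo filter ;;
        *) echo unknown ;;
    esac
}

# cap_count STATUS_TEXT -> number of bits set in CapEff
cap_count() {
    n=$((0x$(status_field "$1" CapEff)))
    count=0
    while [ "$n" -ne 0 ]; do
        count=$((count + (n & 1)))
        n=$((n >> 1))
    done
    echo "$count"
}

# confinement_summary STATUS_TEXT -> one line a defender can log or alert on
confinement_summary() {
    echo "seccomp=$(seccomp_mode "$1") effective_caps=$(cap_count "$1")"
}

# selinux_label -> live label of this shell, if the kernel exposes one
selinux_label() {
    if [ -r /proc/self/attr/current ]; then
        tr -d '\0' < /proc/self/attr/current 2>/dev/null || echo "unavailable"
    else
        echo "unavailable"
    fi
}

# Stand-alone run
echo "default:    $(confinement_summary "$DEFAULT_STATUS")"
echo "privileged: $(confinement_summary "$PRIVILEGED_STATUS")"
if [ -r /proc/self/status ]; then
    echo "this shell: $(confinement_summary "$(cat /proc/self/status)")"
fi
echo "selinux label: $(selinux_label)"
```

A container whose summary reads seccomp=disabled with a full capability count and an unconfined SELinux label is one that --privileged (or an equivalent set of flags) has stripped of those layers; the user namespace mapping from the previous section is the only boundary left for a rootless container in that state.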
Demo 4: Privileged Containers
Roadmap
apiVersion: v1
kind: Pod
metadata:
  name: userns-pod
  annotations:
    io.kubernetes.cri-o.userns-mode: "auto"
spec:
  containers:
  - command:
    - sleep
    - 1d
    image: registry.fedoraproject.org/fedora
    name: userns-ctr
    imagePullPolicy: IfNotPresent
  runtimeClassName: userns-class
status: {}
ROADMAP
Source Material
People often ask all kinds of questions about root, rootless, privileged, and unprivileged containers. There seems to be a ton of confusion. This talk will attempt to clarify things in a new and thorough way.
SOURCE MATERIAL
Thank you
Red Hat is the world's leading provider of enterprise open source software solutions. Award-winning support, training, and consulting services make Red Hat a trusted adviser to the Fortune 500.