@x_cli One question about the proper use of containers (*not* VM, only containers). Is it reasonable to give root access in a container to someone who is not root on the host? I always thought the answer was No and this is how I manage containers. The report mention "public cloud service". Are there services where tenants have root access to a container?
Unfortunately many use cases require some kind of privileges inside the container, starting with privilege drop itself when running a daemon that requires different levels of privilege for listening on a port, writing to logs or serving requests.
User namespaces offer useful features and can hopefully be combined with fine-tuned caps and seccomp to "safely" offer "root" inside the container.
@x_cli We should obviously not. But services who rent containers as full-featured "VPS" want their tenant to be able to run.. Apache for instance. This either requires to fine-tune a user namespace and capability assignment so that the container can have a namespaced root user, listen on a privileged port, then setuid to a less privileged user ; or to provide basic unrestricted root access in the container. Guess what happens most of the time :)
On « Tweet » sur Twitter ; on « Toot » sur Mastodon. Sur ce réseau social plein de libertés, TeDomum met à disposition une modeste instance. N'hésitez pas à nous solliciter pour la modération ou des ajustements de configuration.