Can I allow a 2nd Linux user manage my container?

[paul-grozav]

I am trying to create a container that is "owned" by at least 2 individuals. We both have different linux users on the same server/workstation, and I would like to allow my partner to manage/restart/exec-into my container. We've worked in a similar way on docker before, and we would like to switch to podman, for the obvious strong points(especially security).

I've read https://www.redhat.com/sysadmin/rootless-podman-user-namespace-modes and https://www.redhat.com/sysadmin/supplemental-groups-podman-containers but still, the solution is not clear to me.

We don't want to share the same linux user, for security reasons.

The containerized app is written in C and relies on env vars as input. I want to allow my partner to restart the app, with different env values. When we ran it un-containerized(in the past), we had a 3rd user, and that was used exclusively to run this process/binary(with setuid) and to run kill with sudo, when we had to restart it.

The only idea I have is for both of us to configure podman to use the same, shared, storage directory. I don't know if that will work.

Have you ever faced such a problem? Does podman have a solution to share management privileges over a user's (rootless) container?

[rhatdan]

I would suggest that you share the storage owned by a third user, then map that user into each owers container.

Setup your /etc/subuild like

usera 0:100000:999
usera 99999:1000:1
usera 1000:101000:65000

userb 0:200000:999
userab 99999:1000:1
userb 1000:201000:65000

Now run the same rootless container in usera and userb with the --user=1000 and the content on disk owned by UID=99999

[paul-grozav]

But that would result in two different proceses, wouldn't it? I guess I forgot to mention that this C app is running as a TCP server, used by other teams, so I would keep this to one instance/process/container for both of us. Would that be possible?

[rhatdan]

Ok I think I am misunderstanding, you want to allow userA to create a containerized App and then userB to use it? Why isn't just using network protocols ok?

[paul-grozav]

Sorry, this is probably an easy requirement, but harded(if possible at all) to implement. So, maybe something is wrong with my approach/design.

You are almost right "want to allow userA to create a containerized App and then userB to manage it". I need userB to have the possibility to restart the container(with a different configuration).

The same problem can be transposed to executing a binary (./my.bin) with userA and then want to allow userB to kill/restart it with a different config - for this we've used the workaround described above. So, in a way, I understand that this might be a lower-level question, not really container-specific. But, I was able to achieve this with docker (because it relies on a daemon, and because we're managing it through that docker group and through the socket file) - and because docker allowed all users in the docker group to manage the same set of containers. That also contributed to docker's security flaws.

So, I want to replace docker with podman, to have a stronger security, but it seems that by doing so, it will also prevent our use case. Because podman is (by design) user-centric - podman containers are per-user(each user has it's own containers and other users can't manage containers belonging to other users) - unlike docker containers which were per-host(any user from that machine/host - that is part of the docker group - would be able to view/manage the same set of containers).

So, to emphasize this again, this is not a requirement to allow userB to "use" - establish a TCP connection to userA's container - that works perfectly. What I am after is allowing userB to run commands like: podman stop or podman rm or podman logs or podman run, or podman pull. The most frequent operation user A or B will have to do is restart the container with a different config, or, the 2nd most frequent is to upgrade the image of the container(start a(nother) container from a newer C code - precompiled and containerized). Basically me and my colleague (userA and userB) are a team, and we both maintain this service/container - but don't want to use a shared linux account.

I hope that sheds some light, and I hope that isn't too much to ask - I hope that's doable. Thank you so much, @rhatdan , for your attention, you've answered my questions in the past too, and I know you're important/busy person, I feel bad about raising this with you directly - using your valuable time.

[rhatdan]

podman can be used in client server mode, a user can setup a podman service that could be used by other uses on the system (theoretically).

podman --remote ...

It would work similarly to docker, with the same security issues. Although you might be able to setup this entire environment to run rootless mode, so only one users account would be vulnerable as opposed to running containers as root.