by eriksjolund 1401 days ago
I like this Podman feature:

Socket activation of containers

Advantages:

- Faster network. Rootless Podman will run with native network speed. Normally rootless Podman runs with reduced network speed due to the performance penalty that comes from using slirp4netns.

- Improved security as you can disable the ability to establish outgoing connections with --network=none. The container can still communicate over the socket-activated socket with a client that has connected via the internet.

I contributed a Podman socket activation tutorial: https://github.com/containers/podman/blob/main/docs/tutorial...

and I wrote two blogs about the security advantages

https://www.redhat.com/sysadmin/socket-activation-podman

https://www.redhat.com/sysadmin/podman-systemd-limit-access

Docker does not support socket activation of containers. (Docker only supports socket activation of the Docker daemon)

Edit: A clarification about the network speed. The improved speed is about the communication that passes over the socket-activated socket. This communication does not pass through slirp4netns so it has the same performance characteristics as the normal network on the host.

5 comments

> - Faster network. Rootless Podman will run with native network speed. Normally rootless Podman runs with reduced network speed due to the performance penalty that comes from using slirp4netns.

Did they fix the IP propagation issue with Rootless networking? It makes it largely useless when the Proxy is also a container.

On Docker you can force it to use Slirp, but it's slow and doesn't support IPv6.

You could detect the source IP address by using the command-line option:

`--net=slirp4netns:port_handler=slirp4netns`

See https://github.com/containers/podman/discussions/10472#discu...

Shouldn't it also be possible to detect the source IP address if you use socket activation? (I haven't tried it out, though).

But that's using Slirp, which has its own problems.

Ok, I understand your concern about Slirp.

Regarding the other idea: I've now tested it and verified that it works. The remote address is available when running a socket-activated container with rootless Podman.
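The container side of this, as an added example (not code from the post or from the Podman tutorial): a minimal Python server that follows systemd's LISTEN_FDS/LISTEN_PID convention, which Podman forwards to the container's main process, and returns the peer address of each client. The function names and the `env`/`first_fd` parameters are my own, added so the protocol handling can be exercised without systemd.

```python
import os
import socket

# systemd's socket-activation convention: inherited listening sockets start
# at fd 3, LISTEN_FDS says how many there are, and LISTEN_PID names the
# process they were meant for.
SD_LISTEN_FDS_START = 3


def inherited_sockets(env=None, first_fd=SD_LISTEN_FDS_START):
    """Return the listening sockets handed in by systemd (via Podman), or []."""
    env = os.environ if env is None else env
    # Refuse sockets addressed to another pid: stale LISTEN_* values left in
    # the environment must not be treated as a socket meant for us.
    if env.get("LISTEN_PID") != str(os.getpid()):
        return []
    try:
        count = int(env.get("LISTEN_FDS", "0"))
    except ValueError:
        return []
    socks = []
    for fd in range(first_fd, first_fd + count):
        os.set_inheritable(fd, False)  # do not leak the socket to child processes
        socks.append(socket.socket(fileno=fd))  # family/type are read from the fd
    return socks


def serve_one(listener):
    """Accept one client, echo its first message back, and return its address.

    The address is the client's real address: the socket was created on the
    host by systemd, so the connection never passes through slirp4netns.
    """
    conn, peer = listener.accept()
    with conn:
        data = conn.recv(4096)
        conn.sendall(data)
    return peer


if __name__ == "__main__":
    listeners = inherited_sockets()
    if not listeners:
        raise SystemExit("not socket-activated: start this from a systemd .socket unit")
    # With --network=none the container cannot open outgoing connections,
    # but it can still serve clients that arrive on the inherited socket.
    while True:
        print("connection from", serve_one(listeners[0]))
```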

Docker can’t really support Socket Activation for containers because it is built around the docker daemon that fulfills similar tasks as systemd. They could only copy the concept to dockerd.

Yeah, Docker the company is funky.

Docker the software is also funky.

That's neat and quite a unixy solution but still fairly limiting. Are there any plans for a hybrid solution where most of podman runs as non-root via userns but invokes a suid helper to setup the network?

Not exactly what you are asking for but there is a Systemd feature request to add Connect= setting to service unit files. https://github.com/systemd/systemd/issues/23067#issuecomment... (That could be a cool feature)

Also interesting would be to fix the security considerations of using bypass4netns:

"However, it is probably possible to connect to host loopback IPs by exploiting TOCTOU of struct sockaddr * pointers."

There seems to be an implementation idea for how the problem could be fixed:

https://github.com/rootless-containers/bypass4netns/issues/2...

Podman 4 supports netavark which to my understanding should solve a lot of the networking issues with slirp4netns

Not for rootless containers unless there’s a development I’m unaware of.

Yeah it works for rootless now too or at least that is my understanding.

Does this work in systemd-less distros like the most common WSL2 ones? I tried to fake Podman to use in a devcontainer but it complained of a missing `/var/run/docker.sock`.