VSHN.timer #17: Rootless Containers

4. Nov 2019

Welcome to another VSHN.timer! Every Monday, 5 links related to Kubernetes, OpenShift, CI / CD, and DevOps; all stuff coming out of our own chat system, making us think, laugh, or simply work better.

In this edition we are going to talk about building containers without falling in the root trap! This subject has been suggested by VSHNeer João Pinto, based on his research on the topic.

1. Let’s talk about the elephant in the room: the official Docker daemon currently requires root privileges. This causes a myriad of issues that block DevOps teams from reaching full potential and speed, including (but not limited to) the already complicated configuration of CI/CD pipelines. How can we solve this problem? It turns out that there is no need to run the container building process as sudo. We should be able to build containers without higher security privileges. Rootless Containers (home of the Usernetes project) has been tracking solutions to this problem since 2017, and contains a great recent presentation about the subject, embedded below for reference.


2. Since the Rootless Containers website started, Bazel, Kaniko, BuildKit, Buildah and Podman appeared in the scene. Daniel J. Walsh from Red Hat wrote a great introduction to Buildah and another for Podman. As explained in the Buildah Github repository, both Podman and Buildah have different, yet complementary, functions:


Buildah’s commands replicate all of the commands that are found in a Dockerfile. This allows building images with and without Dockerfiles while not requiring any root privileges. (…)
Podman specializes in all of the commands and functions that help you to maintain and modify OCI images (…) For building container images via Dockerfiles, Podman uses Buildah’s golang API and can be installed independently from Buildah.

3. One of the nice features of Podman is that it can be integrated with Ansible, thanks to ansible-bender. This article by Tomas Tomecek from Red Hat shows exactly how, but beware: some operations actually require root access. We’re not totally over our addiction to sudo, it seems.


4. But maybe we need to develop a new kind of container technology? This is what Nabla containers is all about: “a new approach to container isolation.” Nabla containers only allow seven specific systems calls to the Linux host kernel (read, write, exit_group, clock_gettime, ppoll, pwrite64, and pread64) while actively blocking all others, reducing the attack surface of compromised containers. For all other system calls, Nabla containers use “unikernel” techniques, in this case specifically the Solo5 environment. Incredible research!


5. The tool of the week is makisu, a “fast and flexible Docker image build tool designed for unprivileged containerized environments such as Mesos or Kubernetes.” Dockerfile-compatible and still under heavy development, the current version at the time of this writing is 0.1.12. This project is dragging lots of interest from the cloud-native app industry and we’re watching it closely.


Are you building your containers with any of these tools? Or are you still using good old docker build? Do you know of any other similar tools you would like to share with the community? Get in touch with us through the form at the bottom of this page, and see you next week for another edition of VSHN.timer.

Adrian Kosmaczewski

Adrian Kosmaczewski is in charge of Developer Relations at VSHN. He is a software developer since 1996, a trainer, and a published author. Adrian holds a Master in Information Technology from the University of Liverpool.

Contact us

Our team of experts is available for you. In case of emergency also 24/7.

Contact us