Here's why podman is more secured than Docker - DevSecOps

Here's why podman is more secured than Docker - DevSecOps

We all know that Docker is one of the popular tool for containerizing an application in devops world.

but, In this article we will see about podman and why it is more secured way to run container.

Podman is a daemonless container engine for developing,managing and running container in linux system.

Audit Logging

Linux system stores the user account information in a file called /etc/shadow. it is a common security file to watch in a linux systems.

Linux kernel allows administrators to watch for the processes that modifies the file and keep a record of it in audit.log.

administrators wants to know if any process modifies the file from the log.

1auditctl -w /etc/shadow

this command will add the /etc/shadow file to the audit system.

let's modify the /etc/shadow file and see what happens

1touch /etc/shadow
1ausearch -f /etc/shadow -i -ts recent

Screenshot 2019 10 09 at 12 08 35 AM

audit record will show lots of information about the process and owner of the process audit UID(auid) who modified the /etc/shadow file

Login UID in linux kernel

there is a file called loginuid stored in /proc/self/loginuid. this file is a part of proc structure in linux. this file can be set only once.

after it is set, the kernel will not allow any process to reset it.

When I log into the system, the login program sets the loginuid field for my login process.

Screenshot 2019 10 09 at 12 32 48 AM

My UID was 1000.

Even if i change to root, my loginUID will be the same. 1000

Important thing to note here is that every process that fork and execute from the initial process will have the same loginuid.that is how kernel knew about the user information.

How it works in containers

let's try to run the same process in podman and docker containers

Screenshot 2019 10 09 at 1 14 48 AM

Now, we will check it with docker

Screenshot 2019 10 09 at 1 20 31 AM

Hmm, Interesting... why is the loginuid is different for docker and same for podman.

The Reason

So, if you remember carefully. i said some important keyword called fork and execute. let's discuss about it here .

podman uses a fork/exec model for the container, So the container process is the child of podman process. whereas, docker uses a client/server model.

docker cs

docker uses a cli which communicates with docker daemon via a client/server operation.

Then the docker daemon creates a container and handles communications of stdin/stdout back to the docker client tools.

So the default loginuid of podman container still the same(1000) whereas, docker default loginid of processes(before their loginuid is set) is 4294967295.

Since the container is an child of the docker daemon and docker daemon is the child of init system.

What could go wrong?

Let's see what happens if a container process created by docker modifies the /etc/shadow file.

Screenshot 2019 10 09 at 1 20 31 AM 1

Screenshot 2019 10 09 at 1 20 38 AM

you can see the uid as unset in the case of docker. this means the administrator will know that the /etc/shadow is modified . but, admin will never know who modified that file.

if that hacker removes the docker container, then there would be no trace on the system of who modified the /etc/shadow file.

Now, Let's look at the exact same scenario for Podman.

1sudo podman run --privileged -v /:/host fedora touch /host/etc/shadow
1sudo ausearch -f /etc/shadow -i

Screenshot 2019 10 09 at 12 08 35 AM 1

Podman records the process which modifies the file correctly since it uses traditional fork/exec model.

Here's why podman is more secured than Docker - DevSecOps. Using Podman for launching containers allows you to maintain better security though audit logging.

The auditing system is very powerful for watching what processes do on a system.

Reference : https://opensource.com/article/18/10/podman-more-secure-way-run-containers

To Read More

I Accidentally wiped the entire dat...

One of the tragic accident in my job turned out to be good learning for me in re...

List of Docker Container Commands y...

This article covers list of commands that you should know to manage docker conta...

Everything you need to know about d...

Docker volume is a persistent data storage mechanism to store the data in docker...