Cloudlinux 8 and rootless Podman

Collapse
X
Collapse
 
  • Page of 1
  • Time
  • Show
Clear All
new posts
Previous template Next
  • phjp
    Junior Member
    • Sep 2025
    • 4
    #1

    Cloudlinux 8 and rootless Podman

    Hi,

    We run CloudLinux 8.10 without control panel on pretty much all our hosting and it works great! However, I've been exploring running Podman as a non-root user on Cloudlinux and I'm running into undocumented errors that do not seem to happen on other OS, so I find myself at a loss.

    I'm trying to run Podman 4.9.4-rhel with runc 1.1.12 . I've created an user with cagefs disabled and set lve to unlimited. I am able to call podman and runc on the command line. However, when I try to start up a container, I get the following error:

    Error: OCI runtime error: runc: you have no read access to runc binary file
    runc create failed: unable to start container process: waiting for init preliminary setup: read init-p: connection reset by peer

    Afaik though, I DO have access to the runc binary from the user. While I've delved into strace log when booting the container, I haven't been able to find out what's exactly missing for runc to start properly. My best guess is that the error message is wrong and something else is blocking.

    So, I must ask, is rootless Podman compatible with CloudLinux? Or is there a security feature that fundamentally breaks rootless Podman?
    Tags: None
    • phjp
      Junior Member
      • Sep 2025
      • 4
      #2
      After further research, I've isolated a more telling error message : nsexec[15143]: could not ensure we are a cloned binary: Operation not permitted

      This seems to be related to runc's process of cloning itself into memory. Does Cloudlinux prevent the execution of binaries in memory?

        Comment

        • bogdan.sh
          Administrator
          • Nov 2016
          • 1252
          #3
          Hello,

          CloudLinux does not block the Podman/runc services itself, however, there is a big part of security parameters we adjust like ptrace block which could affect the services you are trying to run. Please try disabling it per https://docs.cloudlinux.com/cloudlin.../#ptrace-block .

            Comment

            • phjp
              Junior Member
              • Sep 2025
              • 4
              #4
              Hi,

              thank you for this information. I've checked and user_ptrace protection as well as kernel.yama.ptrace_scope are not enabled (kernel.user_ptrace and kernel.user_ptrace_self = 1, kernel.yama.ptrace_scope= 0 ). I realize this might not even be a cloudlinux issue in the end, but now I'm going to look further into kernel parameters if I find anything.

                Comment

                • viridio
                  Junior Member
                  • Sep 2025
                  • 2
                  #5
                  We are in the same boat, and built our own control panel for Cloudlinux instead of running cPanel or any other commercial panel. Since we are doing it this way, we dont have easy access to Redis securely. We are looking into running either Docker, Podman, or something else to get Redis working on a per user level that is secure. Did you get this figured issue figured out with podman?
                  As our plan is to use a container for each user running Redis and then push that socket from that container into the users virtual FS/cage. You can set docker to not use iptables and push a socket out of the container to the actual file system.

                  @bogdan.sh Is it possible to take a path like /tmp/redis/USERNAME/redis.sock and push it into the specifc user ? Maybe something in /etc/cagefs/cagefs.mp like /tmp/redis/%USERNAME/redis.sock

                  Although this script talks about running podman as the user, so would this some how work better: https://gist.github.com/juanje/de5dd...8b0d089e837e4a

                    Comment

                    • bogdan.sh
                      Administrator
                      • Nov 2016
                      • 1252
                      #6
                      viridio, phjp , Please explain the benefits of running Podman on CloudLinux. What are the hosting requirements, and what packages are you offering for your cstomers to meet those needs? CloudLinux is already a containerized technology that effectively splits resources between users.


                      The individual directories with Redis can be mounted per user using this article.

                        Comment

                        • phjp
                          Junior Member
                          • Sep 2025
                          • 4
                          #7
                          Originally posted by bogdan.sh
                          viridio, phjp , Please explain the benefits of running Podman on CloudLinux. What are the hosting requirements, and what packages are you offering for your cstomers to meet those needs? CloudLinux is already a containerized technology that effectively splits resources between users.
                          Docker offers ready made images that you can basically just deploy and run into a fairly secure environment. While Cloudlinux is great at isolating customers workload, it doesn't exactly do much in terms of easy software distribution and installation for anything that's more complicated than installing a package. My specific goal here is to run apache SOLR into its own user without having to do an install from root, but the ability to run any type of rootless container is a net plus no matter how you look at it.

                          Furthermore, running Docker images as user is something we get asked about by our customers quite often.

                            Comment

                            • viridio
                              Junior Member
                              • Sep 2025
                              • 2
                              #8
                              @bogdan.sh thanks for replying back. for us, The key is to use Redis in an easy way while making it secure per user. You have a KB article that kind of outlines how to use Redis using CageFS here but it still is insecure (it still uses shared storage for multiple websites) and we dont want to use redis ACL. cPanel uses containers to make Redis secure, but we dont use cPanel and neither does phjp as it appears. We need a way to offer it securely and running a Redis instance for each user pushing the socket for that instance into their cagefs file system would do this, and allow wordpress redis plugins to access it.

                              There are alternates it appears like what Kualo is doing here using KeyDB, and it appears it does not have any ACL either, so setting this up to be a redis compatible replacement that is secure on a per user level using CageFS would require the same thing as Redis, some way to run instances within the users account or getting that socket access to their specific instance outside their account. As KeyDB also uses a unix socket, so one for each user means that in the users file system it has to be unique and connecting to the correct instance for them, since there is no login/password.

                                Comment

                                Previous template Next
                                Working...

                                We process personal data about users of our site, through the use of cookies and other technologies, to deliver our services, personalize advertising, and to analyze site activity. We may share certain information about our users with our advertising and analytics partners. For additional details, refer to our Privacy Policy.

                                By clicking "I AGREE" below, you agree to our Privacy Policy and our personal data processing and cookie practices as described therein. You also acknowledge that this forum may be hosted outside your country and you consent to the collection, storage, and processing of your data in the country where this forum is hosted.

                                I Agree