maria-discuss team mailing list archive

Re: demo: running MariaDB with rootless Podman and socket activation


On Mon, Feb 14, 2022 at 6:37 PM Erik Sjölund <erik.sjolund@xxxxxxxxx> wrote:
>
> Hi Daniel,
> Thanks for the feedback.
>
> On Thu, Feb 10, 2022 at 4:40 AM Daniel Black <daniel@xxxxxxxxxxx> wrote:
> > There are some really powerful concepts with unix_socket auth across
> > into the container if you get the uid mapping, try to map the local %u
> > (uid - %U) to the mysql(999) user (or another user and start the
> > container with --user).
> > You'll probably need to add a user to the container. With that you'll
> > have a unix socket auth based mechanism in the container directly.
> > Also the current container entrypoint avoids creating unix socket auth
> > users (until very recently in a limited way
> > https://github.com/MariaDB/mariadb-docker/pull/409). Maybe it's too
> > fiddly however to get right.


Nice!

> I've recently submitted a PR
> https://github.com/containers/podman/pull/13084/files
> to the Podman project that adds two troubleshooting
> tips regarding UID/GID mapping.
> They describe how to run the container with a non-root user
> inside the container but mapped to the regular UID/GID on the host.

Nice read. Thanks. The implied-user-but-defaulting-to-root nature of
the mariadb container with gosu took a bit to get used to. Some sane
mapping rules help, thanks.

> As the PR has not yet been approved,

Now approved, I see.

> I had an idea regarding "unix_socket authentication":
> Permissions could be granted to specific Unix sockets by
> using FileDescriptorName

Interesting. The "extra" is used as an FDName for extra sockets, but it's
a generally unexplored space.

> If the permissions are given to a specific Unix socket, a sysadmin could
> create multiple Unix sockets with different levels of permissions. There
> would be no need to rely on
>
> "calling the getsockopt system call with the SO_PEERCRED socket option,
> which allows it to retrieve the uid of the process that is connected
> to the socket."
> quote from
> https://mariadb.com/kb/en/authentication-plugin-unix-socket/#is-it-secure

If you've got a good general use case, write a https://jira.mariadb.org task.

> A sysadmin could instead protect the Unix socket from unauthorized access
> by using normal file and directory permissions.

MySQL's implementation also extends by using the "AS ..." syntax to
extend coverage to one other user.
https://dev.mysql.com/doc/refman/8.0/en/socket-pluggable-authentication.html#socket-pluggable-authentication-usage

> > If conmon acts as a true passthrough maybe the same option is needed. I
> > guess try with some invalid configuration.

Seems there are some conmon aspects I need to understand more.
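The two mechanisms contrasted in this thread, the unix_socket plugin's SO_PEERCRED lookup and plain file permissions on the socket path, can be shown side by side in a small listener. The following is an added example, not code from the mailing list, from MariaDB, or from Podman: it binds an AF_UNIX socket in a temporary directory, restricts the socket file to owner and group (the "normal file and directory permissions" approach), and then, on each accepted connection, calls getsockopt(SO_PEERCRED) and maps the peer uid to a user name exactly as the plugin's documentation describes. The allowed-user set, the socket file name and the fallback to a numeric name when the uid has no passwd entry are assumptions of this example. It needs Linux, since SO_PEERCRED is Linux-specific.

```python
import os
import pwd
import socket
import struct
import tempfile
import threading

# struct ucred on Linux is three native ints: pid_t pid, uid_t uid, gid_t gid.
_UCRED_FMT = "3i"


def _user_name(uid):
    """Map a uid to a login name; fall back to the numeric uid (assumption of this example)."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def current_user_name():
    """Name of the user running this process, using the same mapping as the server side."""
    return _user_name(os.getuid())


def peer_credentials(conn):
    """Return (pid, uid, gid) of the process on the other end of a connected AF_UNIX socket.
    This is the getsockopt(SO_PEERCRED) call the unix_socket plugin relies on."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize(_UCRED_FMT))
    return struct.unpack(_UCRED_FMT, raw)


def authenticate_peer(conn, allowed_users):
    """Decide whether the connected peer's OS user is in the allowed set.
    Returns (ok, user_name)."""
    _pid, uid, _gid = peer_credentials(conn)
    name = _user_name(uid)
    return (name in allowed_users, name)


def run_demo(allowed_users, socket_mode=0o660):
    """Serve one connection on a permission-restricted Unix socket and authenticate the peer.
    Returns (ok, peer_user_name, reply_bytes)."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "mysqld.sock")  # constructed socket name
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
        # First layer: the socket file itself is only reachable by owner/group.
        os.chmod(path, socket_mode)
        srv.listen(1)
        result = {}

        def serve():
            conn, _ = srv.accept()
            with conn:
                # Second layer: credential check on the accepted connection.
                ok, name = authenticate_peer(conn, allowed_users)
                conn.sendall(b"OK\n" if ok else b"DENIED\n")
                result["ok"], result["name"] = ok, name

        worker = threading.Thread(target=serve)
        worker.start()
        cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        cli.connect(path)
        reply = cli.recv(16)
        cli.close()
        worker.join()
        srv.close()
        return result["ok"], result["name"], reply


if __name__ == "__main__":
    me = current_user_name()
    print("allowed:", run_demo({me}))
    print("not allowed:", run_demo({"someone-else"}))
```

The socket mode alone only decides who can connect; SO_PEERCRED is what lets the server tell connecting users apart on a socket several of them can reach. Giving each privilege level its own socket path with its own mode, as the thread proposes, removes the need for the second check only if every socket is reachable by exactly one user, so a deployment that does both loses nothing.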