Scanning containers rootlessly
I advocate for podman at work often; however, there is hesitancy from some to switch, even though the company will soon stop providing licenses and they will have to.
One of the many sources of apprehension is images that assume they are being run in a rootful Docker environment and use /var/run/docker.sock.
When they see the error message that docker.sock was not found, they reasonably assume that they need Docker in order to run the image.
I became interested in this and opted to test with Trivy, as I had recently discovered its ability to scan both container images and IaC configurations. It reports this very same error, and I became determined to overcome the limitation.
The architectural differences between Podman and Docker
On a fairly modern Linux distribution your podman likely won't even be using the socket, because it is daemonless. Instead of opening a remote socket, it speaks directly to systemd.
You can enable a socket for Docker compatibility, however. Enable it as your own user (the --user flag is what places the socket under /run/user/$UID rather than the system-wide /run/podman/podman.sock):
systemctl --user enable --now podman.socket
This will expose a Docker-compatible socket at /run/user/$UID/podman/podman.sock.
If you have issues, check podman info, which reports the location of the socket and whether it's enabled.
macOS and Windows
Containers themselves are not a virtualization technology; rather, they are Linux process managers working with PID namespaces. macOS and Windows will never be able to natively run containers and instead run them within the podman machine.
If you are using podman machine on macOS or Windows, this socket will likely be enabled for you already.
Finally, we can scan any image we've pulled using the following:
podman run --rm --security-opt label=disable \
-v /var/run/user/$UID/podman/podman.sock:/var/run/docker.sock \
-v trivy_cache:/root/.cache aquasec/trivy image docker.io/hello-world
What does each of these options do?
-v /var/run/user/$UID/podman/podman.sock:/var/run/docker.sock
This volume-mounts the compatibility socket at the same location where Docker keeps its default socket.
--security-opt label=disable
If your distro uses SELinux, this stops it from blocking the container's access to /var/run/user/$UID/podman/podman.sock. SELinux blocks that access by default, and that default is a good one, because access to this socket from within a compromised container is a security problem. Note that the value is label=disable (as in the command above), not label=disabled.
-v trivy_cache:/root/.cache
This is specific to the Trivy image itself, as it stores a cache of its database in /root/.cache.
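The procedure above, wrapped as a small script (an added example, not from the original post): it resolves the socket path from podman info instead of hard-coding /run/user/$UID, refuses to run when the socket is missing, and then invokes Trivy exactly as in the command above. It assumes that the podman info Go template exposes .Host.RemoteSocket.Path (podman 4.x) and that the aquasec/trivy image is reachable.

```shell
#!/bin/sh
# Added example, not the original post's code. Assumes podman 4.x, whose
# `podman info` template exposes .Host.RemoteSocket.Path.

# Path podman itself reports for its API socket (works under podman machine too,
# since the bind mount below is evaluated inside the VM where the socket lives).
podman_socket() {
    podman info --format '{{.Host.RemoteSocket.Path}}'
}

# Bind-mount spec that places the podman socket where Docker clients expect it.
docker_sock_mount() {
    printf '%s:/var/run/docker.sock' "$1"
}

# Succeed only if "$1" exists and is a Unix socket; otherwise explain the fix.
check_socket() {
    if [ -S "$1" ]; then
        return 0
    fi
    echo "no socket at '$1'; enable it with: systemctl --user enable --now podman.socket" >&2
    return 1
}

# Scan IMAGE (default docker.io/hello-world) through the compatibility socket.
# label=disable lifts SELinux confinement for this one container, and the
# socket grants control over podman, so keep this mount limited to the scanner.
run_scan() {
    image="${1:-docker.io/hello-world}"
    sock="$(podman_socket)" || return 1
    check_socket "$sock" || return 1
    podman run --rm --security-opt label=disable \
        -v "$(docker_sock_mount "$sock")" \
        -v trivy_cache:/root/.cache \
        aquasec/trivy image "$image"
}

# Scan only when an image argument is given, e.g. `./scan.sh alpine:3.19`;
# with no argument the functions are merely defined (safe to source).
case "${1:-}" in
    "") ;;
    *) run_scan "$1" ;;
esac
```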
Just like that, you worked around an image that assumes it's running on Docker, and we learned a lot about the architecture of different container runtimes. 🐋