I’m trying to get rootless podman to run AdGuard Home on Debian 12. I run the docker-compose.yml file via podman-compose up -d.
I get errors that I cannot google successfully, sadly. I do occasionally see shards of people saying things like “I have adguard running with rootless podman” but never any guides. So tantalizing.
I have applied this change so rootless can yoink port 53:
sudo nano /etc/sysctl.conf
net.ipv4.ip_unprivileged_port_start=53 # at end, required for rootless podman to be able to do 53
(Do I even need that change with a macvlan?)
The sticking point seems to be the macvlan. I want a macvlan so I can host a PiHole as a redundant fallback on the same server. I error with:
Error: netavark: Netlink error: No such device (os error 19)
and that error really gets me nowhere searching for it. I am very sure the ethernet connection is named enp0s10 and spelled right in the docker-compose file, cause I copied and pasted it in.
I tried forcing the backend to “CNI” but probably did it wrong; it complained about:
WARN[0000] Failed to load cached network config: network dockervlan not found in CNI cache, falling back to loading network dockervlan from disk
WARN[0000] 1 error occurred:
* plugin type="macvlan" failed (delete): cni plugin macvlan failed: Link not found
(I also made a /etc/cni/net.d/90-dockervlan.conflist file for cni but it didn’t seem to see it and I couldn’t muster how to get it to see it)
Both still occur if I pre-make the dockervlan with:
podman network create -d macvlan -o parent=enp0s10 --subnet 10.69.69.0/24 --gateway 10.69.69.1 --ip-range 10.69.69.69/32 dockervlan
And adjust the compose file’s networks: call to:
networks:
  dockervlan:
    external: true
    name: dockervlan
Has anyone succeeded at this or done something similar?
docker-compose.yml:
version: '3.9'
# --- NETWORKS ---
networks:
  dockervlan:
    name: dockervlan
    driver: macvlan
    driver_opts:
      parent: enp0s10
    ipam:
      config:
        # compose ipam entries are one mapping with subnet / ip_range / gateway;
        # the CNI-style type/dst/rangeStart/rangeEnd keys are not compose keys
        # (was rangeStart "10.69.69.69/32" .. rangeEnd "10.69.69.79/32")
        - subnet: "10.69.69.0/24"
          ip_range: "10.69.69.69/32" # This range should include the ipv4_address: in services:
          gateway: "10.69.69.1"
# --- SERVICES ---
services:
  adguardhome:
    container_name: adguardhome
    image: docker.io/adguard/adguardhome
    hostname: adguardhome
    restart: unless-stopped
    networks:
      dockervlan:
        ipv4_address: 10.69.69.69 # IP address inside the defined dockervlan range
    volumes:
      - '/home/${USER}/server/configs/adguardhome/work:/opt/adguardhome/work'
      - '/home/${USER}/server/configs/adguardhome/conf:/opt/adguardhome/conf'
      #- '/home/${USER}/server/certs/example.com:/certs' # optional: if you have your own SSL certs
    ports:
      - '53:53/tcp'
      - '53:53/udp'
      - '80:80/tcp'
      - '443:443/tcp'
      - '443:443/udp'
      - '3000:3000/tcp'
podman 4.3.1
podman-compose 1.0.6
Getting a newer podman-compose is pretty easy peasy, idk about newer podman if that’s needed to fix this.
You can get similar security in rootful mode by making sure that, within the container, the adguard binary is not running as root.
I see, I’ll check that out and also check out how to ascertain that lol
Does that “similar security” still count if the image is hacked? Since the capability for “real” root is there.
In both cases of rootless and rootful-with-non-root process your process is running as a non-root user with respect to the host.
To break out of the container will require two steps. First, adguard itself must be exploited. A second exploit is then required to elevate privileges from the adguard user to root.
If your attacker successfully gets that far, then having a rootless container would matter, because in a rootful container, root in the container equals root on the host. In a rootless container, “root” only gives you the abilities of the user running the rootless container.
But as you’ve found, rootless containers can be a pain.
Making sure your container is running as non-root user in a rootful container is better than giving up.
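As an added example (not code from the thread or from AdGuard/podman), here is a small POSIX shell script for checking the property the reply above describes: whether any process in the container is root as seen from the host. It relies on `podman top` and its real descriptors user, huser, pid and comm (huser is the host-side user of the same process); the container name adguardhome comes from the compose file above, and the three sample tables are constructed so the check can run on a machine without podman.

```shell
#!/bin/sh
# Added example, not code from the thread. Reads the table produced by
#   podman top adguardhome user huser pid comm
# and reports whether any process is root on the host (HUSER column) or
# root inside the container (USER column). The descriptor names are real
# podman top descriptors; the sample tables below are constructed.
#
# Real usage on a host running the container:
#   check_no_host_root "$(podman top adguardhome user huser pid comm)"

# Print the number of processes whose host-side user (column 2) is root.
host_root_count() {
    printf '%s\n' "$1" | awk 'NR > 1 && $2 == "root" { n++ } END { print n + 0 }'
}

# Print the number of processes that are root inside the container
# (column 1), whatever that user maps to on the host.
container_root_count() {
    printf '%s\n' "$1" | awk 'NR > 1 && $1 == "root" { n++ } END { print n + 0 }'
}

# Exit 0 only if no process in the container is root on the host.
# Rootful container: in-container root is host root, so the service must be
# started as another user (compose: user: "1000:1000").
# Rootless container: even in-container root maps to the unprivileged user
# who ran podman, so HUSER is never root.
check_no_host_root() {
    [ "$(host_root_count "$1")" -eq 0 ]
}

# Constructed sample 1: rootful container, image started as root.
SAMPLE_ROOTFUL_ROOT='USER        HUSER       PID         COMMAND
root        root        1           /opt/adguardhome/AdGuardHome'

# Constructed sample 2: rootful container started with user: "1000:1000".
SAMPLE_ROOTFUL_NONROOT='USER        HUSER       PID         COMMAND
1000        1000        1           /opt/adguardhome/AdGuardHome'

# Constructed sample 3: rootless container; root inside maps to the host user.
SAMPLE_ROOTLESS='USER        HUSER       PID         COMMAND
root        someuser    1           /opt/adguardhome/AdGuardHome'

main() {
    for name in SAMPLE_ROOTFUL_ROOT SAMPLE_ROOTFUL_NONROOT SAMPLE_ROOTLESS; do
        eval "table=\$$name"
        if check_no_host_root "$table"; then
            printf '%-22s OK: no process is root on the host (%s root inside)\n' \
                "$name" "$(container_root_count "$table")"
        else
            printf '%-22s RISK: %s process(es) run as host root\n' \
                "$name" "$(host_root_count "$table")"
        fi
    done
}

main
```

The point of splitting USER from HUSER is that they answer different questions: USER tells you whether an exploit of adguard lands as container root, HUSER tells you whether that root is also host root, which is exactly the difference between the rootful and rootless cases discussed in the reply.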
Thank you for the in-depth explanation!! I’ll keep this in mind as I try to club my way through podman!