OS Rocky Linux 9.5 (Blue Onyx)
podman-compose version 1.3.0
podman version 5.2.2
I managed to deploy Wazuh on a rootless podman setup with just a few small modifications. I would like to share it, also in the hope that these modifications will be incorporated, as they shouldn't introduce a breaking change. With further testing, this could lead to official rootless podman support.
System setup

```shell
# as root
vi /etc/sysctl.conf
# add the following line
# vm.max_map_count=262144
reboot
# check if updated
sysctl -a | grep vm.max_map_count
# install new packages
dnf upgrade
dnf install podman python3-pip netavark aardvark-dns
vi /usr/share/containers/containers.conf # set network_backend = "netavark"
# The systemd user instance is killed after the last session for the user is closed.
# The systemd user instance can be started at boot and kept running even after the
# user logs out by enabling lingering using
loginctl enable-linger myuser

# as regular user
pip3 install --user podman-compose
pip3 install --upgrade podman-compose pip
sudo mkdir -p /opt/wazuh
sudo chown -R myuser:mygroup /opt/wazuh
cd /opt/wazuh

# as root
restorecon -vv -F -r /
```
Unprivileged Ports

```shell
sudo su -
# if needed to bind to ports < 1024, will be reset after reboot!
echo 443 > /proc/sys/net/ipv4/ip_unprivileged_port_start
# if needed permanently
echo "net.ipv4.ip_unprivileged_port_start=443" >> /etc/sysctl.conf
ulimit -aH
ulimit -aS
vi /etc/security/limits.conf
# Exit and re-login from the terminal for the change to take effect.
```

/etc/security/limits.conf:

```
#<domain> <type> <item> <value>
...
myuser hard memlock -1
myuser hard nofile 655360
```
Firewall on VM

```shell
sudo su -
firewall-cmd --list-all
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --reload
firewall-cmd --list-all
```
Initial Deployment

```shell
podman-compose --in-pod=true up -d
```

Without file changes:

```
cp: cannot create regular file '/certificates/admin-key.pem': Permission denied
cp: cannot create regular file '/certificates/admin.pem': Permission denied
cp: cannot create regular file '/certificates/root-ca.key': Permission denied
cp: cannot create regular file '/certificates/root-ca.pem': Permission denied
...
```
Modifications

Add `:z` to the bind mounts in generate-indexer-certs.yml:

```yaml
...
volumes:
  - ./config/wazuh_indexer_ssl_certs/:/certificates/:z
  - ./config/certs.yml:/config/certs.yml:z
```

Also add `:z` to all bind mounts inside docker-compose.yml (for the nginx bind mounts use `:ro,z`).
Final Deployment

```shell
podman-compose --in-pod=true up -d
```

Everything should come up as usual.
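The `Permission denied` errors above are SELinux denials, not Unix permission problems: on an enforcing host such as Rocky Linux, a container process is confined to its own label and cannot write into a bind-mounted host directory until that directory carries a container-accessible label, which is what the `:z` option makes podman apply. The following script is an added example, not code from the issue author or the Wazuh project; it audits short-syntax `volumes:` entries for bind mounts that lack `z`/`Z` and shows the corrected entry, keeping existing options such as `ro` (so the nginx case becomes `ro,z`). The sample entries are constructed for the example, and named volumes are deliberately left alone because podman labels those itself.

```python
"""Audit compose bind mounts for the SELinux relabel option (:z / :Z).

Added example for the rootless podman + SELinux issue; not part of the Wazuh
project. Works on short-syntax entries "source:target[:opt1,opt2]".
"""

# A bind mount has a path-like source; anything else (e.g.
# "wazuh_api_configuration") is a named volume managed by podman, which gets a
# suitable label automatically and must not be touched.
BIND_PREFIXES = ("./", "../", "/", "~")
RELABEL_OPTS = {"z", "Z"}


def parse_volume(entry: str):
    """Split a short-syntax volume entry into (source, target, [options])."""
    parts = entry.split(":")
    if len(parts) == 2:
        return parts[0], parts[1], []
    if len(parts) == 3:
        return parts[0], parts[1], [o for o in parts[2].split(",") if o]
    raise ValueError(f"unsupported volume entry: {entry!r}")


def is_bind_mount(source: str) -> bool:
    return source.startswith(BIND_PREFIXES)


def needs_relabel(entry: str) -> bool:
    """True for a bind mount whose option list carries neither z nor Z."""
    source, _, opts = parse_volume(entry)
    return is_bind_mount(source) and not (RELABEL_OPTS & set(opts))


def add_relabel(entry: str, shared: bool = True) -> str:
    """Return the entry with z (shared label, several containers may use the
    directory) or Z (private label, one container only) appended. Existing
    options such as ro are preserved; entries that are not bind mounts or are
    already labelled come back unchanged."""
    if not needs_relabel(entry):
        return entry
    source, target, opts = parse_volume(entry)
    opts.append("z" if shared else "Z")
    return f"{source}:{target}:{','.join(opts)}"


def audit(entries):
    """Return (original, fixed) pairs for every entry that needs the label."""
    return [(e, add_relabel(e)) for e in entries if needs_relabel(e)]


# Constructed sample: the two cert-generator mounts from the issue, an nginx
# read-only mount, an already-labelled mount, and a named volume.
SAMPLE_VOLUMES = [
    "./config/wazuh_indexer_ssl_certs/:/certificates/",
    "./config/certs.yml:/config/certs.yml",
    "./config/nginx/nginx.conf:/etc/nginx/nginx.conf:ro",
    "./config/wazuh_indexer_ssl_certs/root-ca.pem:/etc/ssl/root-ca.pem:Z",
    "wazuh_api_configuration:/var/ossec/api/configuration",
]

if __name__ == "__main__":
    for original, fixed in audit(SAMPLE_VOLUMES):
        print(f"{original}\n  -> {fixed}")
```

Two points worth keeping in mind when applying the output: `z` relabels the host directory recursively, so only use it on directories dedicated to the deployment (such as `/opt/wazuh` here), never on shared system paths like `/etc`, where the changed label would break other services; and `z` rather than `Z` is the right choice for the certificate directory, since more than one container reads it.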
FarshanAhamed