One of the cool things about separating the container runtimes into different tools is that you can start to combine them to help secure one another. An article by Daniel Walsh.
Until recently, most people were leaking the Docker socket into the container and then allowing the containers to run docker build. Giving people root access on the system, or sudo without requiring a password, is more secure than allowing access to the Docker socket.
Red Hat has built an example of what they think is the best way to run Buildah inside of a container and has made these container images public at quay.io/buildah.
The article is split into:
- Buildah setup
- Running Buildah inside a container
- Additional stores
Running Buildah within a container in Kubernetes/CRI-O or Podman, or even Docker, is easy to do, and it can be done much more securely than leaking in the Docker socket. The author has added a lot of flexibility to the image to allow you to run it in different ways depending on your security and performance needs. Nice read!
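As an added illustration of the page's point (not code from Walsh's article or from the Buildah project), here is a small Python check that walks a Kubernetes Pod manifest and reports every container that mounts the host's Docker socket, next to a constructed manifest of the alternative the page describes: the quay.io/buildah/stable image keeping its own container storage on an emptyDir volume instead of touching the host daemon. Both manifests are constructed samples; the container, volume and path names are assumptions, as is the choice of the `stable` tag from quay.io/buildah.

```python
"""Audit Kubernetes Pod manifests for a leaked Docker socket.

Mounting /var/run/docker.sock into a container hands the container full control
of the host's Docker daemon, which is equivalent to root on the node. This check
flags such mounts so a CI or admission pipeline can reject them.
"""
import json

# Common locations of the Docker daemon socket on a host (symlinked variants
# are normalised by stripping the trailing slash only; this is an assumption).
DOCKER_SOCKET_PATHS = {"/var/run/docker.sock", "/run/docker.sock"}


def find_socket_leaks(pod):
    """Return (container, volume, host_path) for every container in the Pod
    (including initContainers) that mounts a hostPath volume pointing at the
    Docker socket. An empty list means the manifest is clean."""
    spec = pod.get("spec", {})

    # First pass: which named volumes expose the socket?
    socket_volumes = {}
    for vol in spec.get("volumes", []):
        host_path = vol.get("hostPath", {}).get("path")
        if host_path and host_path.rstrip("/") in DOCKER_SOCKET_PATHS:
            socket_volumes[vol["name"]] = host_path

    # Second pass: which containers actually mount one of those volumes?
    leaks = []
    for container in spec.get("containers", []) + spec.get("initContainers", []):
        for mount in container.get("volumeMounts", []):
            if mount["name"] in socket_volumes:
                leaks.append((container["name"], mount["name"],
                              socket_volumes[mount["name"]]))
    return leaks


def audit_manifest_json(text):
    """Parse a JSON-encoded Pod manifest and return the leak list."""
    return find_socket_leaks(json.loads(text))


# Constructed sample: the pattern the page warns about, a CI build container
# driving the host's Docker daemon through its socket.
LEAKY_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "ci-build-leaky"},
    "spec": {
        "containers": [{
            "name": "build",
            "image": "docker:cli",                       # assumed image
            "command": ["docker", "build", "-t", "app", "."],
            "volumeMounts": [{"name": "dockersock",
                              "mountPath": "/var/run/docker.sock"}],
        }],
        "volumes": [{"name": "dockersock",
                     "hostPath": {"path": "/var/run/docker.sock"}}],
    },
}

# Constructed sample: Buildah running inside the container with its own
# storage on an emptyDir volume, so nothing from the host daemon is exposed.
BUILDAH_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "ci-build-buildah"},
    "spec": {
        "containers": [{
            "name": "build",
            "image": "quay.io/buildah/stable",          # assumed tag
            "command": ["buildah", "bud", "-t", "app", "."],
            "volumeMounts": [{"name": "container-storage",
                              "mountPath": "/var/lib/containers"}],
        }],
        "volumes": [{"name": "container-storage", "emptyDir": {}}],
    },
}


if __name__ == "__main__":
    for pod in (LEAKY_POD, BUILDAH_POD):
        name = pod["metadata"]["name"]
        leaks = find_socket_leaks(pod)
        if leaks:
            for container, volume, path in leaks:
                print(f"{name}: container '{container}' mounts host {path} "
                      f"via volume '{volume}' (Docker socket leak)")
        else:
            print(f"{name}: no Docker socket mounted")
```

Running the script reports the leak in `ci-build-leaky` and nothing for `ci-build-buildah`; the same function can be pointed at `kubectl get pod -o json` output to audit a live cluster.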