CoreOS Hardening

fedhex · October 20, 2022, 3:08am

I have not seen specific hardening advice, focusing on Fedora CoreOS. Is Fedora CoreOS already hardened enough by default ? (there is a lonely note recommending to mask the docker.service so it is not accidentally socket-activated, but other than that …)

There are plenty of hardening guides for Linux servers, of varying degrees of detail and obsolescence.

Some of the recommendations are very old and quite general, applying to any kind of software. Pretty much any guide will tell you to regularly apply security updates (at this point in time this should be simply put in the in the “duh!” category). Then it’s another classic: reduce the attack surface by keeping only the essential services and components running/installed.

CoreOS already covers these two as part of its design, and there is much more, locked accounts with no passwords, with a focus on key-based ssh access and so on.

On top of that comes the discussion about containers. Again, many guides never fail to mention that people should not be lulled into a sense of false security just because they run things in containers and not directly on the host system. At that point in the discussion usually there is a natural segue into the often given advice to use “rootless” containers – so to try to run containers as non-root – moment when maybe podman gets talked about.

To stir the pot, add some performance considerations into the mix and you get the ingredients of a spirited debate that can go on for a very long time, without much end in sight.

Yes, it is a big and complex subject and there are no silver bullets. There should be no expectations that it can be fully and decidedly solved.

So without going into too much detail, any particular advice applying to CoreOS hardening, with a focus on standalone usage ?

Thanks.

mattdm · October 20, 2022, 9:29am

This is a complicated topic. As the joke goes… the strongest way to harden a system — Fedora CoreOS or otherwise — is to put it in a lead box, lock the lead box, throw away the key, drop the lead box into the bottom of the ocean, and then hurl the entire Earth into the sun. Everything short of that is compromise in some way or another.

In other words, it’s not really that it’s a problem that can’t be fully solved, but that it’s a problem that doesn’t have any single solution. It’s best to think about threats and risks. Where are you running the system? What is it doing? Where are the exposure points? Who needs to have access? What kind of access? What things must not be accessed, and by whom? If that fails, what are the consequences?

We do have a lot of security features in play — many of them advantages that other operating systems don’t have. In addition to rootless containers, the default SELinux policy offers another layer of protection.

jakfrost · October 20, 2022, 1:47pm

Hello @fedhex ,
Are you talking about using FCOS as a desktop single user system? If that is the case, I would strongly recommend using Silverblue or Kinoite as the base starting point as they too employ the security features @mattdm has mentioned in his response, but they are geared to the single system/single user ootb, whereas FCOS is more hands on at the installation phase and a fairly steep learning curve for the average user. It is (FCOS) meant as a server of containerized workloads, I think. As well, they (Silverblue and Kinoite) are created via a declarative set of files, they just don’t use the same build tools as FCOS at this time. Daemonless container management is generally more secure than using the traditional method with a daemon such as Docker, which can now too run containers without a daemon. The real security rub with containers would come down to what you chose to expose to it of the host system, and how. Podman switched from runc to crun, which is more secure I think.

fedhex · October 20, 2022, 2:34pm

@mattdm, thank you for the response.

True, the solution space is huge. Indeed, and what you are describing, any solution (or path towards a solution) should be framed with a specific threat model. That starts with a foundation: what exactly is attacked; in this case, how would a CoreOS install look like …

The crucial thing is the balance between security and convenience; as you said, you can harden a system so well that the convenience becomes 0, or a joke (the ping times accessing that box in the middle of the sun must be atrocious … yes, thank you, I’ll be working remotely). There must be some convenience built into the model, otherwise it’ll be too hard to use. And the optimization is to make at least any compromise a convenience. (conveniences such as ssh key access that are also a big security improvement are rare)

I can see some things that CoreOS does trying to strike a balance between the two. What I was dreaming of is to get a good picture of where was a security decision, where was a convenience decision.
Maybe I can take the pain in trading off some clear convenience for more security, if is really worth it.
But I’ll be thinking twice++ of reducing security for extra convenience: unless I have some super-deep understanding of what is going on, I would rather trust CoreOS and its designers to do the right thing instead.
So, deciding what to leave as it is and what to customize and how much.

An example of the small, early decisions to be made – but they could end up later on steer significantly the direction of the whole architecture.
Take for example the default regular user account. It’s clear a lot of care has been used in setting it up. No default password login, you can simply add a ssh key and you’re good to go. Security! On the other hand, core is in %sudo in sudoers (or something to that effect), so no authentication with sudo. Convenience!

Is it worth setting a password on the default account and have sudo authenticate you ? (or, more extreme, set up an entirely new user… then make sure the account does still not allow password logins…) A lot of system administration will become more inconvenient and arbitrary automation, especially through ssh, will suffer (or at least it will require setting up a fixed list of NOPASSWD scripts … )

Then let’s pin some variables, an attempt to narrow down a mythical “minimal common” case. Single-node install. These days, some form of cloud install. Multiple containers, some having ports exposed to public access; others, not publicly exposed; both might have some sort of privately accessible communication channel that you can tunnel to. In the first category, some kind of server, most likely a web server. In the second, stuff like a database (now that I describe all this, starts to sound like a frontend and a backend…).

Given this fairly common layout, there is another major fork in the road: rootful or rootless containers. I am also focusing just on podman here, since I understood docker has some wrinkles with rootless.
There is smooth convenience running rootful: add the unit in the ignition. Done.
For rootless, there is more friction: user-level systemd units are more complicated to create, assuming that you will do all the container related setup from inside one of them. Or there is an idiomatic way to start with system units and switch to a certain user/group inside (User=, Group=); maybe I have not got deep enough down the systemd docs rabbit hole to find out.
Does the convenience biased towards rootful amount to an admission that rootful is OK enough and not the “OMG, run-don-t-walk-away-from-it” that many container articles seem to imply ? (again, in the context of podman)

And despite the advances in the convenience of running rootless, there are still limitations that sometimes pop up, usually late during the design or, worse, testing process. If you hit a wall at that point, going back and re-arranging everything to run rootful turns the rootless attempt into wasted effort.

I got a lesson in this kind of outcome when trying to change some default CoreOS settings: many hardening guides recommend moving the sshd from listening on the default port to something else. The advice is controversial, the critics’ point being that you basically decrease convenience for negligible increase in security through obscurity. Just in case, as an experiment, I tried it. It turned out that is not possible due to SELinux settings (it can be done, but in very ugly, inelegant ways), so I gave up and stuck with the default.

This is the kind of advice that would be useful: is this just a limitation of the current way of applying ignition settings or it is considered not worth supporting such an use case and the sshd on the default is the way to go ?

I guess I’ll stop here, this is already getting really long.

fedhex · October 20, 2022, 2:43pm

Thanks for the advice @jakfrost !
I am aware of Silverblue, etc. but I am talking about servers here, not desktop.

jakfrost · October 20, 2022, 4:11pm

Excellent then, FCOS is indeed the beast you want.

bgilbert · October 21, 2022, 4:04am

FWIW, system administration and arbitrary automation are discouraged on Fedora CoreOS. You can do them, of course, but we recommend reconfiguring machines by updating the Ignition config and reprovisioning.

I’d say no, rootless is preferred even though it’s less convenient. We haven’t yet put a lot of work into optimizing the container workflow (odd, I know) since users often bring their own container orchestration.

As sometimes happens, it’s a combination of features colliding with each other. It’d be good to fix this (and we’d welcome help doing so) but unfortunately there are nontrivial unsolved problems there.

One specific note on hardening: it’s good practice to ensure that untrusted services on the machine cannot read the Ignition config. On virtualization platforms this isn’t generally a problem, but some cloud providers serve the Ignition config from a metadata service that’s accessible from containers unless you firewall it or delete the config.

(Ideally you wouldn’t put secrets in the Ignition config, and would keep them in a separate secret store instead. Setting that up in a secure way isn’t necessarily trivial, though, and we don’t have any guides for it.)

eriksjolund · November 20, 2022, 12:57pm

Not yet, but there is a feature request for it in the Podman GitHub project:

github.com/containers/podman

support User= in systemd for running rootless services

opened 01:12PM - 09 Jan 22 UTC

closed 09:28PM - 02 Nov 23 UTC

Gchbg

kind/bug

**Is this a BUG REPORT or FEATURE REQUEST?** /kind bug **Description** …I want to have a systemd system service that runs a rootless container under an isolated user, but systemd rejects the sd_notify call and terminates the service. ``` Got notification message from PID 15150, but reception only permitted for main PID 14978 ``` A similar problem was menitoned but not resolved in #5572, which seems to have been closed without a resolution. Happy to help tracking this down. **Steps to reproduce the issue:** 1. Start with a Debian testing system. Create a system user with an empty home dir, and enable lingering: ``` groupadd -g 200 nginx useradd -r -s /usr/sbin/nologin -l -b /var/lib -M -g nginx -u 200 nginx usermod -v 165536-231071 -w 165536-231071 nginx mkdir -m 770 /var/lib/nginx nginx:nginx /var/lib/nginx loginctl enable-linger nginx ``` 2. Use this unit file, adapted from `podman generate systemd --new`: ``` ❯ cat /etc/systemd/system/nginx.service [Unit] Description=Nginx Wants=network-online.target After=network-online.target [Service] WorkingDirectory=/var/lib/nginx User=nginx Group=nginx Environment=PODMAN_SYSTEMD_UNIT=%n Restart=no TimeoutStopSec=70 Type=notify NotifyAccess=all ExecStartPre=/bin/rm -f %T/%N.ctr-id ExecStart=/usr/bin/podman run --cidfile=%T/%N.ctr-id --replace --rm -d --sdnotify=conmon --cgroups=no-conmon --name nginx nginx:mainline ExecStop=/usr/bin/podman stop --cidfile=%T/%N.ctr-id -i ExecStopPost=/usr/bin/podman rm --cidfile=%T/%N.ctr-id -f -i KillMode=none [Install] WantedBy=default.target ❯ sudo systemctl daemon-reload ``` 3. Start the unit: ``` ❯ sudo systemctl start nginx ``` **Describe the results you received:** ``` Jan 09 14:54:00 Cubert systemd[1]: /etc/systemd/system/nginx.service:24: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'. Support for KillMode=none is deprecated and will eventually be removed. Jan 09 14:54:00 Cubert systemd[1]: Starting Nginx... Jan 09 14:54:00 Cubert systemd[14978]: Started podman-15150.scope. Jan 09 14:54:00 Cubert podman[15150]: Resolving "nginx" using unqualified-search registries (/etc/containers/registries.conf) Jan 09 14:54:00 Cubert podman[15150]: Trying to pull docker.io/library/nginx:mainline... Jan 09 14:54:03 Cubert podman[15150]: Getting image source signatures Jan 09 14:54:03 Cubert podman[15150]: Copying blob sha256:a0bcbecc962ed2552e817f45127ffb3d14be31642ef3548997f58ae054deb5b2 Jan 09 14:54:03 Cubert podman[15150]: Copying blob sha256:a2abf6c4d29d43a4bf9fbb769f524d0fb36a2edab49819c1bf3e76f409f953ea Jan 09 14:54:03 Cubert podman[15150]: Copying blob sha256:a9edb18cadd1336142d6567ebee31be2a03c0905eeefe26cb150de7b0fbc520b Jan 09 14:54:03 Cubert podman[15150]: Copying blob sha256:589b7251471a3d5fe4daccdddfefa02bdc32ffcba0a6d6a2768bf2c401faf115 Jan 09 14:54:03 Cubert podman[15150]: Copying blob sha256:186b1aaa4aa6c480e92fbd982ee7c08037ef85114fbed73dbb62503f24c1dd7d Jan 09 14:54:03 Cubert podman[15150]: Copying blob sha256:b4df32aa5a72e2a4316aad3414508ccd907d87b4ad177abd7cbd62fa4dab2a2f Jan 09 14:54:03 Cubert podman[15150]: Copying blob sha256:589b7251471a3d5fe4daccdddfefa02bdc32ffcba0a6d6a2768bf2c401faf115 Jan 09 14:54:03 Cubert podman[15150]: Copying blob sha256:a0bcbecc962ed2552e817f45127ffb3d14be31642ef3548997f58ae054deb5b2 Jan 09 14:54:03 Cubert podman[15150]: Copying blob sha256:a9edb18cadd1336142d6567ebee31be2a03c0905eeefe26cb150de7b0fbc520b Jan 09 14:54:03 Cubert podman[15150]: Copying blob sha256:b4df32aa5a72e2a4316aad3414508ccd907d87b4ad177abd7cbd62fa4dab2a2f Jan 09 14:54:03 Cubert podman[15150]: Copying blob sha256:a2abf6c4d29d43a4bf9fbb769f524d0fb36a2edab49819c1bf3e76f409f953ea Jan 09 14:54:03 Cubert podman[15150]: Copying blob sha256:186b1aaa4aa6c480e92fbd982ee7c08037ef85114fbed73dbb62503f24c1dd7d Jan 09 14:54:12 Cubert podman[15150]: Copying config sha256:605c77e624ddb75e6110f997c58876baa13f8754486b461117934b24a9dc3a85 Jan 09 14:54:12 Cubert podman[15150]: Writing manifest to image destination Jan 09 14:54:12 Cubert podman[15150]: Storing signatures Jan 09 14:54:12 Cubert podman[15150]: Jan 09 14:54:12 Cubert podman[15150]: 2022-01-09 14:54:12.101247642 +0200 EET m=+11.607938154 container create 7c7de83a412558d9ef53592734d3a52df9eecf331f696acfcdaac0ce33cf4c2a (image=docker.io/library/nginx:mainline, name=nginx, maintainer=NGINX Docker Maintainers <docker-maint@nginx.com>, PODMAN_SYSTEMD_UNIT=nginx.service) Jan 09 14:54:12 Cubert systemd[14978]: Started libcrun container. Jan 09 14:54:12 Cubert podman[15150]: 2022-01-09 14:54:00.536382139 +0200 EET m=+0.043073791 image pull nginx:mainline Jan 09 14:54:12 Cubert systemd[1]: user@200.service: Got notification message from PID 15150, but reception only permitted for main PID 14978 Jan 09 14:54:12 Cubert podman[15150]: 2022-01-09 14:54:12.141137063 +0200 EET m=+11.647827815 container init 7c7de83a412558d9ef53592734d3a52df9eecf331f696acfcdaac0ce33cf4c2a (image=docker.io/library/nginx:mainline, name=nginx, PODMAN_SYSTEMD_UNIT=nginx.service, maintainer=NGINX Docker Maintainers <docker-maint@nginx.com>) Jan 09 14:54:12 Cubert systemd[1]: user@200.service: Got notification message from PID 15150, but reception only permitted for main PID 14978 Jan 09 14:54:12 Cubert podman[15150]: 2022-01-09 14:54:12.145611861 +0200 EET m=+11.652302766 container start 7c7de83a412558d9ef53592734d3a52df9eecf331f696acfcdaac0ce33cf4c2a (image=docker.io/library/nginx:mainline, name=nginx, PODMAN_SYSTEMD_UNIT=nginx.service, maintainer=NGINX Docker Maintainers <docker-maint@nginx.com>) Jan 09 14:54:12 Cubert podman[15150]: 7c7de83a412558d9ef53592734d3a52df9eecf331f696acfcdaac0ce33cf4c2a Jan 09 14:54:12 Cubert conmon[15215]: /docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration Jan 09 14:54:12 Cubert conmon[15215]: /docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/ Jan 09 14:54:12 Cubert conmon[15215]: /docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh Jan 09 14:54:12 Cubert conmon[15215]: 10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf Jan 09 14:54:12 Cubert conmon[15215]: 10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf Jan 09 14:54:12 Cubert conmon[15215]: /docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh Jan 09 14:54:12 Cubert conmon[15215]: /docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh Jan 09 14:54:12 Cubert conmon[15215]: /docker-entrypoint.sh: Configuration complete; ready for start up Jan 09 14:54:12 Cubert conmon[15215]: 2022/01/09 12:54:12 [notice] 1#1: using the "epoll" event method Jan 09 14:54:12 Cubert conmon[15215]: 2022/01/09 12:54:12 [notice] 1#1: nginx/1.21.5 Jan 09 14:54:12 Cubert conmon[15215]: 2022/01/09 12:54:12 [notice] 1#1: built by gcc 10.2.1 20210110 (Debian 10.2.1-6) Jan 09 14:54:12 Cubert conmon[15215]: 2022/01/09 12:54:12 [notice] 1#1: OS: Linux 5.15.0-2-amd64 Jan 09 14:54:12 Cubert conmon[15215]: 2022/01/09 12:54:12 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 524288:524288 Jan 09 14:54:12 Cubert conmon[15215]: 2022/01/09 12:54:12 [notice] 1#1: start worker processes Jan 09 14:54:12 Cubert conmon[15215]: 2022/01/09 12:54:12 [notice] 1#1: start worker process 26 Jan 09 14:54:12 Cubert systemd[14978]: Started podman-15271.scope. Jan 09 14:54:12 Cubert conmon[15215]: 2022/01/09 12:54:12 [notice] 1#1: signal 3 (SIGQUIT) received, shutting down Jan 09 14:54:12 Cubert conmon[15215]: 2022/01/09 12:54:12 [notice] 26#26: gracefully shutting down Jan 09 14:54:12 Cubert conmon[15215]: 2022/01/09 12:54:12 [notice] 26#26: exiting Jan 09 14:54:12 Cubert conmon[15215]: 2022/01/09 12:54:12 [notice] 26#26: exit Jan 09 14:54:12 Cubert conmon[15215]: 2022/01/09 12:54:12 [notice] 1#1: signal 17 (SIGCHLD) received from 26 Jan 09 14:54:12 Cubert conmon[15215]: 2022/01/09 12:54:12 [notice] 1#1: worker process 26 exited with code 0 Jan 09 14:54:12 Cubert conmon[15215]: 2022/01/09 12:54:12 [notice] 1#1: exit Jan 09 14:54:12 Cubert podman[15299]: 2022-01-09 14:54:12.393064442 +0200 EET m=+0.052274069 container remove 7c7de83a412558d9ef53592734d3a52df9eecf331f696acfcdaac0ce33cf4c2a (image=docker.io/library/nginx:mainline, name=nginx, PODMAN_SYSTEMD_UNIT=nginx.service, maintainer=NGINX Docker Maintainers <docker-maint@nginx.com>) Jan 09 14:54:12 Cubert podman[15271]: 7c7de83a412558d9ef53592734d3a52df9eecf331f696acfcdaac0ce33cf4c2a Jan 09 14:54:12 Cubert systemd[14978]: podman-15150.scope: Consumed 7.547s CPU time. Jan 09 14:54:12 Cubert systemd[1]: nginx.service: Failed with result 'protocol'. Jan 09 14:54:12 Cubert systemd[1]: Failed to start Nginx. ``` **Describe the results you expected:** Nginx runs until the end of time. **Output of `podman version`:** ``` Version: 3.4.4 API Version: 3.4.4 Go Version: go1.17.5 Built: Thu Jan 1 02:00:00 1970 OS/Arch: linux/amd64 ``` **Output of `podman info --debug`:** ``` host: arch: amd64 buildahVersion: 1.23.1 cgroupControllers: - memory - pids cgroupManager: systemd cgroupVersion: v2 conmon: package: 'conmon: /usr/bin/conmon' path: /usr/bin/conmon version: 'conmon version 2.0.25, commit: unknown' cpus: 1 distribution: distribution: debian version: unknown eventLogger: journald hostname: Cubert idMappings: gidmap: - container_id: 0 host_id: 200 size: 1 - container_id: 1 host_id: 165536 size: 65536 uidmap: - container_id: 0 host_id: 200 size: 1 - container_id: 1 host_id: 165536 size: 65536 kernel: 5.15.0-2-amd64 linkmode: dynamic logDriver: journald memFree: 1015083008 memTotal: 2041786368 ociRuntime: name: crun package: 'crun: /usr/bin/crun' path: /usr/bin/crun version: |- crun version 0.17 commit: 0e9229ae34caaebcb86f1fde18de3acaf18c6d9a spec: 1.0.0 +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL os: linux remoteSocket: exists: true path: /run/user/200/podman/podman.sock security: apparmorEnabled: false capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT rootless: true seccompEnabled: true seccompProfilePath: /usr/share/containers/seccomp.json selinuxEnabled: false serviceIsRemote: false slirp4netns: executable: /usr/bin/slirp4netns package: 'slirp4netns: /usr/bin/slirp4netns' version: |- slirp4netns version 1.0.1 commit: 6a7b16babc95b6a3056b33fb45b74a6f62262dd4 libslirp: 4.6.1 swapFree: 0 swapTotal: 0 uptime: 8h 1m 8.23s (Approximately 0.33 days) plugins: log: - k8s-file - none - journald network: - bridge - macvlan volume: - local registries: search: - docker.io store: configFile: /var/lib/nginx/.config/containers/storage.conf containerStore: number: 0 paused: 0 running: 0 stopped: 0 graphDriverName: overlay graphOptions: {} graphRoot: /var/lib/nginx/.local/share/containers/storage graphStatus: Backing Filesystem: extfs Native Overlay Diff: "true" Supports d_type: "true" Using metacopy: "false" imageStore: number: 0 runRoot: /run/user/200/containers volumePath: /var/lib/nginx/.local/share/containers/storage/volumes version: APIVersion: 3.4.4 Built: 0 BuiltTime: Thu Jan 1 02:00:00 1970 GitCommit: "" GoVersion: go1.17.5 OsArch: linux/amd64 Version: 3.4.4 ``` **Package info (e.g. output of `apt list podman`):** ``` podman/testing,now 3.4.4+ds1-1 amd64 [installed] ``` **Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/master/troubleshooting.md)** Yes and yes. **Additional environment details (AWS, VirtualBox, physical, etc.):** Machine is a VM.

idavy · May 4, 2024, 7:58am

Is there a list of all these features somewhere? I’ve tried to google it but failed

packelend · March 31, 2025, 6:00am

Hey there,
it might be off topic but Google shows it always top listed regardless how I put the question.

Are the above mentioned security settings of FCOS and docker vs podman the reason a docker containerized app is not allowed to creat files and folders on the host system?

Thank you
Stefan

Topic		Replies	Views
Launch FAQ: What is Fedora CoreOS? Project Discussion coreos-wg	3	2369	January 4, 2019
Out-of-the-box FCOS security Ask Fedora selinux , coreos	1	555	May 6, 2024
Fedora CoreOS Authoritive dns server Ask Fedora coreos , server	2	726	June 29, 2023
Future support for Wireguard Project Discussion coreos-wg	5	1179	January 31, 2020
Sell me on Atomic, CoreOS, Flatpaks, and Containers Ask Fedora flatpak , docker , gnome , nvidia , f39 , coreos , immutable , server , container , atomic-desktops	42	1701	November 4, 2024

CoreOS Hardening

Related topics