« All posts

Rootless Edge Deployments: Daemonless CI/CD with Podman and Buildah

Mounting a root Docker socket in CI/CD pipelines with hardware access is a major risk. Podman and Buildah's rootless, daemonless design mitigates it.

Mounting Docker's root-owned daemon socket (/var/run/docker.sock) directly into CI/CD runners is a serious supply-chain risk, especially in pipelines touching IIoT, SCADA, or edge AI hardware. A compromised runner can escalate to full host root with a single API call, and CVE-2024-21626 ('Leaky Vessels'), disclosed in January 2024, proved this isn't theoretical: a file-descriptor leak in runc let a malicious image escape the container and reach the host filesystem.

Podman and Buildah sidestep this failure class by dropping the always-on daemon for a fork-exec model: each command talks to the kernel through an OCI runtime (crun/runc) and exits when done, leaving no persistent API socket. Their rootless mode relies on Linux user namespaces, mapping an unprivileged host user to what looks like root inside the container — any process breaking out gets mapped back to its real, low-privilege host UID. Even if the same runtime bug is exploited, the attacker lands as a limited service account, not root.

Making this work requires correctly provisioning subordinate UID/GID ranges in /etc/subuid and /etc/subgid, which infrastructure-as-code-created service accounts still need verified explicitly. Storage has evolved too: rootless containers long depended on the performance-costly fuse-overlayfs, but Linux kernel 5.13 made native overlay mounts safe for unprivileged users, and Podman now prefers native overlay whenever the kernel supports it.

The takeaway: in pipelines with a path to physical hardware, sharing a rootful Docker socket is an unacceptable blast-radius risk, and Podman/Buildah's daemonless, namespace-based architecture gives engineers a concrete way to contain runtime vulnerabilities before they reach the host.

» SourceDev.to