WingNews logo WingNews
top | item 43685992

(no title)

eriksjolund | 10 months ago

Podman quadlet supports "Socket activation of containers" https://github.com/containers/podman/blob/main/docs/tutorial... This allows you to run a network server with `Network=none` (--network=none). If the server would be compromised, the intruder would not have the privileges to use the compromised server as a spam bot. There are other advantages, such as support for preserved source IP address and better performance when running a container with rootless Podman + Pasta in a custom network.

discuss

order

anonfordays|10 months ago

What's old is new again. That's effectively how inetd worked circa 1986. The inetd daemon had some serious security vulnerabilities so the world move away from using "socket activated daemons" to having always listening services (performance reasons as well).

rendaw|10 months ago

I never understood the use case for socket activation - is someone really running a web server that mixed workloads, long periods with no network traffic you'd rather prioritize something else, and a web server that's so resource intensive when not handling events it makes sense to stop it? Maybe desktop computers?

The security aspect is something new to me and I'm not sure if that applies to inetd/systemd socket services or if it's specifically a container thing.

Does anyone have more info on use cases for this?

thwarted|10 months ago

inetd supported "socket activation" using the "wait" directive, where inetd would listen on the socket and then hand off the listening socket when there was activity as fd 0 where the server would need to call accept, and could continue to call accept for new connections, or exit when all clients were handled, and inetd would respawn when there was new pending connection on the listening socket.

infogulch|10 months ago

That's neat. Does it require 1 connection = 1 process to work? I don't see how you can have a long running server with this feature.

xyzzy_plugh|10 months ago

No, the init process hands over the listener FD allowing the server to accept() connections.

You can also do 1 connection = 1 process, though, but it's absolutely not required nor particular common these days.