The site is up!


I've been wanting to create this blog for a while now. I finally found the time to properly set up a VPS, install Podman, and get a Ghost container up and running.

Podman is really great, if you know what you are doing. Coming from the rootful world of Docker, I had to do a lot of reading on how rootless networking works, and the specific libraries Podman uses (Pasta).

One thing that a lot of tutorials don't really explain is that Podman can do BOTH rootless networking and rootful networking. Aardvark is their rootful networking stack library. So if you are trying to figure out what the heck is wrong with your rootless Podman container's networking, stick to tutorials and forum discussions that explicitly mention Pasta, lest you go down a deep rabbit-hole only to find out hours later you were applying advice for Aardvark to your Pasta networks.

By the way, if you are trying to run a reverse proxy in front of your containerized web servers (Ghost, Gitea, etc.), you will need to run your reverse proxy on your host networking stack (i.e. it will use Aardvark as its networking setup/config lib). Podman rootless containers cannot talk to each other across user boundaries, so if you have your database running under one user, but your web server is running under another user, the only way for them to communicate with each other over a network connection is through the host network stack. This isn't as bad a security posture as you might think at first glance. You can still run your reverse proxy under its very own user as a rootless container; it just needs to be hooked up to the host network. This can be done rootlessly (sudo not required). I think the only thing you need to watch out for is whether your reverse proxy is using Unix sockets to communicate with everything behind it. If your reverse proxy is compromised, the attacker will most likely be running as your reverse proxy user, which would give them access to any Unix sockets you have set file permissions on for that user. A good idea might be to have all communication between your reverse proxy and backend services happen over the network. This way (most of) your services will still do basic password authentication and stop any bad actors from accessing your services.

For example, if you are running Caddy as your reverse proxy under the user 'caddy', and your Ghost instance is running in a Podman container under the user 'ghost', in order to pass requests from Caddy to Ghost you simply need to have Caddy running on the host network, Ghost running on a rootless network (podman network create ghost-network), and have Ghost listen on whatever port it needs. This port is now accessible unidirectionally (host -> ghost-network). Now Caddy simply needs to pass requests off to 'localhost:{Ghost port #}'. Just make sure to keep your Caddy image updated to patch any recently disclosed vulnerabilities. You should be pretty secure.
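The Caddy-in-front-of-Ghost layout described above, written out as an added example (not the post's own commands). It assumes Ghost's default port 2368, a placeholder hostname, and a Caddyfile under the caddy user's home; database setup for Ghost is left out. The one detail worth checking is the publish spec: binding the Ghost port to 127.0.0.1 keeps it reachable from Caddy on the host network but not from the internet, whereas a bare "2368:2368" binds all interfaces.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed values: Ghost on
# its default port 2368, placeholder hostname, Caddyfile in $HOME/caddy.
# The podman commands are emitted by functions so they can be read (or
# dry-run) before anything is executed as the 'ghost' or 'caddy' user.

GHOST_PORT=2368
SITE="blog.example.com"   # placeholder hostname

# Publish spec for Ghost. Binding to 127.0.0.1 is the important part:
# a bare "2368:2368" binds 0.0.0.0 and exposes Ghost directly.
ghost_publish_spec() {
    printf '127.0.0.1:%s:%s\n' "$GHOST_PORT" "$GHOST_PORT"
}

# Returns 0 when a -p spec is bound to the loopback address only.
publish_is_loopback_only() {
    case "$1" in
        127.0.0.1:*:*|localhost:*:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Commands run as user 'ghost' (rootless, on its own Podman network).
ghost_commands() {
    printf 'podman network create ghost-network\n'
    printf 'podman run -d --name ghost --network ghost-network -p %s \\\n' "$(ghost_publish_spec)"
    printf '  -e url=https://%s docker.io/library/ghost\n' "$SITE"
}

# Caddy config: proxy to the loopback port Ghost published above.
caddyfile() {
    printf '%s {\n    reverse_proxy localhost:%s\n}\n' "$SITE" "$GHOST_PORT"
}

# Command run as user 'caddy' (rootless, but attached to the host
# network stack so it can reach Ghost's loopback port).
caddy_command() {
    printf 'podman run -d --name caddy --network host \\\n'
    printf '  -v "$HOME/caddy/Caddyfile:/etc/caddy/Caddyfile:ro,Z" docker.io/library/caddy\n'
}

# Guard: refuse to emit the Ghost command if the publish spec was
# changed to an all-interfaces binding.
publish_is_loopback_only "$(ghost_publish_spec)" || { echo "refusing: Ghost port not loopback-only" >&2; exit 1; }

ghost_commands
caddyfile
caddy_command
```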