Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/evancarroll/container-perl

Run perl in a container with podman
https://github.com/evancarroll/container-perl

container perl perl5 podman secure

Last synced: about 1 month ago
JSON representation

Run perl in a container with podman

Host: GitHub
URL: https://github.com/evancarroll/container-perl
Owner: EvanCarroll
Created: 2022-06-24T20:20:06.000Z (over 2 years ago)
Default Branch: main
Last Pushed: 2022-06-27T03:11:18.000Z (over 2 years ago)
Last Synced: 2024-10-12T11:42:33.279Z (about 1 month ago)
Topics: container, perl, perl5, podman, secure
Language: Perl
Homepage:
Size: 8.79 KB
Stars: 7
Watchers: 3
Forks: 1
Open Issues: 0
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

README

`container_perl`
====

This is a wrapper around perl to recreate the environment in `podman`. What it
does is,

* Get the version of perl on the host, map it to an OCI image name.
* Get the current `@INC` on the host.
* Prepare a container that maps the host's `@INC` directories to the container
* Clobbers the `@INC` of the container perl with just the mapped dirs from the
host using [`libreplace`](https://metacpan.org/pod/libreplace).
* `exec`'s a copy of a Perl using Podman in a container as above.

Security
---

The goal of this program is to allow arbitrary code executation of perl within
the context of a secure user-namespace.

Example
====

```sh
container-perl -E 'say "Hello World"';
container-perl ./testfile.pl
```

For the purpose of the demo, [`testfile.pl`](./testfile.pl) outputs the UID. This will change when
run inside and outside of `container-perl` because user namespaces allow
perl running in the namespace to think it's root. While invoking this file with
regular perl will show it as the UID of the user.

Installation
====

Container perl requires,

* [usernamespaces enabled](https://unix.stackexchange.com/a/602409/3285)
* `podman` installed
* Perl 5's [`libreplace`](https://github.com/EvanCarroll/perl5-libreplace) installed

Notes
====

Currently, all the deps directory outside the directory are mounted read-only.
The working directory is mounted read-write.

Inspiration
----

The source of inspiration of this was [Brian Scannell's talk in The Perl
Conference 2022 on IDE and checking Perl
syntax](https://tprc2022.sched.com/event/11nfS/the-perl-navigator-code-intelligence-for-any-editor).
In that talk Brian puts forward two methods of dealing with the insecurity of
checking perl syntax, with `perl -c`

1. Trusting a project. Trust in this context would require you to audit the
code before testing the syntax. I doubt anyone will do this.
2. Executing the syntax checking on a remote machine, over SSH.

This approach uses podman to create a ephemeral container to syntax check Perl.