Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
container-perl: Run perl in a container with podman
- Host: GitHub
- URL: https://github.com/evancarroll/container-perl
- Owner: EvanCarroll
- Created: 2022-06-24T20:20:06.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2022-06-27T03:11:18.000Z (over 2 years ago)
- Last Synced: 2024-10-12T11:42:33.279Z (2 months ago)
- Topics: container, perl, perl5, podman, secure
- Language: Perl
- Homepage:
- Size: 8.79 KB
- Stars: 7
- Watchers: 3
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
`container_perl`
====

This is a wrapper around perl to recreate the environment in `podman`. What it
does is,

* Get the version of perl on the host, map it to an OCI image name.
* Get the current `@INC` on the host.
* Prepare a container that maps the host's `@INC` directories into the container.
* Clobber the `@INC` of the container perl with just the mapped dirs from the
  host using [`libreplace`](https://metacpan.org/pod/libreplace).
* `exec` a copy of perl using Podman in a container as above.

Security
---

The goal of this program is to allow arbitrary code execution of perl within
the context of a secure user-namespace.

Example
====

```sh
container-perl -E 'say "Hello World"';
container-perl ./testfile.pl
```

For the purpose of the demo, [`testfile.pl`](./testfile.pl) outputs the UID. This will differ when
run inside and outside of `container-perl`: user namespaces allow the perl
running in the namespace to think it's root, while invoking the same file with
regular perl will show the UID of the user.

Installation
====

Container perl requires,

* [user namespaces enabled](https://unix.stackexchange.com/a/602409/3285)
* `podman` installed
* Perl 5's [`libreplace`](https://github.com/EvanCarroll/perl5-libreplace) installed

Notes
====

Currently, all the dependency directories outside the working directory are mounted read-only.
The working directory is mounted read-write.

Inspiration
----

The source of inspiration for this was [Brian Scannell's talk at The Perl
Conference 2022 on IDE and checking Perl
syntax](https://tprc2022.sched.com/event/11nfS/the-perl-navigator-code-intelligence-for-any-editor).
In that talk Brian puts forward two methods of dealing with the insecurity of
checking perl syntax with `perl -c`:

1. Trusting a project. Trust in this context would require you to audit the
   code before testing the syntax. I doubt anyone will do this.
2. Executing the syntax checking on a remote machine, over SSH.

This approach uses podman to create an ephemeral container to syntax check Perl.
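The following is an added example, not code from the container-perl project: a dry-run shell builder that walks the README's steps (host perl version to image name, host `@INC` to read-only bind mounts, working directory read-write) and prints the `podman run` line the wrapper would `exec`. It assumes the official `docker.io/library/perl` image tagged by major.minor as the version-to-image mapping, which the README leaves unspecified, and it does not reproduce the `libreplace` step that clobbers `@INC` inside the container. The demo at the bottom runs on a constructed version string and `@INC` list so it needs neither perl nor podman.

```sh
#!/bin/sh
# Added example (not container-perl's own code). Builds, but does not run,
# the podman command the README describes. Assumption: docker.io/library/perl
# tagged "major.minor" stands in for the README's version-to-image mapping.

# Map a host perl version string such as "v5.36.0" to an OCI image reference.
perl_image_for_version() {
    ver="${1#v}"                                        # "v5.36.0" -> "5.36.0"
    printf 'docker.io/library/perl:%s\n' "${ver%.*}"    # "5.36.0"  -> "5.36"
}

# Read @INC entries from stdin, one per line, and emit one read-only --volume
# flag per entry. Relative entries such as "." and paths that do not exist on
# the host are skipped, so podman is never asked to bind a bad path and a
# relative entry cannot widen what the container can see.
inc_mount_flags() {
    while IFS= read -r dir; do
        case "$dir" in
            /*) if [ -d "$dir" ]; then printf '%s\n' "--volume=$dir:$dir:ro"; fi ;;
        esac
    done
    return 0
}

# Assemble the command the wrapper would exec.
#   $1 = host perl version, $2 = working directory (mounted read-write),
#   stdin = @INC entries, remaining arguments are passed to perl unchanged.
build_container_perl_cmd() {
    version="$1"; workdir="$2"; shift 2
    image=$(perl_image_for_version "$version")
    mounts=$(inc_mount_flags | tr '\n' ' ')
    printf 'podman run --rm --workdir=%s --volume=%s:%s:rw %s%s perl' \
        "$workdir" "$workdir" "$workdir" "$mounts" "$image"
    for arg in "$@"; do printf ' %s' "$arg"; done
    printf '\n'
}

# Stand-alone demo on constructed input: a made-up version and @INC list.
# On a real host the same functions would be fed the output of
#   perl -e 'print "$^V\n"'   and   perl -e 'print "$_\n" for @INC'
printf '%s\n' /usr/share/perl5 /nonexistent/site_perl . \
    | build_container_perl_cmd v5.36.0 "$PWD" -E 'say "Hello World"'
```

Only the working directory is bound read-write; every `@INC` directory that survives the filter is bound `:ro`, which is the mount layout the Notes section describes. Rootless podman maps the invoking user to root inside the user namespace by default, which is why `testfile.pl` reports a different UID inside the container.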