rootless podman

[L00PN00B]

Dear Developer,

thank you for offering Suricata in a container to make life easier for everyone.
Since Suricata would be a major target, I would prefer to run it in a container without root (in this case via podman).

If I do this, I fail.
podman run --rm -it --net=host \ --cap-add=net_admin,net_raw,sys_nice \ -v $(pwd)/logs:/var/log/suricata \ -v $(pwd)/etc:/etc/suricata \ jasonish/suricata:latest -i wlp3s0
result is
Checking for capability sys_nice: yes Checking for capability net_admin: yes 23/5/2023 -- 05:00:27 - <Notice> - This is Suricata version 6.0.11 RELEASE running in SYSTEM mode 23/5/2023 -- 05:00:54 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't create a AF_PACKET socket, error Operation not permitted 23/5/2023 -- 05:00:54 - <Notice> - all 1 packet processing threads, 4 management threads initialized, engine started. 23/5/2023 -- 05:00:54 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't create a AF_PACKET socket, error Operation not permitted 23/5/2023 -- 05:00:54 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error 23/5/2023 -- 05:00:54 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - thread W#01-wlp3s0 failed

The same command via sudo works fine.

Is their any way to run it rootless?

[jasonish]

I don't think rootless with Podman is possible. Suricata needs to get net_admin access to the host interface, which Podman can't provide without starting as root.

Provided Suricata sees that it has all the capabilities it needs, it will give up root access once running to the suricata user inside the container.