On Thu, Apr 01, 2021 at 02:36:48PM -0400, Neal Gompa wrote:
> Unless OpenShift and RKE recently changed so that containers can run as root by default (as of yesterday, they didn't), this is solidly a bad idea, since it makes it much more unintuitive to set up secure containers conforming with the guidelines for these Kubernetes platforms.
In my experience, containers trying to run stuff from shadow-utils in their entrypoint/startup scripts tend to be a reason for containers to *not* run on OpenShift/OKD without additional adjustments.
A related (and more common) issue is images that expect to run with a particular named user (or UID) determined during the build process (again, most likely created using shadow-utils).
I'm not familiar with Rancher but at least for OpenShift, I don't think the availability of shadow-utils is very useful. At run time, you can't use the shadow-utils at all and whatever you do with it during build time is unlikely to be helpful (and actively harmful more often than not) at run time when OpenShift assigns you an arbitrary UID.
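One way to turn the point above into a pre-ship check, as an added example that is not part of the thread: it models the runtime contract described (an arbitrary UID chosen at run time) and asks which paths in an image that UID could still write. It assumes OpenShift's documented convention that the arbitrary UID also carries GID 0, and GNU find/stat for the real-directory variant.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenShift. OpenShift starts
# the container under an arbitrary UID that no build-time useradd could have
# predicted; that the process also carries GID 0 (root group) is OpenShift's
# documented convention and is assumed here.

# arbitrary_uid_can_write OWNER_UID OWNER_GID OCTAL_MODE
# Exit 0 when a process with an unknown UID and GID 0 can write the path.
arbitrary_uid_can_write() {
    gid=$2; mode=$3                     # $1 (owner uid) is irrelevant, see below
    perm=${mode#"${mode%???}"}          # last three octal digits (rwx bits)
    group=${perm%?}; group=${group#?}   # middle digit: group bits
    other=${perm#??}                    # last digit: other bits
    # The owner bits never apply: an arbitrary UID will not equal the owner.
    if [ "$gid" -eq 0 ] && [ $(( group & 2 )) -ne 0 ]; then return 0; fi
    [ $(( other & 2 )) -ne 0 ]
}

# unwritable_paths: reads "path uid gid mode" lines (the fields GNU
# `stat -c '%n %u %g %a'` prints) on stdin and prints the paths an
# arbitrary UID cannot write.
unwritable_paths() {
    while read -r name uid gid mode; do
        arbitrary_uid_can_write "$uid" "$gid" "$mode" || printf '%s\n' "$name"
    done
}

# audit_tree DIR: run the check over a real directory (GNU find/stat assumed).
audit_tree() {
    find "$1" -exec stat -c '%n %u %g %a' {} + | unwritable_paths
}

# Constructed listing, not taken from any real image. /app was built the
# shadow-utils way (useradd -u 1001 app; chown -R app:app /app; USER app), so
# under OpenShift its data directory is read-only for the process. /srv/app
# was prepared with `chgrp -R 0 /srv/app && chmod -R g=u /srv/app` instead.
demo_unwritable_paths() {
    unwritable_paths <<'EOF'
/app/bin/server 1001 1001 755
/app/data 1001 1001 755
/app/data/state.db 1001 1001 644
/srv/app/data 1001 0 775
/srv/app/data/state.db 1001 0 664
/tmp 0 0 1777
EOF
}

demo_unwritable_paths
```

Only the /app paths are reported; the /srv/app tree and /tmp stay writable to whatever UID the platform picks.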