On Fri, Apr 2, 2021 at 5:18 PM Lars Seipel <ls@xxxxxxxx> wrote: > > On Thu, Apr 01, 2021 at 02:36:48PM -0400, Neal Gompa wrote: > >Unless OpenShift and RKE recently changed so that containers can run > >as root by default (as of yesterday, they didn't), this is solidly a > >bad idea, since it makes it much more unintuitive to set up secure > >containers conforming with the guidelines for these Kubernetes > >platforms. > > In my experience, containers trying to run stuff from shadow-utils in > their entrypoint/startup scripts tend to be a reason for containers to > *not* run on OpenShift/OKD without additional adjustments. > > A related (and more common) issue are images that expect to run with a > particular named user (or UID) determined during the build process > (again, most likely created using shadow-utils). > > I'm not familiar with Rancher but at least for OpenShift, I don't think > the availability of shadow-utils is very useful. At run time, you can't > use the shadow-utils at all and whatever you do with it during build > time is unlikely to be helpful (and actively harmful more often than > not) at run time when OpenShift assigns you an arbitrary UID. It's basically required for building containers that will work at runtime where OpenShift assigns an arbitrary UID. For example, in my containers, I *build* and create a "runtime user" with the UID 1000, and then set things up to use that context at the end. OpenShift uses that for its dynamic UID assignment. -- 真実はいつも一つ!/ Always, there's only one truth! _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure