On Fri, Apr 02, 2021 at 05:30:30PM -0400, Neal Gompa wrote:
> On Fri, Apr 2, 2021 at 5:18 PM Lars Seipel <ls@xxxxxxxx> wrote:
> >
> > On Thu, Apr 01, 2021 at 02:36:48PM -0400, Neal Gompa wrote:
> > >Unless OpenShift and RKE recently changed so that containers can run
> > >as root by default (as of yesterday, they didn't), this is solidly a
> > >bad idea, since it makes it much more unintuitive to set up secure
> > >containers conforming with the guidelines for these Kubernetes
> > >platforms.
> >
> > In my experience, containers trying to run stuff from shadow-utils in
> > their entrypoint/startup scripts tend to be a reason for containers to
> > *not* run on OpenShift/OKD without additional adjustments.
> >
> > A related (and more common) issue is images that expect to run with a
> > particular named user (or UID) determined during the build process
> > (again, most likely created using shadow-utils).
> >
> > I'm not familiar with Rancher but at least for OpenShift, I don't think
> > the availability of shadow-utils is very useful. At run time, you can't
> > use the shadow-utils at all and whatever you do with it during build
> > time is unlikely to be helpful (and actively harmful more often than
> > not) at run time when OpenShift assigns you an arbitrary UID.
>
> It's basically required for building containers that will work at
> runtime where OpenShift assigns an arbitrary UID.
>
> For example, in my containers, I *build* and create a "runtime user"
> with the UID 1000, and then set things up to use that context at the
> end. OpenShift uses that for its dynamic UID assignment.

But you do not need shadow-utils for that. Even OpenShift documentation
shows a simple echo is enough:

  if ! whoami &> /dev/null; then
    if [ -w /etc/passwd ]; then
      echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:${HOME}:/sbin/nologin" >> /etc/passwd
    fi
  fi

https://docs.openshift.com/container-platform/3.10/creating_images/guidelines.html
(yeah, I know it's an old and obsolete version of docs)

-- 
Tomasz Torcz                RIP is irrevelant. Spoofing is futile.
tomek@xxxxxxxxxxxxxx       Your routes will be aggreggated. -- Alex Yuriev

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
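The arbitrary-UID pattern discussed in the thread, as an added example that is not part of the original message or of the OpenShift documentation: an entrypoint helper that gives whatever non-root UID the platform assigns a passwd record without any shadow-utils binary, and that is idempotent across restarts. The function name `ensure_passwd_entry`, the file-path parameter (so it can be exercised against a scratch copy) and the build-time `chmod g=u /etc/passwd` assumption are mine.

```shell
#!/bin/sh
# Added example, not the thread's code. Assumes the image ran
# `chmod g=u /etc/passwd` at build time so that the GID-0 user OpenShift
# assigns can append to it; no useradd/adduser is needed at run time.

# ensure_passwd_entry FILE UID GID NAME HOME
# Appends "NAME:x:UID:GID:NAME user:HOME:/sbin/nologin" to FILE unless a
# record with that UID already exists (so a restarted pod with the same
# UID does not get a duplicate line). Returns 0 when an entry exists or
# was added, 1 when FILE is not writable; the caller decides if that is
# fatal (most apps only need getpwuid() to succeed for $HOME lookups).
ensure_passwd_entry() {
  file=$1 uid=$2 gid=$3 name=$4 home=$5
  # The UID is the third colon-separated field; anchor every field so
  # UID 100 does not match an existing 1000680000 record.
  if grep -q "^[^:]*:[^:]*:${uid}:" "$file" 2>/dev/null; then
    return 0
  fi
  [ -w "$file" ] || return 1
  printf '%s:x:%s:%s:%s user:%s:/sbin/nologin\n' \
    "$name" "$uid" "$gid" "$name" "$home" >> "$file"
}

# Entrypoint use: only act when NSS cannot resolve the current UID.
# Login shell is /sbin/nologin, exactly as in the documented snippet, so
# the record grants no interactive login; it only makes the UID resolvable.
if ! whoami >/dev/null 2>&1; then
  ensure_passwd_entry /etc/passwd "$(id -u)" 0 "${USER_NAME:-default}" "${HOME:-/}" ||
    echo "warning: /etc/passwd not writable; UID $(id -u) stays unnamed" >&2
fi
```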