Re: F35 Change proposal: Smaller Container Base Image (remove sssd-client, util-linux, shadow-utils) (Self-Contained Change)

On 4/3/21 02:34, Tomasz Torcz wrote:
> On Fri, Apr 02, 2021 at 05:30:30PM -0400, Neal Gompa wrote:
>> On Fri, Apr 2, 2021 at 5:18 PM Lars Seipel <ls@xxxxxxxx> wrote:
>>> On Thu, Apr 01, 2021 at 02:36:48PM -0400, Neal Gompa wrote:
>>>> Unless OpenShift and RKE recently changed so that containers can run
>>>> as root by default (as of yesterday, they didn't), this is solidly a
>>>> bad idea, since it makes it much more unintuitive to set up secure
>>>> containers conforming with the guidelines for these Kubernetes
>>>> platforms.
>>> In my experience, containers trying to run stuff from shadow-utils in
>>> their entrypoint/startup scripts tend to be a reason for containers to
>>> *not* run on OpenShift/OKD without additional adjustments.
>>>
>>> A related (and more common) issue is images that expect to run with a
>>> particular named user (or UID) determined during the build process
>>> (again, most likely created using shadow-utils).
>>>
>>> I'm not familiar with Rancher but at least for OpenShift, I don't think
>>> the availability of shadow-utils is very useful. At run time, you can't
>>> use the shadow-utils at all and whatever you do with it during build
>>> time is unlikely to be helpful (and actively harmful more often than
>>> not) at run time when OpenShift assigns you an arbitrary UID.
>> It's basically required for building containers that will work at
>> runtime where OpenShift assigns an arbitrary UID.
>>
>> For example, in my containers, I *build* and create a "runtime user"
>> with the UID 1000, and then set things up to use that context at the
>> end. OpenShift uses that for its dynamic UID assignment.
>    But you do not need shadow-utils for that. Even the OpenShift
> documentation shows a simple echo is enough:
>
> if ! whoami &> /dev/null; then
>    if [ -w /etc/passwd ]; then
>        echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:${HOME}:/sbin/nologin" >> /etc/passwd
>    fi
> fi
> https://docs.openshift.com/container-platform/3.10/creating_images/guidelines.html
> (yeah, I know it's an old and obsolete version of docs)

What about all of the users of Docker and Podman who do?


```dockerfile
FROM fedora
RUN useradd XYZ
USER XYZ
...
```

Do you just break them out of the box?
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
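Added example, not code from this thread, from the OpenShift guidelines it links, or from the Fedora change proposal: the "echo into /etc/passwd" trick that Tomasz quotes, written as a reusable entrypoint helper that runs without shadow-utils, is idempotent when the image already created the build-time UID 1000 user Neal describes, and reports failure instead of silently doing nothing when /etc/passwd is not writable. The Dockerfile lines in the comment (chmod g=u /etc/passwd, USER 1000, ENTRYPOINT) are an assumed image layout; the passwd file and the UID 1000680000 in the demo are constructed sample data, not a real container.

```shell
#!/bin/sh
# Added example (not from the thread, the OpenShift docs, or Fedora):
# give an arbitrary, unnamed runtime UID a passwd entry without
# useradd/shadow-utils, so `whoami`, getpwuid() and tools that need a
# home directory work when the platform ignores the Dockerfile USER's UID.
#
# Assumed (hypothetical) image setup, not on the page:
#   RUN chmod g=u /etc/passwd && chgrp 0 /etc/passwd   # writable by GID 0
#   USER 1000
#   ENTRYPOINT ["/entrypoint.sh"]

# ensure_passwd_entry PASSWD_FILE UID [NAME] [HOME]
# Appends "NAME:x:UID:0:NAME user:HOME:/sbin/nologin" to PASSWD_FILE unless
# UID already has an entry. Returns 0 when an entry exists afterwards and
# 1 when the file is not writable and the UID is unknown, so the caller
# can decide whether to abort rather than continue as a nameless user.
ensure_passwd_entry() {
    passwd_file=$1
    uid=$2
    name=${3:-default}
    home=${4:-/}

    # Already known (e.g. the UID 1000 user created at build time)? No-op.
    if awk -F: -v u="$uid" '$3 == u { found = 1 } END { exit !found }' "$passwd_file"; then
        return 0
    fi
    # Without write access we cannot add the entry; report it.
    [ -w "$passwd_file" ] || return 1
    # Primary group 0 matches what OpenShift gives arbitrary UIDs.
    printf '%s:x:%s:0:%s user:%s:/sbin/nologin\n' "$name" "$uid" "$name" "$home" >> "$passwd_file"
}

# name_for_uid PASSWD_FILE UID
# Prints the login name for UID, the lookup `whoami` performs.
name_for_uid() {
    awk -F: -v u="$2" '$3 == u { print $1; exit }' "$1"
}

# Stand-alone demo on a constructed passwd file (never the real /etc/passwd).
demo_dir=$(mktemp -d)
printf 'root:x:0:0:root:/root:/bin/bash\nbuilder:x:1000:0:builder:/home/builder:/bin/sh\n' \
    > "$demo_dir/passwd"
ensure_passwd_entry "$demo_dir/passwd" 1000 builder /home/builder      # no-op, UID known
ensure_passwd_entry "$demo_dir/passwd" 1000680000 app /opt/app-root    # entry appended
echo "UID 1000680000 resolves to: $(name_for_uid "$demo_dir/passwd" 1000680000)"
rm -rf "$demo_dir"
```

In a real entrypoint the call is `ensure_passwd_entry /etc/passwd "$(id -u)" "${USER_NAME:-default}" "$HOME" || exit 1`; the check for a pre-existing UID is what keeps the build-time `useradd` user and the runtime fallback from producing duplicate entries on Docker and Podman, where the USER instruction is honoured.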