Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

added the user and set the necessary permissions #2167

Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

added the user and set the necessary permissions #2167

wants to merge 7 commits into from

Conversation

rock-007
Copy link

Fixes #517

Background

The DB components fail to start when trying to start as non root user.

Change Summary

I have added group and user as postgres and set the permissions as raised by "mathieu-benoit" in the ticket ref:517

Testing Procedure

Related PRs or Issues

#517

@rock-007 rock-007 requested review from yoshi-approver and a team as code owners July 25, 2024 09:10
@google-cla Google CLA
Copy link

google-cla bot commented Jul 25, 2024

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@rock-007 rock-007 force-pushed the bug/fixing-root-privilage-issue branch from 6a188ac to c45df33 Compare July 25, 2024 09:21
@bourgeoisor
Copy link
Member

/gcbrun

@bourgeoisor
Copy link
Member

Hi @rock-007, have you tested this locally? The Docker image doesn't build.

docker build failure: The command '/bin/sh -c addgroup -S postgres && adduser -S postgres -G postgres' returned a non-zero code

@rock-007
Copy link
Author

Hi @rock-007, have you tested this locally? The Docker image doesn't build.

docker build failure: The command '/bin/sh -c addgroup -S postgres && adduser -S postgres -G postgres' returned a non-zero code

Hi @bourgeoisor
I had the impression that user and group doesn't exist for Postgres, but they are so I have amended the logic accordingly and pushed another commit.
It is now building fine locally, and I don't see anything obvious while running the Docker image.

bourgeoisor
bourgeoisor reviewed Jul 26, 2024
View reviewed changes
src/ledger/ledger-db/Dockerfile Outdated
Comment on lines 20 to 21
RUN if ! getent group postgres > /dev/null; then addgroup -S postgres; fi && \
if ! getent passwd postgres > /dev/null; then adduser -S postgres -G postgres; fi
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Container images should have deterministic build steps. Either these groups / bindings exist, or they don't. We should need conditional checks.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

removed the conditional check.

@bourgeoisor
Copy link
Member

/gcbrun

@bourgeoisor
Copy link
Member

This PR would need changes to the k8s YAML too, e.g. https://github.com/GoogleCloudPlatform/bank-of-anthos/pull/855/files

@rock-007
Copy link
Author

/gcbrun

@rock-007
Copy link
Author

This PR would need changes to the k8s YAML too, e.g. https://github.com/GoogleCloudPlatform/bank-of-anthos/pull/855/files

Done.

bourgeoisor
bourgeoisor reviewed Jul 28, 2024
View reviewed changes
kubernetes-manifests/ledger-db.yaml Outdated
@@ -103,6 +103,11 @@ spec:
- mountPath: /var/lib/postgresql/data
name: postgresdb
subPath: postgres
securityContext:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's a start but it's also missing security contexts to prevent all access to root:

        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - all
          privileged: false
          readOnlyRootFilesystem: true

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have added these now to the ledger-db.yaml file.

@bourgeoisor
Copy link
Member

/gcbrun

@bourgeoisor
Copy link
Member

/gcbrun

bourgeoisor
bourgeoisor reviewed Jul 29, 2024
View reviewed changes
src/ledger/ledger-db/Dockerfile
Comment on lines +19 to +23
# Change ownership of the necessary directories
RUN chown -R postgres:postgres /var/lib/postgresql /var/run/postgresql

# Set thte correct permissions
RUN chmod -R 0700 /var/lib/postgresql/data && chmod -R 0755 /var/run/postgresql
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mathieu-benoit do you think that's all that was needed? Seems too good to be true but maybe I'm overthinking it

@henrybell henrybell mentioned this pull request Aug 22, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bourgeoisor bourgeoisor bourgeoisor left review comments

@STARLING077 STARLING077 STARLING077 approved these changes

@yoshi-approver yoshi-approver Awaiting requested review from yoshi-approver yoshi-approver is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Components should not require root to run
3 participants
@rock-007 @bourgeoisor @STARLING077