Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Run xcache as user instead of root #84

Draft
wants to merge 1 commit into
base: master
Choose a base branch
from
Draft

Run xcache as user instead of root #84

wants to merge 1 commit into from

Conversation

holzman
Copy link

@holzman holzman commented Mar 11, 2022

Even in containers, it's best practice to execute code as a user rather than as root whenever possible. In addition,
some multi-tenant Kubernetes systems (Red Hat OpenShift / OKD) have a default security policy that executes
containers with an ephemeral UID with GID 0. This change (along with substituting go-crond for crond in the base
software image) should enable running as any user with GID 0.

@holzman
Run xcache as user instead of root
6692b7f 
Even in containers, it's best practice to execute code as a user rather than as root whenever possible.  In addition, some
multi-tenant Kubernetes systems (Red Hat OpenShift / OKD) have a default security policy that executes containers with an
ephemeral UID with GID 0.  This change (along with substituting go-crond for crond in the base software image) should
enable running as any user with GID 0.
@matyasselmeci
Copy link
Contributor

Wouldn't this break multiuser? I will ask around if that's an issue.

matyasselmeci
matyasselmeci reviewed Jun 6, 2022
View reviewed changes
Dockerfile
Comment on lines +26 to +27
RUN groupadd -o -g 0 xrootd
RUN useradd -o -u 10940 -g 0 -s /bin/sh xrootd
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What's this for? Does OKD not like groups?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

By default, OKD runs containers with an ephemeral UID and GID 0.

matyasselmeci
matyasselmeci reviewed Jun 6, 2022
View reviewed changes
Dockerfile
Comment on lines +9 to +10
#FROM opensciencegrid/software-base:$BASE_OSG_SERIES-el7-$BASE_YUM_REPO AS xcache
FROM opensciencegrid/software-base:$BASE_OSG_SERIES-el7-bh AS xcache
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
#FROM opensciencegrid/software-base:$BASE_OSG_SERIES-el7-$BASE_YUM_REPO AS xcache
FROM opensciencegrid/software-base:$BASE_OSG_SERIES-el7-bh AS xcache
FROM opensciencegrid/software-base:$BASE_OSG_SERIES-el7-$BASE_YUM_REPO AS xcache

looks like a leftover from testing?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

never mind, just saw your line about go-crond.

@matyasselmeci
Copy link
Contributor

I don't want to get it working on OKD only to break it on vanilla Kubernetes. I created a new branch, rootless-test. Let's merge it there first and modify the GitHub Action to create some new image tags based on that branch (@brianhlin knows how to do that better than I do). If we're happy with how that works out, we can merge it to master.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@matyasselmeci matyasselmeci matyasselmeci left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@holzman @matyasselmeci