No rootles image despite the note in the release 0.58

[sabinahofmann]

Short description

Based on this note v.58.0, it is expected that all images from 0.58 will run rootless. Reference is also made to the release in the corresponding variants v0.58.0-envoy.

According to the release note, I should not get an warning if I run an rootless image, because it's enought if the uid is not 0.

Examples:

• OPA Envoy Plugin 0.58.0
  ** Image Layer: https://hub.docker.com/layers/openpolicyagent/opa/0.58.0-envoy/images/sha256-f53e69eeee948b1d725877751720864221f6353e515211d54455f08b5abad671?context=explore
• OPA Envoy Plugin 0.58.0 rootless
  ** Image Layser: https://hub.docker.com/layers/openpolicyagent/opa/0.58.0-envoy-rootless/images/sha256-06418ed931f8f125e0ff8c235c88a2a3bdaad61002ecfe598ff3554f4dc7fe19?context=explore

Steps To Reproduce

• Have a look at the Image Layers of OPA Envoy Plugin 0.58.0 rootless & OPA Envoy Plugin 0.58.0
• Run the image 0.58.0-envoy-rootless and take a look into the logs. You will get a warning "OPA running with uid or gid 0. Running OPA with root privileges is not recommended."(see below

  opa/runtime/check_user_unix.go

  Line 22 in 30a244e

  logger.Warn("OPA running with uid or gid 0. Running OPA with root privileges is not recommended.")

  )

Expected behavior

Based on the note, I expect all variants images of OPA to run rootless. Both the UID and the GID and not onlay UID should be not 0 according to the text in release notes. Also the warning should be more should be more accurate. It's enough to set only UID not to 0.

[anderseknert]

Hi @sabinahofmann 👋 And thanks for reporting this. I'm unable to reproduce it here, I think. Trying to run both of the versions I'm only seeing the UID warning when using the non-rootless version. Starting from the next version, this will be the default behavior. Am I missing something obvious? 😃

docker run openpolicyagent/opa:0.58.0-envoy-rootless run --server

'WARNING: The requested image's platform (linux/amd64) does not match the detected host platform (linux/arm64/v8) and no specific platform was requested
{"addrs":[":8181"],"diagnostic-addrs":[],"level":"info","msg":"Initializing server. OPA is running on a public (0.0.0.0) network interface. Unless you intend to expose OPA outside of the host, binding to the localhost interface (--addr localhost:8181) is recommended. See https://www.openpolicyagent.org/docs/latest/security/#interface-binding","time":"2023-11-08T13:09:07Z"}

docker run openpolicyagent/opa:0.58.0-envoy run --server

WARNING: The requested image's platform (linux/amd64) does not match the detected host platform (linux/arm64/v8) and no specific platform was requested
{"addrs":[":8181"],"diagnostic-addrs":[],"level":"info","msg":"Initializing server. OPA is running on a public (0.0.0.0) network interface. Unless you intend to expose OPA outside of the host, binding to the localhost interface (--addr localhost:8181) is recommended. See https://www.openpolicyagent.org/docs/latest/security/#interface-binding","time":"2023-11-08T13:09:36Z"}
{"level":"warning","msg":"OPA running with uid or gid 0. Running OPA with root privileges is not recommended.","time":"2023-11-08T13:09:36Z"}

[ashutosh-narkar]

Just to clarify, we plan to stop publishing the rootless variant for the OPA images. The OPA-Envoy plugin still has the rootless variant for now and we will deprecate that as well.

[sabinahofmann]

Thank for your fast replay and also the information about the next steps. Which kind of Image are you using? If I run with podman (rootles state) I get the warning:

$ podman run openpolicyagent/opa:0.58.0-envoy-rootless run --server
{"addrs":[":8181"],"diagnostic-addrs":[],"level":"info","msg":"Initializing server. OPA is running on a public (0.0.0.0) network interface. Unless you intend to expose OPA outside of the host, binding to the localhost interface (--addr localhost:8181) is recommended. See https://www.openpolicyagent.org/docs/latest/security/#interface-binding","time":"2023-11-09T14:28:33Z"}
{"level":"warning","msg":"OPA running with uid or gid 0. Running OPA with root privileges is not recommended.","time":"2023-11-09T14:28:33Z"}

For me works only if a hand over explicit the uid and gid into the run command. According to the image layer of the Image, only the Uid is set. Which is also sufficient for a rootles container. However, the warning is misleading.

Further Information:

• Image Digest: "sha256:06418ed931f8f125e0ff8c235c88a2a3bdaad61002ecfe598ff3554f4dc7fe19"
• Client: Podman Engine
  Version: 4.4.1
  API Version: 4.4.1
  Go Version: go1.19.6
  Built: Tue Mar 21 16:45:49 2023
  OS/Arch: linux/amd64

[anderseknert]

Yeah, looks like the makefile only sets the UID and not the GID.

That differs from the OPA one, where we set both. We should have that corrected, I think. Would you want to submit a fix for that?

[sabinahofmann]

Yeah, I will do it.

[sabinahofmann]

Could somebody please review the PR. Thank you!

[ashutosh-narkar]

Merged. Thanks @sabinahofmann!

[leefernandes]

@ashutosh-narkar Will the envoy static images use user 1000? They are still USER 0

https://hub.docker.com/layers/openpolicyagent/opa/0.59.0-envoy-static/images/sha256-b9eb4c50bfbcc38626318a1485f6a13867c1dd034b3cdc6b897f4f4012e02e66?context=explore

[ashutosh-narkar]

Not atm but we can look into that for a future release.