Run xcache as user instead of root #84

Draft
wants to merge 1 commit into
base: master

Conversation

@holzman holzman commented Mar 11, 2022

Even in containers, it's best practice to execute code as a user rather than as root whenever possible. In addition,
some multi-tenant Kubernetes systems (Red Hat OpenShift / OKD) have a default security policy that executes
containers with an ephemeral UID with GID 0. This change (along with substituting go-crond for crond in the base
software image) should enable running as any user with GID 0.

@brianhlin brianhlin requested a review from matyasselmeci June 1, 2022 20:26
@matyasselmeci
Contributor

Wouldn't this break multiuser? I will ask around if that's an issue.

Comment on lines +26 to +27
RUN groupadd -o -g 0 xrootd
RUN useradd -o -u 10940 -g 0 -s /bin/sh xrootd
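Review bot: `groupadd -o -g 0 xrootd` on the first line creates a second group entry that aliases GID 0, so name lookups for GID 0 (`ls -l`, `id`, `getent group 0`) may resolve to either `root` or `xrootd` depending on the order of /etc/group. Since the goal is only to give the user primary GID 0, `useradd -o -u 10940 -g 0 -s /bin/sh xrootd` already does that against the existing `root` group, and the `groupadd` line can be dropped; the `-o` on `useradd` only permits a duplicate UID, and 10940 is not shared, so it can go too. For the OpenShift/OKD case described in the PR (arbitrary ephemeral UID, GID 0), the directories xrootd writes at runtime also need to be group-owned by GID 0 and group-writable (e.g. `chgrp -R 0 <dir> && chmod -R g=u <dir>`, with `<dir>` as a placeholder for the actual runtime paths), otherwise an ephemeral UID other than 10940 still cannot write them.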
Contributor

What's this for? Does OKD not like groups?

Author

By default, OKD runs containers with an ephemeral UID and GID 0.

Comment on lines +9 to +10
#FROM opensciencegrid/software-base:$BASE_OSG_SERIES-el7-$BASE_YUM_REPO AS xcache
FROM opensciencegrid/software-base:$BASE_OSG_SERIES-el7-bh AS xcache
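Review bot: the hard-coded `-bh` tag on line 10 drops the `$BASE_YUM_REPO` build argument that the commented-out line 9 still uses, so a build for any other yum repo silently gets the same base image. If the `-bh` tag is only needed until go-crond replaces crond in software-base, restore the original `FROM opensciencegrid/software-base:$BASE_OSG_SERIES-el7-$BASE_YUM_REPO AS xcache` line and record the go-crond dependency in the PR description instead of leaving the swapped line in the Dockerfile.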
Contributor

Suggested change
#FROM opensciencegrid/software-base:$BASE_OSG_SERIES-el7-$BASE_YUM_REPO AS xcache
FROM opensciencegrid/software-base:$BASE_OSG_SERIES-el7-bh AS xcache
FROM opensciencegrid/software-base:$BASE_OSG_SERIES-el7-$BASE_YUM_REPO AS xcache

looks like a leftover from testing?

Contributor

never mind, just saw your line about go-crond.

@matyasselmeci
Contributor

I don't want to get it working on OKD only to break it on vanilla Kubernetes. I created a new branch, rootless-test. Let's merge it there first and modify the GitHub Action to create some new image tags based on that branch (@brianhlin knows how to do that better than I do). If we're happy with how that works out, we can merge it to master.
