On 4/3/21 02:34, Tomasz Torcz wrote:
Dnia Fri, Apr 02, 2021 at 05:30:30PM -0400, Neal Gompa napisał(a):
On Fri, Apr 2, 2021 at 5:18 PM Lars Seipel <l...@slrz.net> wrote:
On Thu, Apr 01, 2021 at 02:36:48PM -0400, Neal Gompa wrote:
Unless OpenShift and RKE recently changed so that containers can run
as root by default (as of yesterday, they didn't), this is solidly a
bad idea, since it makes it much more unintuitive to set up secure
containers conforming with the guidelines for these Kubernetes
platforms.
In my experience, containers trying to run stuff from shadow-utils in
their entrypoint/startup scripts tend to be a reason for containers to
*not* run on OpenShift/OKD without additional adjustments.
A related (and more common) issue are images that expect to run with a
particular named user (or UID) determined during the build process
(again, most likely created using shadow-utils).
I'm not familiar with Rancher but at least for OpenShift, I don't think
the availability of shadow-utils is very useful. At run time, you can't
use the shadow-utils at all and whatever you do with it during build
time is unlikely to be helpful (and actively harmful more often than
not) at run time when OpenShift assigns you an arbitrary UID.
It's basically required for building containers that will work at
runtime where OpenShift assigns an arbitrary UID.
For example, in my containers, I *build* and create a "runtime user"
with the UID 1000, and then set things up to use that context at the
end. OpenShift uses that for its dynamic UID assignment.
But you do not need shadow-utils for that. Even OpenShift
documentation shows simple echo is enough:
if ! whoami &> /dev/null; then
if [ -w /etc/passwd ]; then
echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default}
user:${HOME}:/sbin/nologin" >> /etc/passwd
fi
fi
https://docs.openshift.com/container-platform/3.10/creating_images/guidelines.html
(yeah, I know it's an old and obsolete version of docs)
What about all of the users of Docker and Podman who do?
```
from fedora
run useradd XYZ
user XYZ
...
```
Do you just break them out of the box?
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
