On Tue, 6 Apr 2021 at 12:58, Peter Robinson <pbrobin...@gmail.com> wrote:
> On Tue, Apr 6, 2021 at 11:36 AM Neal Gompa <ngomp...@gmail.com> wrote:
> >
> > On Tue, Apr 6, 2021 at 3:23 AM Clement Verna <cve...@fedoraproject.org>
> wrote:
> > >
> > >
> > >
> > > On Mon, 5 Apr 2021 at 20:30, Daniel Walsh <dwa...@redhat.com> wrote:
> > >>
> > >> On 4/3/21 02:34, Tomasz Torcz wrote:
> > >> > Dnia Fri, Apr 02, 2021 at 05:30:30PM -0400, Neal Gompa napisał(a):
> > >> >> On Fri, Apr 2, 2021 at 5:18 PM Lars Seipel <l...@slrz.net> wrote:
> > >> >>> On Thu, Apr 01, 2021 at 02:36:48PM -0400, Neal Gompa wrote:
> > >> >>>> Unless OpenShift and RKE recently changed so that containers can
> run
> > >> >>>> as root by default (as of yesterday, they didn't), this is
> solidly a
> > >> >>>> bad idea, since it makes it much more unintuitive to set up
> secure
> > >> >>>> containers conforming with the guidelines for these Kubernetes
> > >> >>>> platforms.
> > >> >>> In my experience, containers trying to run stuff from
> shadow-utils in
> > >> >>> their entrypoint/startup scripts tend to be a reason for
> containers to
> > >> >>> *not* run on OpenShift/OKD without additional adjustments.
> > >> >>>
> > >> >>> A related (and more common) issue are images that expect to run
> with a
> > >> >>> particular named user (or UID) determined during the build process
> > >> >>> (again, most likely created using shadow-utils).
> > >> >>>
> > >> >>> I'm not familiar with Rancher but at least for OpenShift, I don't
> think
> > >> >>> the availability of shadow-utils is very useful. At run time, you
> can't
> > >> >>> use the shadow-utils at all and whatever you do with it during
> build
> > >> >>> time is unlikely to be helpful (and actively harmful more often
> than
> > >> >>> not) at run time when OpenShift assigns you an arbitrary UID.
> > >> >> It's basically required for building containers that will work at
> > >> >> runtime where OpenShift assigns an arbitrary UID.
> > >> >>
> > >> >> For example, in my containers, I *build* and create a "runtime
> user"
> > >> >> with the UID 1000, and then set things up to use that context at
> the
> > >> >> end. OpenShift uses that for its dynamic UID assignment.
> > >> > But you do not need shadow-utils for that. Even OpenShift
> > >> > documentation shows simple echo is enough:
> > >> >
> > >> > if ! whoami &> /dev/null; then
> > >> > if [ -w /etc/passwd ]; then
> > >> > echo "${USER_NAME:-default}:x:$(id
> -u):0:${USER_NAME:-default} user:${HOME}:/sbin/nologin" >> /etc/passwd
> > >> > fi
> > >> > fi
> > >> >
> https://docs.openshift.com/container-platform/3.10/creating_images/guidelines.html
> > >> > (yeah, I know it's an old and obsolete version of docs)
> > >> >
> > >> What about all of the users of Docker and Podman who do?
> > >>
> > >>
> > >>
> > >> ```
> > >>
> > >> from fedora
> > >>
> > >> run useradd XYZ
> > >>
> > >> user XYZ
> > >>
> > >> ...
> > >>
> > >> ```
> > >>
> > >> Do you just break them out of the box?
> > >
> > >
> > > Yes and that's the point of the Change Proposal (ie make this more
> widely known and allow people to change their Dockerfile). This change
> would only be applied starting from the Fedora 35 base image, I don't think
> it is unreasonable to have breaking change between major version of the
> container base image.
> > >
> >
> > I think it would be unreasonable to break such a commonly established
> > pattern, though. That's enough of a reason for people to stop using
> > the Fedora base container.
>
> We do have the Base container and a Base Minimal, so maybe do it in
> the later and not the former?
>
Yes that's a good suggestion :-), I can probably make another Change for
that tho.
Based on the feedback received, I will update the change proposal to
exclude shadow-utils from the packages proposed to be removed. That way we
should be able to move on and at least remove sssd-client and util-linux ;-)
> _______________________________________________
> devel mailing list -- devel@lists.fedoraproject.org
> To unsubscribe send an email to devel-le...@lists.fedoraproject.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
>
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
