Skip to content

Run xcache as user instead of root#84

Draft
holzman wants to merge 1 commit intoopensciencegrid:masterfrom
holzman:remove-root
Draft

Run xcache as user instead of root#84
holzman wants to merge 1 commit intoopensciencegrid:masterfrom
holzman:remove-root

Conversation

@holzman
Copy link

@holzman holzman commented Mar 11, 2022

Even in containers, it's best practice to execute code as a user rather than as root whenever possible. In addition,
some multi-tenant Kubernetes systems (Red Hat OpenShift / OKD) have a default security policy that executes
containers with an ephemeral UID with GID 0. This change (along with substituting go-crond for crond in the base
software image) should enable running as any user with GID 0.

@holzman
Run xcache as user instead of root
6692b7f 
Even in containers, it's best practice to execute code as a user rather than as root whenever possible.  In addition, some
multi-tenant Kubernetes systems (Red Hat OpenShift / OKD) have a default security policy that executes containers with an
ephemeral UID with GID 0.  This change (along with substituting go-crond for crond in the base software image) should
enable running as any user with GID 0.
@brianhlin brianhlin requested a review from matyasselmeci June 1, 2022 20:26
@matyasselmeci
Copy link
Contributor

matyasselmeci commented Jun 6, 2022

Wouldn't this break multiuser? I will ask around if that's an issue.

matyasselmeci
matyasselmeci reviewed Jun 6, 2022
View reviewed changes
Dockerfile
Comment on lines +26 to +27
RUN groupadd -o -g 0 xrootd
RUN useradd -o -u 10940 -g 0 -s /bin/sh xrootd
Copy link
Contributor

@matyasselmeci matyasselmeci Jun 6, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What's this for? Does OKD not like groups?

Copy link
Author

@holzman holzman Jun 6, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

By default, OKD runs containers with an ephemeral UID and GID 0.

matyasselmeci
matyasselmeci reviewed Jun 6, 2022
View reviewed changes
Dockerfile
Comment on lines +9 to +10
#FROM opensciencegrid/software-base:$BASE_OSG_SERIES-el7-$BASE_YUM_REPO AS xcache
FROM opensciencegrid/software-base:$BASE_OSG_SERIES-el7-bh AS xcache
Copy link
Contributor

@matyasselmeci matyasselmeci Jun 6, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
#FROM opensciencegrid/software-base:$BASE_OSG_SERIES-el7-$BASE_YUM_REPO AS xcache
FROM opensciencegrid/software-base:$BASE_OSG_SERIES-el7-bh AS xcache
FROM opensciencegrid/software-base:$BASE_OSG_SERIES-el7-$BASE_YUM_REPO AS xcache

looks like a leftover from testing?

Copy link
Contributor

@matyasselmeci matyasselmeci Jun 6, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

never mind, just saw your line about go-crond.

@matyasselmeci
Copy link
Contributor

matyasselmeci commented Jun 6, 2022

I don't want to get it working on OKD only to break it on vanilla Kubernetes. I created a new branch, rootless-test. Let's merge it there first and modify the GitHub Action to create some new image tags based on that branch (@brianhlin knows how to do that better than I do). If we're happy with how that works out, we can merge it to master.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@matyasselmeci matyasselmeci matyasselmeci left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@holzman @matyasselmeci