On 4/3/21 02:34, Tomasz Torcz wrote:
> Dnia Fri, Apr 02, 2021 at 05:30:30PM -0400, Neal Gompa napisał(a):
>> On Fri, Apr 2, 2021 at 5:18 PM Lars Seipel <ls@slrz.net> wrote:
>>> On Thu, Apr 01, 2021 at 02:36:48PM -0400, Neal Gompa wrote:
>>>> Unless OpenShift and RKE recently changed so that containers can run
>>>> as root by default (as of yesterday, they didn't), this is solidly a
>>>> bad idea, since it makes it much more unintuitive to set up secure
>>>> containers conforming with the guidelines for these Kubernetes
>>>> platforms.
>>> In my experience, containers trying to run stuff from shadow-utils in
>>> their entrypoint/startup scripts tend to be a reason for containers to
>>> *not* run on OpenShift/OKD without additional adjustments.
>>>
>>> A related (and more common) issue are images that expect to run with a
>>> particular named user (or UID) determined during the build process
>>> (again, most likely created using shadow-utils).
>>>
>>> I'm not familiar with Rancher but at least for OpenShift, I don't think
>>> the availability of shadow-utils is very useful. At run time, you can't
>>> use the shadow-utils at all and whatever you do with it during build
>>> time is unlikely to be helpful (and actively harmful more often than
>>> not) at run time when OpenShift assigns you an arbitrary UID.
>> It's basically required for building containers that will work at
>> runtime where OpenShift assigns an arbitrary UID.
>>
>> For example, in my containers, I *build* and create a "runtime user"
>> with the UID 1000, and then set things up to use that context at the
>> end. OpenShift uses that for its dynamic UID assignment.
> But you do not need shadow-utils for that. Even OpenShift
> documentation shows simple echo is enough:
>
> if ! whoami &> /dev/null; then
> if [ -w /etc/passwd ]; then
> echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:${HOME}:/sbin/nologin" >> /etc/passwd
> fi
> fi
> https://docs.openshift.com/container-platform/3.10/creating_images/guidelines.html
> (yeah, I know it's an old and obsolete version of docs)
>
What about all of the users of Docker and Podman who do?
```
from fedora
run useradd XYZ
user XYZ
...
```
Do you just break them out of the box?
Yes and that's the point of the Change Proposal (ie make this more widely known and allow people to change their Dockerfile). This change would only be applied starting from the Fedora 35 base image, I don't think it is unreasonable to have breaking change between major version of the container base image.
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure