Conversation

@flokli
Contributor

@flokli flokli commented Jun 14, 2023

Containers now run as non-root, to improve compatibility with default PodSecurityPolicies in more recent versions of Kubernetes.

This is part of WPB-1234

Checklist

  • Add a new entry in an appropriate subdirectory of changelog.d
  • Read and follow the PR guidelines

@flokli flokli requested review from akshaymankar and jschaul June 14, 2023 13:29
@CLAassistant

CLAassistant commented Jun 14, 2023

CLA assistant check
All committers have signed the CLA.

@zebot zebot added the ok-to-test Approved for running tests in CI, overrides not-ok-to-test if both labels exist label Jun 14, 2023
@jschaul
Member

jschaul commented Jun 14, 2023

@flokli nginz is failing to start:

Starting nginx
Setting up watches for /etc/wire/nginz/upstreams
nginx PID: 8
Setting up watches.
Watches established.
nginx: [alert] could not open error log file: open() "/var/log/nginx/error.log" failed (13: Permission denied)
2023/06/14 23:01:59 [warn] 9#9: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/wire/nginz/conf/nginx.conf:1
2023/06/14 23:01:59 [emerg] 9#9: open() "/var/run/nginz.pid" failed (13: Permission denied)
/nix/store/b6v3ffbwxi028wdhhrxdmg4ywfj6yngs-reload-script/bin/.nginz_reload.sh-wrapped: line 12: kill: (8) - No such process
Stream closed EOF for test-n1/nginz-6754597db-mcf5d (nginz)

@flokli
Contributor Author

flokli commented Jun 15, 2023

Seems the user directive may not be specified at all if nginx is already running as that user.
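
An added example (not code from this PR or the wire-server repository) of the configuration changes a non-root nginx master process needs to avoid the three failures in the log above; the paths and port are assumptions, and the temp-path directives go slightly beyond what the PR itself touched.

```nginx
# Added example, not from this PR: minimal nginx.conf for a master process
# that already runs as an unprivileged user (e.g. 'nobody' in the container).

# No `user` directive. A non-root master cannot change users, so nginx only
# logs the "[warn] ... makes sense only if the master process runs with
# super-user privileges" line seen above and ignores it.

# Everything nginx writes must be in a directory the container user can
# write to. /var/run and /var/log/nginx are root-owned by default, which
# caused the two "(13: Permission denied)" errors above.
pid        /tmp/nginx/nginx.pid;        # assumed writable directory
error_log  /dev/stderr warn;            # container log collection sees it
# Note: the compile-time default error log is opened before the config is
# parsed, so one "[alert] could not open error log file" can still print at
# startup; it is harmless once error_log points somewhere writable.

events {
    worker_connections 1024;
}

http {
    access_log /dev/stdout;

    # Temporary-file directories also default to root-owned locations and
    # fail on first use rather than at startup, so redirect them too.
    client_body_temp_path /tmp/nginx/client_body;
    proxy_temp_path       /tmp/nginx/proxy;
    fastcgi_temp_path     /tmp/nginx/fastcgi;
    uwsgi_temp_path       /tmp/nginx/uwsgi;
    scgi_temp_path        /tmp/nginx/scgi;

    server {
        # An unprivileged process cannot bind ports below 1024 without
        # CAP_NET_BIND_SERVICE; listen high and let the Kubernetes Service
        # map port 80 to it.
        listen 8080;

        location / {
            return 200 "ok\n";
        }
    }
}
```

The /tmp/nginx directory must exist and be writable by the container user before start, for example as an emptyDir volume mounted into the pod.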

@flokli flokli force-pushed the containers-nobody branch from b846c04 to 5503f86 June 15, 2023 07:03
flokli added 2 commits June 15, 2023 10:11
nginx does not want to see the `user` directive at all if it's already
running as the desired user, so drop it from the config, as well as the
corresponding helm chart values.

Also drop the custom fakeNss, instead run nginx as 'nobody' user
directly.
@flokli flokli force-pushed the containers-nobody branch from 5503f86 to 870f408 June 15, 2023 07:12
@flokli flokli merged commit afac90c into develop Jun 15, 2023
@flokli flokli deleted the containers-nobody branch June 15, 2023 14:11
flokli added a commit that referenced this pull request Jun 15, 2023
This was missed to stage during #3352.