Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Do not run things in containers as root #86

Closed
gibizer opened this issue Oct 5, 2022 · 2 comments · Fixed by #795
Closed

Do not run things in containers as root #86

gibizer opened this issue Oct 5, 2022 · 2 comments · Fixed by #795
Assignees
@mrkisaolamb

Comments

@gibizer
Copy link
Contributor

gibizer commented Oct 5, 2022
edited
Loading

nova-operator/pkg/novaapi/dbsync.go

Line 53 in 6e5ff21

runAsUser := int64(0)

we should not be runnign as root

https://sdk.operatorframework.io/docs/best-practices/best-practices/#summary-1

"Does not run as root"

we should be using the nova user here.

the nova user and group is 42436

https://github.com/openstack/kolla/blob/master/kolla/common/users.py#L148-L151

https://github.com/openstack/tripleo-common/blob/0a4ca78500a30e80a1746ac65188350d597a32bc/container-images/kolla/base/uid_gid_manage.sh#L62

Originally posted by @SeanMooney in #84 (comment)

also in

nova-operator/templates/novaapi/config/nova-api-config.json

Line 25 in 6e5ff21

"owner": "root",

Originally posted by @SeanMooney in #84 (comment)

also in

nova-operator/pkg/novaapi/deployment.go

Line 37 in 6e5ff21

runAsUser := int64(0)

Originally posted by @SeanMooney in #84 (comment)
@gibizer gibizer mentioned this issue Oct 5, 2022
Merged
@gibizer gibizer changed the title Do not run dbsync asa root Do not things in containers as root Oct 5, 2022
@gibizer gibizer changed the title Do not things in containers as root Do not run things in containers as root Oct 7, 2022
@mrkisaolamb mrkisaolamb linked a pull request Jun 20, 2024 that will close this issue
Switch root to apache user for ssl.conf #795
Merged
@mrkisaolamb
Copy link
Contributor

Currently we are using RunAsUser: ptr.To(nova.NovaUserID) and also only file that we mount with root are ssl.conf so maybe we can mount with apache user and we can close this

@gibizer
Copy link
Contributor Author

gibizer commented Jun 20, 2024

It seems we did the majority of the work in #598. #795 is nice to have. We can merge it if CI is green. I agree we can close this ticket.
As a side note, we still cannot be fully rootless due to kolla uses sudo.

@mrkisaolamb mrkisaolamb self-assigned this Jun 21, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mrkisaolamb mrkisaolamb

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Switch root to apache user for ssl.conf mrkisaolamb/nova-operator
2 participants
@gibizer @mrkisaolamb