As part of securing a container, one thing that a person may do is to run the container as a nonroot user (by default containers run as root). The CNAB spec doesn't really cover the idea of what user the container is running under.
When I tried out running a bundle that specified a different user, I ran into a bunch of file permission mismatches. For example, when credential files are injected into the container with cnab-go, they are owned by root, and aren't readable by the container.
I was wondering if this is something that tools should just informally figure out by inspecting the invocation image or if there's value to providing guidance around this (even non-normative) in the spec?
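The mismatch described above can be caught before the container starts. The sketch below is an added example, not part of the original issue and not cnab-go code: it compares the invocation image's USER value with the ownership and mode of a file to be injected. The function names are hypothetical, only numeric USER values are handled, and the file modes in the sample are assumptions.

```go
package main

import (
	"fmt"
	"io/fs"
	"strconv"
	"strings"
)

// ParseImageUser handles the numeric USER forms "", "uid" and "uid:gid".
// A bare uid gets gid 0, as Docker does when the uid has no passwd entry.
func ParseImageUser(user string) (uid, gid int, err error) {
	if user == "" {
		return 0, 0, nil // no USER set: the container runs as root
	}
	u, g, hasGroup := strings.Cut(user, ":")
	if uid, err = strconv.Atoi(u); err == nil && hasGroup {
		gid, err = strconv.Atoi(g)
	}
	if err != nil {
		return 0, 0, fmt.Errorf("USER %q is not numeric; resolve names via the image's passwd/group files", user)
	}
	return uid, gid, nil
}

// CanRead applies the owner/group/other read check for a process running as
// uid:gid (supplementary groups and ACLs are ignored).
func CanRead(uid, gid, fileUID, fileGID int, mode fs.FileMode) bool {
	switch {
	case uid == 0:
		return true // root reads regardless of mode (CAP_DAC_OVERRIDE assumed)
	case uid == fileUID:
		return mode&0400 != 0
	case gid == fileGID:
		return mode&0040 != 0
	}
	return mode&0004 != 0
}

func main() {
	// Constructed sample: root-owned files; the modes are assumptions, not from the page.
	for _, user := range []string{"", "65532:65532", "1000"} {
		uid, gid, err := ParseImageUser(user)
		for _, mode := range []fs.FileMode{0600, 0640} {
			fmt.Printf("USER=%q root:root %04o readable=%v err=%v\n", user, mode, CanRead(uid, gid, 0, 0, mode), err)
		}
	}
}
```

A tool that finds an unreadable file this way can either adjust ownership of the injected file to the image's uid or report the conflict before running the bundle.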