Change gid of -rootless image to 1000 #4380

Closed
anderseknert opened this issue Feb 24, 2022 · 4 comments · Fixed by #4407
@anderseknert
Member

anderseknert commented Feb 24, 2022

Breaking this issue out from #4295 as it wasn't taken into consideration at the time. I don't think it'll be a nice experience to print a warning about running with root-like privileges when the user made an active choice to use the -rootless image, clearly expecting that to run without root privileges of any kind.

We currently don't set the group ID (gid) on the user for the -rootless image, which results in the default gid of 0 (i.e. root) being used. While this does not entail root privileges, belonging to the root group means having (possibly write) access to files that would normally not be accessible.

This is done here:
https://github.com/open-policy-agent/opa/blob/main/Makefile#L348

I suggest we change the value to "1000:1000" in order to set the gid to a non-root value as well.
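An added example illustrating the check behind this issue (not code from the OPA project or from the comment author): a small POSIX shell script that reads a Dockerfile, finds its last `USER` directive and reports the effective gid. It assumes the `USER uid` / `USER uid:gid` syntax of the Dockerfile `USER` instruction (the same `uid:gid` form `docker run --user` accepts), and it assumes, as for a scratch-style image, that a numeric uid with no group and no /etc/passwd entry ends up with gid 0. The two Dockerfiles it checks are constructed inline for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the OPA project: flag Dockerfiles whose final
# USER directive names a user but omits the group, which leaves the
# container running with gid 0 (the root group).

# Print the gid that the last USER directive in the given Dockerfile yields.
# "0" is printed when there is no USER line, or when the group is omitted
# (assumption: numeric uid without a passwd entry, as in a scratch image).
user_gid_from_dockerfile() {
    last_user=$(grep -iE '^[[:space:]]*USER[[:space:]]' "$1" | tail -n 1 | awk '{print $2}')
    case "$last_user" in
        "")  echo 0 ;;                # no USER directive: runs as root:root
        *:*) echo "${last_user#*:}" ;; # explicit "uid:gid" -> take the gid part
        *)   echo 0 ;;                # group omitted -> default gid 0 (assumed)
    esac
}

# Return 0 when the Dockerfile sets an explicit, numeric, non-zero gid.
# A named group ("1000:nonroot") cannot be resolved without the image's
# /etc/group, so it is also reported for manual review (return 1).
check_nonroot_group() {
    gid=$(user_gid_from_dockerfile "$1")
    case "$gid" in
        ''|*[!0-9]*) return 1 ;;   # named or malformed group: needs review
        0)           return 1 ;;   # root group
        *)           return 0 ;;   # explicit non-root gid, e.g. 1000
    esac
}

# Demonstration on two constructed Dockerfiles: the current "USER 1000"
# shape versus the proposed "USER 1000:1000".
demo_dir=$(mktemp -d)
printf 'FROM scratch\nUSER 1000\n'      > "$demo_dir/Dockerfile.current"
printf 'FROM scratch\nUSER 1000:1000\n' > "$demo_dir/Dockerfile.proposed"
for f in "$demo_dir/Dockerfile.current" "$demo_dir/Dockerfile.proposed"; do
    if check_nonroot_group "$f"; then
        echo "OK   $f: gid $(user_gid_from_dockerfile "$f")"
    else
        echo "WARN $f: effective gid $(user_gid_from_dockerfile "$f") (root group)"
    fi
done
rm -rf "$demo_dir"
```

Run it as-is to see the warning for the `USER 1000` form and the pass for `USER 1000:1000`; the same check applies to whatever value the build passes through as the image user, since `1000` and `1000:1000` differ only in the group part.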

@srenatus
Contributor

I think this is unlikely to break anyone. AFAIK, groups don't matter for anything but file access.... would that be correct?

@anderseknert
Member Author

anderseknert commented Feb 24, 2022

I think that's correct, and some resources seem to suggest so too.

I'm not entirely sure about the implications of having privileged access to files though, as so much of a Linux system is controlled via files, i.e. "everything is a file". Either way, it seems like the right thing to do.

@srenatus
Contributor

OTOH if it's a userland thing -- and our docker images have no userland worth speaking of, I think -- then "it doesn't matter" kind of goes both ways: if it doesn't matter that gid=0, we might as well not warn about it in the first place.

Are there any published best practices re: k8s/docker and this? I mean, beyond "Unix 101"? Just because a lot has changed (namespaces for one thing)...

@anderseknert
Member Author

While I do think you're right that it doesn't matter much in practice, I don't think skipping the warning is the way forward, but rather to fix this by changing the gid to be > 0, starting with the -rootless image from the next (or rather, the one after the next v0.38.0) release and forward, and the main image 3-6 releases later. Let's just do the right thing :)

anderseknert added a commit to anderseknert/opa that referenced this issue Mar 4, 2022
Fixes open-policy-agent#4380

Signed-off-by: Anders Eknert <anders@eknert.com>
anderseknert added a commit that referenced this issue Mar 4, 2022
Fixes #4380

Signed-off-by: Anders Eknert <anders@eknert.com>