Change gid of -rootless image to 1000 #4380
Comments
I think this is unlikely to break anyone. AFAIK, groups don't matter for anything but file access.... would that be correct?
I think that's correct, and some resources seem to suggest so too. I'm not entirely sure about the implications of having privileged access to files though, as so much of a Linux system is controlled via files, i.e. "everything is a file". Either way, it seems like the right thing to do.
OTOH if it's a userland thing -- and our docker images have no userland worth speaking of, I think -- then "it doesn't matter" kind of goes both ways: if it doesn't matter that gid=0, we might as well not warn about it in the first place. Are there any published best practices re: k8s/docker and this? I mean, beyond "Unix 101"? Just because a lot has changed (namespaces for one thing)...
While I do think you're right in that it doesn't matter much in practice, I don't think skipping the warning is the way forward, but rather to fix this by changing the gid to be > 0, starting with the
Fixes open-policy-agent#4380 Signed-off-by: Anders Eknert <anders@eknert.com>
Fixes #4380 Signed-off-by: Anders Eknert <anders@eknert.com>
Breaking this issue out from #4295 as it wasn't taken into consideration at the time. I don't think it'll be a nice experience to print a warning about running with root-like privileges when the user made an active choice to use the `-rootless` image, clearly expecting that to run without root privileges of any kind.

We currently don't set the group ID (gid) on the user for the `-rootless` image, which results in the default gid of 0 (i.e. root) being used. While this does not entail root privileges, belonging to the root group means having (possibly write) access to files that would normally not be accessible.

This is done here:
https://github.com/open-policy-agent/opa/blob/main/Makefile#L348
I suggest we change the value to "1000:1000" in order to set the `gid` to a non-root value as well.
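
The difference between a user value of "1000" and "1000:1000", as an added example that is not part of the original issue or OPA's own code: it resolves each spec to a uid/gid pair using the gid 0 default described above, then applies the POSIX owner/group/other rule to a few files. The file paths and modes are constructed for illustration, and supplementary groups, ACLs and capabilities are ignored.

```python
import stat
from typing import NamedTuple


class FileMeta(NamedTuple):
    path: str
    uid: int
    gid: int
    mode: int  # permission bits, e.g. 0o640


def effective_ids(user_spec: str) -> tuple[int, int]:
    """Resolve a numeric 'uid[:gid]' spec; an omitted gid falls back to 0."""
    uid, _, gid = user_spec.partition(":")
    return int(uid), (int(gid) if gid else 0)


def granted(uid: int, gid: int, f: FileMeta) -> str:
    """Pick exactly one permission class: owner, else group, else other."""
    if uid == f.uid:
        r, w = stat.S_IRUSR, stat.S_IWUSR
    elif gid == f.gid:
        r, w = stat.S_IRGRP, stat.S_IWGRP
    else:
        r, w = stat.S_IROTH, stat.S_IWOTH
    return ("r" if f.mode & r else "-") + ("w" if f.mode & w else "-")


# Constructed sample: root:root files with typical group-restricted modes.
SAMPLE_FILES = [
    FileMeta("/etc/app/secret.key", 0, 0, 0o640),
    FileMeta("/var/run/shared.sock", 0, 0, 0o660),
    FileMeta("/etc/hostname", 0, 0, 0o644),
]


def exposure(user_spec: str, files=SAMPLE_FILES) -> dict[str, str]:
    uid, gid = effective_ids(user_spec)
    return {f.path: granted(uid, gid, f) for f in files}


def gained_by_root_group(without_gid: str, with_gid: str) -> dict[str, tuple[str, str]]:
    """Files whose access differs: path -> (access with gid set, access without)."""
    fixed, current = exposure(with_gid), exposure(without_gid)
    return {p: (fixed[p], current[p]) for p in current if current[p] != fixed[p]}


if __name__ == "__main__":
    for path, (fixed, current) in gained_by_root_group("1000", "1000:1000").items():
        print(f"{path}: {fixed} with gid 1000, {current} when gid defaults to 0")
```
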