Do not use non-numeric UID in Dockerfile #484
This is to fix rh-messaging/shipshape#75
jiridanek added a commit to jiridanek/cli-java that referenced this issue on Oct 28, 2022
It appears that not setting USER at all will take care of this.
Actually, the correct fix is as in https://github.com/skupperproject/skupper-router/pull/827/files. This follows least privilege in any Kubernetes, not just OpenShift. The idea with 10000 is not to clash with any user defined on the host system, https://kubesec.io/basics/containers-securitycontext-runasuser/
https://docs.openshift.com/container-platform/4.6/openshift_images/create-images.html says
Support arbitrary user ids
By default, OpenShift Container Platform runs containers using an arbitrarily assigned user ID. This provides additional security against processes escaping the container due to a container engine vulnerability and thereby achieving escalated permissions on the host node.
For an image to support running as an arbitrary user, directories and files that are written to by processes in the image must be owned by the root group and be read/writable by that group. Files to be executed must also have group execute permissions.
Adding the following to your Dockerfile sets the directory and file permissions to allow users in the root group to access them in the built image:
RUN chgrp -R 0 /some/directory && \
    chmod -R g=u /some/directory
Because the container user is always a member of the root group, the container user can read and write these files.
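As an added example (not code from the cli-java project, the linked PR, or the OpenShift docs), the following POSIX shell lint checks the two properties the thread arrives at: the Dockerfile's effective USER must be a numeric, non-root UID such as the 10000 mentioned above (Kubernetes can only verify a runAsNonRoot policy against a numeric UID, so a user name like `app` fails that check), and directories the process writes to must have been handed to the root group with `chgrp -R 0` and `chmod -R g=u` so an arbitrarily assigned UID can still use them. The two sample Dockerfiles are constructed for the demonstration; the base image, paths and user name in them are placeholders, not the project's real values.

```shell
#!/bin/sh
# Dockerfile lint for least-privilege UID handling (added example, not project code).
# Checks: (1) the last USER instruction is a numeric, non-root UID;
#         (2) writable paths were given to the root group (chgrp -R 0 + chmod -R g=u).

# Print the user part of the effective (last) USER instruction, dropping any ":group".
# Returns 1 when there is no USER instruction at all (the container would run as root).
dockerfile_user() {
    user=$(grep -iE '^[[:space:]]*USER[[:space:]]+' "$1" | tail -n 1 \
        | sed -E 's/^[[:space:]]*[Uu][Ss][Ee][Rr][[:space:]]+//; s/[[:space:]]+$//; s/:.*$//')
    [ -n "$user" ] || return 1
    printf '%s\n' "$user"
}

# Classify the USER value as: missing, root, non-numeric, or numeric-nonroot.
classify_user() {
    if ! user=$(dockerfile_user "$1"); then
        echo missing
        return 0
    fi
    case "$user" in
        0|root)     echo root ;;
        *[!0-9]*)   echo non-numeric ;;    # a name cannot be verified by runAsNonRoot
        *)          echo numeric-nonroot ;;
    esac
}

# True when the Dockerfile applies the OpenShift guideline for arbitrary UIDs.
has_group_perms_fix() {
    grep -qE 'chgrp[[:space:]]+-R[[:space:]]+0[[:space:]]' "$1" \
        && grep -qE 'chmod[[:space:]]+-R[[:space:]]+g=u[[:space:]]' "$1"
}

# One-line summary, e.g. "user=numeric-nonroot group-perms=yes".
lint_dockerfile() {
    perms=no
    has_group_perms_fix "$1" && perms=yes
    printf 'user=%s group-perms=%s\n' "$(classify_user "$1")" "$perms"
}

# Constructed sample Dockerfiles (placeholder image, paths and user; not the real project files).
TMP=$(mktemp -d)
BAD="$TMP/bad.Dockerfile"
GOOD="$TMP/good.Dockerfile"
NOUSER="$TMP/nouser.Dockerfile"

# Weak: a named user. Kubernetes cannot prove "app" is non-root from the image config,
# and /opt/app stays owned by that user, so an arbitrary UID cannot write to it.
cat > "$BAD" <<'EOF'
FROM debian:stable-slim
RUN useradd -r app && mkdir -p /opt/app/data && chown -R app /opt/app
WORKDIR /opt/app
USER app
EOF

# Corrected: numeric UID well above host-defined users, writable tree owned by group 0
# with group permissions equal to the owner's, so any UID in the root group can use it.
cat > "$GOOD" <<'EOF'
FROM debian:stable-slim
RUN mkdir -p /opt/app/data && \
    chgrp -R 0 /opt/app && \
    chmod -R g=u /opt/app
WORKDIR /opt/app
USER 10000
EOF

# No USER at all: the process runs as root unless the platform overrides the UID.
cat > "$NOUSER" <<'EOF'
FROM debian:stable-slim
RUN mkdir -p /opt/app
EOF

for f in "$BAD" "$GOOD" "$NOUSER"; do
    printf '%s: %s\n' "$(basename "$f")" "$(lint_dockerfile "$f")"
done
```

Running the script prints `bad.Dockerfile: user=non-numeric group-perms=no`, `good.Dockerfile: user=numeric-nonroot group-perms=yes` and `nouser.Dockerfile: user=missing group-perms=no`. The regexes intentionally key on the exact `chgrp -R 0` / `chmod -R g=u` idiom from the OpenShift guideline, so a Dockerfile that achieves the same ownership another way would need the pattern extended.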