-
Notifications
You must be signed in to change notification settings - Fork 51
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove ContainerUser from busybox #35
Conversation
Just use default, which is ContainerAdministrator Signed-off-by: Ben Moss <bmoss@pivotal.io>
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: benmoss If they are not already assigned, you can assign the PR to them by writing The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
My understanding is that container users are only interesting if you have a "multi-user" container, where you setup some files as one user but then create another user that doesn't have permissions over them. I don't know the use-case for this, but I don't think there's any reason we need to do this in our test images. I saw that a bunch of the other images in this repo do the same thing, but this one is especially annoying since it ends up meaning that we need to grant |
/lgtm Just an fyi, there are tests which testing "multi-user" containers as you say, but we can't run them at the moment, because Kubernetes does that by specifying RunAsUid in the pod spec, which is not how Windows works. But in v1.15 we'll probably have RunAsUsername as an alternative, so those tests will become relevant then. But those tests use the mounttest image primarely anyways. |
But it's still a weird situation, and something doesn't feel right. You're basically saying that if a container is being run as non-root (non-Administrator in our case), they're not able to write in an emptyDir volume? IMO, that totally defeats the purpose of the emptyDir voume in the first place. That sounds like an issue to me, and we should also investigate it further. Can you replicate the same issue in a Linux Pod? Does the same thing happens there as well? |
On Linux the emptyDir directories are created with
apiVersion: v1
kind: Pod
metadata:
name: test-pd
spec:
securityContext:
runAsUser: 1004
containers:
- image: busybox:latest
name: test-container
command: ["/bin/sh"]
args: ["-c", "ls -alh /cache; touch /cache/test; ls -alh /cache; while true; do sleep 86400; done"]
volumeMounts:
- mountPath: /cache
name: cache-volume
volumes:
- name: cache-volume
emptyDir: {} I created a user with I'm not sure if this means there's a bug in Windows/Kubernetes/Docker where it should be putting the same |
Thanks for trying it out. It seems that, if no Medium is specified, the emptyDir defaults to the scratch disk. It is interesting that on Linux the permissions are 777, but it sounds right. IMO, it is a bug, since this is an unexpected behaviour, but I'm not sure who causes this bug (Windows / Kubelet / Docker). Either way, this is something we'll have to look into for v1.15, especially for the RunAsUsername feature. @PatrickLang, what are your thoughts on this? |
Relevant to this: kubernetes/kubernetes@5394aa9 Another thing I noticed while testing this: the |
I just read https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/container-storage The default users are different on "server core" and and "nano server" images. Probably a known fact, but pointing it out in case anyone's wondering.
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
Rotten issues close after 30d of inactivity. Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
@fejta-bot: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Should we fix this issue or it is the expected spec? |
/remove-lifecycle rotten |
/reopen |
@jingxu97: Failed to re-open PR: state cannot be changed. The repository that submitted this pull request has been deleted. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Just use the default, which is ContainerAdministrator
@BCLAU