-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add warning about root user in images #6414
Conversation
@@ -498,7 +498,10 @@ func (c *AppConfig) inferBuildTypes(components app.ComponentReferences) (app.Com | |||
case input.ResolvedMatch.Score != 0.0: | |||
errs = append(errs, fmt.Errorf("component %q had only a partial match of %q - if this is the value you want to use, specify it explicitly", input.From, input.ResolvedMatch.Name)) | |||
continue | |||
case input.ResolvedMatch.Image != nil && (len(input.ResolvedMatch.Image.Config.User) == 0 || input.ResolvedMatch.Image.Config.User == "root"): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should we also check for the value "0" here too?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
good call.
62b5053
to
ac83a8a
Compare
@smarterclayton ptal. |
@@ -498,6 +498,8 @@ func (c *AppConfig) inferBuildTypes(components app.ComponentReferences) (app.Com | |||
case input.ResolvedMatch.Score != 0.0: | |||
errs = append(errs, fmt.Errorf("component %q had only a partial match of %q - if this is the value you want to use, specify it explicitly", input.From, input.ResolvedMatch.Name)) | |||
continue | |||
case input.ResolvedMatch.Image != nil && (len(input.ResolvedMatch.Image.Config.User) == 0 || input.ResolvedMatch.Image.Config.User == "root" || input.ResolvedMatch.Image.Config.User == "0"): | |||
glog.Warningf("Image %q runs as the 'root' user which may not be permitted by your OpenShift cluster configuration", input.ResolvedMatch.Name) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can't say OpenShift, this could be in AEP. "may be restricted by your cluster administrator". I think we might want to mention SCCs somehow - hard to say for sure.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hrm - this shouldn't be here - this should be in the describe function.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We stopped printing these errors here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we don't call describe when dumping yaml, so you don't want a warning if they are outputting to yaml/json?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nope.
@smarterclayton well i moved it to describe, but you're going to get a warning under the following condition: you specify a docker type build with an image that "runs as root" and your dockerfile for the build sets the USER to non-root meaning the image that actually gets deployed isn't going to be running as root. |
[test] |
@smarterclayton @csrwng ptal. |
@@ -143,6 +143,9 @@ func describeBuildPipelineWithImage(out io.Writer, ref app.ComponentReference, p | |||
fmt.Fprintf(out, " * This image declares volumes and will default to use non-persistent, host-local storage.\n") | |||
fmt.Fprintf(out, " You can add persistent volumes later by running 'volume dc/%s --add ...'\n", pipeline.Deployment.Name) | |||
} | |||
if pipeline.Image.Info != nil && (len(pipeline.Image.Info.Config.User) == 0 || pipeline.Image.Info.Config.User == "root" || pipeline.Image.Info.Config.User == "0") { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
do we want to give you a separate warning text for len(user) == 0 (technically it's not the same as specifying user root)... and given that we'll run you with an arbitrary user, maybe it's what's preferred?
Also if you do specify a specific user ... say 1001. Do we want to let you know that we won't run you with the user specified in your image?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i'm going to remove the len==0 check, not sure why i put that in, as you say, it doesn't necessarily mean root.
and no, we don't want a warning for if they specified a specific(non-root) user. I would assume (almost?) every image specifies a specific user, either root or something else.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
check re-added per discussion.
LGTM |
[merge] |
Evaluated for origin test up to d44d1bb |
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_requests_origin/8221/) |
[merge] |
3 similar comments
[merge] |
[merge] |
[merge] |
[merge] |
[merge] |
1 similar comment
[merge] |
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_requests_origin/8221/) (Image: devenv-rhel7_3101) |
[merge] |
Evaluated for origin merge up to d44d1bb |
addresses part of #6348