add warning about root user in images #6414
Conversation
| @@ -498,7 +498,10 @@ func (c *AppConfig) inferBuildTypes(components app.ComponentReferences) (app.Com | |||
| case input.ResolvedMatch.Score != 0.0: | |||
| errs = append(errs, fmt.Errorf("component %q had only a partial match of %q - if this is the value you want to use, specify it explicitly", input.From, input.ResolvedMatch.Name)) | |||
| continue | |||
| case input.ResolvedMatch.Image != nil && (len(input.ResolvedMatch.Image.Config.User) == 0 || input.ResolvedMatch.Image.Config.User == "root"): | |||
There was a problem hiding this comment.
should we also check for the value "0" here too?
bparees
force-pushed
the
user_check
branch
4 times, most recently
from
62b5053
to
ac83a8a
Compare
|
@smarterclayton ptal. |
| @@ -498,6 +498,8 @@ func (c *AppConfig) inferBuildTypes(components app.ComponentReferences) (app.Com | |||
| case input.ResolvedMatch.Score != 0.0: | |||
| errs = append(errs, fmt.Errorf("component %q had only a partial match of %q - if this is the value you want to use, specify it explicitly", input.From, input.ResolvedMatch.Name)) | |||
| continue | |||
| case input.ResolvedMatch.Image != nil && (len(input.ResolvedMatch.Image.Config.User) == 0 || input.ResolvedMatch.Image.Config.User == "root" || input.ResolvedMatch.Image.Config.User == "0"): | |||
| glog.Warningf("Image %q runs as the 'root' user which may not be permitted by your OpenShift cluster configuration", input.ResolvedMatch.Name) | |||
There was a problem hiding this comment.
Can't say OpenShift, this could be in AEP. "may be restricted by your cluster administrator". I think we might want to mention SCCs somehow - hard to say for sure.
There was a problem hiding this comment.
Hrm - this shouldn't be here - this should be in the describe function.
There was a problem hiding this comment.
We stopped printing these errors here.
There was a problem hiding this comment.
we don't call describe when dumping yaml, so you don't want a warning if they are outputting to yaml/json?
|
@smarterclayton well i moved it to describe, but you're going to get a warning under the following condition: you specify a docker type build with an image that "runs as root" and your dockerfile for the build sets the USER to non-root meaning the image that actually gets deployed isn't going to be running as root. |
|
[test] |
|
@smarterclayton @csrwng ptal. |
| @@ -143,6 +143,9 @@ func describeBuildPipelineWithImage(out io.Writer, ref app.ComponentReference, p | |||
| fmt.Fprintf(out, " * This image declares volumes and will default to use non-persistent, host-local storage.\n") | |||
| fmt.Fprintf(out, " You can add persistent volumes later by running 'volume dc/%s --add ...'\n", pipeline.Deployment.Name) | |||
| } | |||
| if pipeline.Image.Info != nil && (len(pipeline.Image.Info.Config.User) == 0 || pipeline.Image.Info.Config.User == "root" || pipeline.Image.Info.Config.User == "0") { | |||
There was a problem hiding this comment.
do we want to give you a separate warning text for len(user) == 0 (technically it's not the same as specifying user root)... and given that we'll run you with an arbitrary user, maybe it's what's preferred?
Also if you do specify a specific user ... say 1001. Do we want to let you know that we won't run you with the user specified in your image?
There was a problem hiding this comment.
i'm going to remove the len==0 check, not sure why i put that in, as you say, it doesn't necessarily mean root.
and no, we don't want a warning for if they specified a specific(non-root) user. I would assume (almost?) every image specifies a specific user, either root or something else.
There was a problem hiding this comment.
check re-added per discussion.
|
LGTM |
|
[merge] |
|
Evaluated for origin test up to d44d1bb |
|
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_requests_origin/8221/) |
|
[merge] |
3 similar comments
|
[merge] |
|
[merge] |
|
[merge] |
|
[merge] |
|
[merge] |
1 similar comment
|
[merge] |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_requests_origin/8221/) (Image: devenv-rhel7_3101) |
|
[merge] |
|
Evaluated for origin merge up to d44d1bb |
addresses part of #6348