
mount volumes for tmp directories, apply best practice to sc #38

Merged
merged 8 commits into from
Nov 29, 2023

Conversation

machisuji
Member

@machisuji machisuji commented Nov 16, 2023

  • currently trying two ways of creating tmp volumes for /app/tmp and /tmp respectively to allow for read-only root file systems
      • emptyDir
      • ephemeral volume

At least on minikube both have problems with wrong permissions (world write access without sticky bit) which makes it unusable because Ruby will complain with the following.

irb(main):001:0> Dir.tmpdir
system temporary path is world-writable: /tmp
/tmp is world-writable: /tmp
=> "/app"

Where /app is of course not writable and shouldn't be used to begin with.

I'm looking into the issue and will try to reproduce it on my OpenShift cluster.
If it's an issue specific to minikube we may not have a problem.

Edit: it works fine on my OpenShift cluster. So it might really just be a minikube bug.
Will try this on another cluster to confirm, though.
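An added example, not code from this PR or the chart: a Ruby pre-flight check that applies the same three criteria Ruby's own `Dir.tmpdir` (lib/tmpdir.rb) uses when it picks a temporary directory, so an operator can verify a mounted tmp volume before the app starts rather than discovering the "is world-writable" warning at runtime. The helper names `tmpdir_check` and `tmpdir_report` are hypothetical, and the /app/tmp path is taken from the comment above.

```ruby
# Added example (not from the PR). Mirrors the acceptance test Ruby's
# Dir.tmpdir runs on each candidate directory: it must be a directory,
# writable by the current user, and not world-writable unless the sticky
# bit is set. A volume that fails the last test is exactly what produced
# the "system temporary path is world-writable: /tmp" warning above.
require 'tmpdir'

# Returns :ok when Ruby would accept +dir+ as a temporary directory,
# otherwise a symbol naming the first failing criterion.
def tmpdir_check(dir)
  stat = File.stat(File.expand_path(dir))
  return :not_a_directory unless stat.directory?
  return :not_writable unless stat.writable?
  # world_writable? returns the mode (truthy) when "others" may write;
  # sticky? is true when mode 01000 is set (e.g. 1777 like a normal /tmp).
  return :world_writable if stat.world_writable? && !stat.sticky?
  :ok
rescue Errno::ENOENT
  :missing
end

# Check every directory a Rails app on a read-only root filesystem needs:
# the system /tmp plus the application's own tmp directory (assumed path).
def tmpdir_report(dirs = ['/tmp', '/app/tmp'])
  dirs.to_h { |d| [d, tmpdir_check(d)] }
end

if __FILE__ == $0
  tmpdir_report.each { |dir, result| puts "#{dir}: #{result}" }
end
```

A mount reported as :world_writable needs the sticky bit (mode 1777) or tighter permissions (for example 0700 owned by the app user) before Ruby will use it.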

@machisuji machisuji marked this pull request as ready for review November 16, 2023 16:45

changeset-bot bot commented Nov 29, 2023

🦋 Changeset detected

Latest commit: 5b59709

The changes in this PR will be included in the next version bump.


@machisuji machisuji force-pushed the maintenance/security-context-and-tmp-directories branch from 893eac0 to 25bcde7 Compare November 29, 2023 12:35
@machisuji machisuji force-pushed the maintenance/security-context-and-tmp-directories branch from 25bcde7 to 5dd885a Compare November 29, 2023 12:36
Member

@oliverguenther oliverguenther left a comment


LGTM! Thanks for the extra debugging functionality

@oliverguenther oliverguenther merged commit 7fc8ea3 into main Nov 29, 2023
1 check passed
@oliverguenther oliverguenther deleted the maintenance/security-context-and-tmp-directories branch November 29, 2023 15:54
oliverguenther added a commit that referenced this pull request Nov 29, 2023
* mount volumes for tmp directories, apply best practice to sc

* bump version

* use safe sc for bundled apps (postgres, memcached) too

* use read-only filesystem with mounted tmp volumes unless in development mode

* revert version bump to let this be handled by changeset flow

* amend dev readme

* Create bright-students-eat.md

---------

Co-authored-by: Oliver Günther <mail@oliverguenther.de>