Skip to content

Set user and group in security context #1083

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Sep 15, 2020
Merged

Set user and group in security context #1083

merged 3 commits into from
Sep 15, 2020

Conversation

ricoberger
Copy link
Contributor

Since version 1.6-p3 of the Spilo image it is possible to run the processes inside the container without root privileges. This PR introduces two new options, so a user can run the container without root and without the need to build a custom image.

The two new options for the security context, can be set via ConfigMap or the CR:

  • spiloRunAsUser / spilo_runasuser: Set the user ID in the security context
  • spiloRunAsGroup / spilo_runasGroup: Set the group ID in the security context

This PR addresses #1052.

@ricoberger
Copy link
Contributor Author

Hi, is there any chance to get this merged or will there be another way to run the container without root privileges, besides building a custom image?

@joschi36 joschi36 mentioned this pull request Sep 10, 2020
Closed
Jan-M
Jan-M reviewed Sep 10, 2020
View reviewed changes
pkg/cluster/k8sres.go
initContainers,
sidecarContainers,
&tolerationSpec,
effectiveRunAsUser,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My only concern is here, this seems to set runAsUser and runAsGroup to the new 101/103 combination by default.

I will have to understand what this was/is before.

Jan-M
Jan-M reviewed Sep 10, 2020
View reviewed changes
pkg/cluster/k8sres_test.go
var err error
var spec acidv1.PostgresSpec
var cluster *Cluster
var spiloRunAsUser = int64(101)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As above, while for users with the spec.fsGroup set this may be or have been the default for everyone not using fsGroup spec this seems to change the default from former root(0) to 101 uid.

@ricoberger
Copy link
Contributor Author

Hi @Jan-M, thanks for the review. I think the default will still be, that the container runs as root, but maybe I missed something in my tests. I used the ./run_operator_locally.sh --rebuild-operator command and the following test cases, to test the changes.

Test 1: Apply the default minimal-postgres-manifest.yaml manifest, which is the same for the master branch and my branch:

Manifest 
apiVersion: "acid.zalan.do/v1"
kind: postgresql
metadata:
  name: acid-minimal-cluster
  namespace: default
spec:
  teamId: "acid"
  volume:
    size: 1Gi
  numberOfInstances: 1
  users:
    zalando:  # database owner
    - superuser
    - createdb
    foo_user: []  # role for application foo
  databases:
    foo: zalando  # dbname: owner
  preparedDatabases:
    bar: {}
  postgresql:
    version: "12"
Postgres Container 
root@acid-minimal-cluster-0:/home/postgres# id
uid=0(root) gid=0(root) groups=0(root)

root@acid-minimal-cluster-0:/home/postgres# ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 19:12 ?        00:00:00 /usr/bin/dumb-init -c --rewrite 1:0 -- /bin/sh /launch.sh
root         6     1  0 19:12 ?        00:00:00 /bin/sh /launch.sh
root        29     6  0 19:12 ?        00:00:00 /usr/bin/runsvdir -P /etc/service
root        30    29  0 19:12 ?        00:00:00 runsv pgqd
root        31    29  0 19:12 ?        00:00:00 runsv patroni
postgres    32    30  0 19:12 ?        00:00:00 /usr/bin/pgqd /home/postgres/pgq_ticker.ini
postgres    33    31  0 19:12 ?        00:00:00 /usr/bin/python3 /usr/local/bin/patroni /home/postgres/postgres.yml
postgres    77     1  0 19:12 ?        00:00:00 /usr/lib/postgresql/12/bin/postgres -D /home/postgres/pgdata/pgroot/data --config-file=/home/postgres/pgdata/pgroot/data/postgresql.conf --listen_addresses=* --port=5432 --cluster_name=acid-minima
postgres    79    77  0 19:12 ?        00:00:00 postgres: acid-minimal-cluster: logger
postgres    81    77  0 19:12 ?        00:00:00 postgres: acid-minimal-cluster: bg_mon
postgres    85    77  0 19:12 ?        00:00:00 postgres: acid-minimal-cluster: checkpointer
postgres    86    77  0 19:12 ?        00:00:00 postgres: acid-minimal-cluster: background writer
postgres    87    77  0 19:12 ?        00:00:00 postgres: acid-minimal-cluster: walwriter
postgres    88    77  0 19:12 ?        00:00:00 postgres: acid-minimal-cluster: autovacuum launcher
postgres    89    77  0 19:12 ?        00:00:00 postgres: acid-minimal-cluster: archiver
postgres    90    77  0 19:12 ?        00:00:00 postgres: acid-minimal-cluster: stats collector
postgres    91    77  0 19:12 ?        00:00:00 postgres: acid-minimal-cluster: pg_cron scheduler
postgres    93    77  0 19:12 ?        00:00:00 postgres: acid-minimal-cluster: TimescaleDB Background Worker Launcher
postgres    94    77  0 19:12 ?        00:00:00 postgres: acid-minimal-cluster: logical replication launcher
postgres    97    77  0 19:12 ?        00:00:00 postgres: acid-minimal-cluster: postgres postgres [local] idle
root       215     0  0 19:13 pts/0    00:00:00 bash
root       268   215  0 19:15 pts/0    00:00:00 ps -ef

Test 2: Apply the minimal-postgres-manifest.yaml manifest and add spiloFSGroup: 103:

Manifest 
apiVersion: "acid.zalan.do/v1"
kind: postgresql
metadata:
  name: acid-minimal-cluster
  namespace: default
spec:
  teamId: "acid"
  volume:
    size: 1Gi
  numberOfInstances: 1
  spiloFSGroup: 103
  users:
    zalando:  # database owner
    - superuser
    - createdb
    foo_user: []  # role for application foo
  databases:
    foo: zalando  # dbname: owner
  preparedDatabases:
    bar: {}
  postgresql:
    version: "12"
Postgres Container 
root@acid-minimal-cluster-0:/home/postgres# id
uid=0(root) gid=0(root) groups=0(root),103(postgres)

root@acid-minimal-cluster-0:/home/postgres# ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 19:27 ?        00:00:00 /usr/bin/dumb-init -c --rewrite 1:0 -- /bin/sh /launch.sh
root         6     1  0 19:27 ?        00:00:00 /bin/sh /launch.sh
root        29     6  0 19:27 ?        00:00:00 /usr/bin/runsvdir -P /etc/service
root        30    29  0 19:27 ?        00:00:00 runsv patroni
root        31    29  0 19:27 ?        00:00:00 runsv pgqd
postgres    32    30  1 19:27 ?        00:00:00 /usr/bin/python3 /usr/local/bin/patroni /home/postgres/postgres.yml
postgres    33    31  0 19:27 ?        00:00:00 /bin/bash /scripts/patroni_wait.sh --role master -- /usr/bin/pgqd /home/postgres/pgq_ticker.ini
postgres    45    33  0 19:27 ?        00:00:00 sleep 60
postgres    77     1  0 19:27 ?        00:00:00 /usr/lib/postgresql/12/bin/postgres -D /home/postgres/pgdata/pgroot/data --config-file=/home/postgres/pgdata/pgroot/data/postgresql.conf --listen_addresses=* --port=5432 --cluster_name=acid-minima
postgres    79    77  0 19:27 ?        00:00:00 postgres: acid-minimal-cluster: logger
postgres    81    77  0 19:27 ?        00:00:00 postgres: acid-minimal-cluster: bg_mon
postgres    85    77  0 19:27 ?        00:00:00 postgres: acid-minimal-cluster: checkpointer
postgres    86    77  0 19:27 ?        00:00:00 postgres: acid-minimal-cluster: background writer
postgres    87    77  0 19:27 ?        00:00:00 postgres: acid-minimal-cluster: walwriter
postgres    88    77  0 19:27 ?        00:00:00 postgres: acid-minimal-cluster: autovacuum launcher
postgres    89    77  0 19:27 ?        00:00:00 postgres: acid-minimal-cluster: archiver
postgres    90    77  0 19:27 ?        00:00:00 postgres: acid-minimal-cluster: stats collector
postgres    91    77  0 19:27 ?        00:00:00 postgres: acid-minimal-cluster: pg_cron scheduler
postgres    92    77  0 19:27 ?        00:00:00 postgres: acid-minimal-cluster: TimescaleDB Background Worker Launcher
postgres    93    77  0 19:27 ?        00:00:00 postgres: acid-minimal-cluster: logical replication launcher
postgres    97    77  0 19:27 ?        00:00:00 postgres: acid-minimal-cluster: postgres postgres [local] idle
root       188     0  0 19:27 pts/0    00:00:00 bash
root       242   188  0 19:28 pts/0    00:00:00 ps -ef

Test 3: Apply the minimal-postgres-manifest.yaml manifest and add spiloRunAsUser: 101, spiloRunAsGroup: 103 and spiloFSGroup: 103:

Manifest 
apiVersion: "acid.zalan.do/v1"
kind: postgresql
metadata:
  name: acid-minimal-cluster
  namespace: default
spec:
  teamId: "acid"
  volume:
    size: 1Gi
  numberOfInstances: 1
  spiloRunAsUser: 101
  spiloRunAsGroup: 103
  spiloFSGroup: 103
  users:
    zalando:  # database owner
    - superuser
    - createdb
    foo_user: []  # role for application foo
  databases:
    foo: zalando  # dbname: owner
  preparedDatabases:
    bar: {}
  postgresql:
    version: "12"
Postgres Container 
postgres@acid-minimal-cluster-0:~$ id
uid=101(postgres) gid=103(postgres) groups=103(postgres)
postgres@acid-minimal-cluster-0:~$ ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
postgres     1     0  0 19:34 ?        00:00:00 /usr/bin/dumb-init -c --rewrite 1:0 -- /bin/sh /launch.sh
postgres     6     1  0 19:34 ?        00:00:00 /bin/sh /launch.sh
postgres    33     6  0 19:34 ?        00:00:00 /usr/bin/runsvdir -P /etc/service
postgres    34    33  0 19:34 ?        00:00:00 runsv patroni
postgres    35    33  0 19:34 ?        00:00:00 runsv pgqd
postgres    36    35  0 19:34 ?        00:00:00 /usr/bin/pgqd /home/postgres/pgq_ticker.ini
postgres    37    34  0 19:34 ?        00:00:00 /usr/bin/python3 /usr/local/bin/patroni /home/postgres/postgres.yml
postgres    81     1  0 19:34 ?        00:00:00 /usr/lib/postgresql/12/bin/postgres -D /home/postgres/pgdata/pgroot/data --config-file=/home/postgres/pgdata/pgroot/data/postgresql.conf --listen_addresses=* --port=5432 --cluster_name=acid-minima
postgres    82    81  0 19:34 ?        00:00:00 postgres: acid-minimal-cluster: logger
postgres    84    81  0 19:34 ?        00:00:00 postgres: acid-minimal-cluster: bg_mon
postgres    88    81  0 19:34 ?        00:00:00 postgres: acid-minimal-cluster: checkpointer
postgres    89    81  0 19:34 ?        00:00:00 postgres: acid-minimal-cluster: background writer
postgres    90    81  0 19:34 ?        00:00:00 postgres: acid-minimal-cluster: walwriter
postgres    91    81  0 19:34 ?        00:00:00 postgres: acid-minimal-cluster: autovacuum launcher
postgres    92    81  0 19:34 ?        00:00:00 postgres: acid-minimal-cluster: archiver
postgres    93    81  0 19:34 ?        00:00:00 postgres: acid-minimal-cluster: stats collector
postgres    94    81  0 19:34 ?        00:00:00 postgres: acid-minimal-cluster: pg_cron scheduler
postgres    95    81  0 19:34 ?        00:00:00 postgres: acid-minimal-cluster: TimescaleDB Background Worker Launcher
postgres    96    81  0 19:34 ?        00:00:00 postgres: acid-minimal-cluster: logical replication launcher
postgres   101    81  0 19:34 ?        00:00:00 postgres: acid-minimal-cluster: postgres postgres [local] idle
postgres   252     0  0 19:36 pts/0    00:00:00 bash
postgres   267   252  0 19:36 pts/0    00:00:00 ps -ef

@Jan-M
Copy link
Member

Jan-M commented Sep 11, 2020
edited
Loading

You are right, looks good to me. I got confused by the test case in there, fiddling with the default.

@Jan-M
Copy link
Member

Jan-M commented Sep 11, 2020

👍

@Jan-M
Copy link
Member

Jan-M commented Sep 11, 2020

@ricoberger Thanks for the detailed answer showing the different configurations and the output.

@sdudoladov
Copy link
Member

👍

@sdudoladov sdudoladov merged commit d09e418 into zalando:master Sep 15, 2020
@sdudoladov
Copy link
Member

thank you for the contribution, @ricoberger

marcoslarsen added a commit to marcoslarsen/postgres-operator that referenced this pull request Jan 5, 2021
@marcoslarsen
Patch v1.5.0 to set user and group in security context (zalando#1083)
7a654da
@marcoslarsen marcoslarsen mentioned this pull request Jan 5, 2021
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Jan-M Jan-M Jan-M left review comments

@avaczi avaczi Awaiting requested review from avaczi

@CyberDem0n CyberDem0n Awaiting requested review from CyberDem0n

@erthalion erthalion Awaiting requested review from erthalion

@FxKu FxKu Awaiting requested review from FxKu FxKu is a code owner

@RafiaSabih RafiaSabih Awaiting requested review from RafiaSabih

@sdudoladov sdudoladov Awaiting requested review from sdudoladov sdudoladov is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ricoberger @Jan-M @sdudoladov