
Re: MustRunAsRange vs MustRunAsNonRoot



Thanks, that clarifies it a bit more.

What relationship do these UIDs have to the `docker run --user` parameter?

What confuses me still is that with MustRunAsRange I can start a Docker container that has no USER (i.e. root). However, if I go to run that same image on Docker natively with something like `docker run --user=1001 redis` it'll run into permission errors.

On Sat, 20 May 2017 at 23:11 Clayton Coleman <ccoleman redhat com> wrote:
Range means that the uid will be defaulted and limited to the range
specified on the namespace (scc.sa.uid).  The default is the first
element in the range.

NonRoot may not apply defaulting (although technically it could), and
simply requires that the container have a non zero, numeric uid.
Defaulting is a little special here - we don't default in the API, but
instead wait until the container image is pulled.  If the image has a
user > 0 (numeric) it'll be allowed through, otherwise the pod should
be failed.

Now that we have the image resolver, it would certainly be possible to
do that calculation via image resolution and report it to get early
rejection.

> On May 20, 2017, at 6:27 AM, Andrew Lau <andrew andrewklau com> wrote:
>
> I'm looking to find some clarification on the difference between MustRunAsRange vs MustRunAsNonRoot
>
> MustRunAsRange seems to be the cluster default; this allows containers to run even if they do not have the USER definition
>
> Many pages seem to tout OpenShift does not run containers as root, and the web console also suggests it may be blocked but still lets them run.
>
> Thanks
>
>
> _______________________________________________
> users mailing list
> users lists openshift redhat com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
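The two strategies Clayton describes above, written out as a small model so the difference is concrete: MustRunAsRange decides the uid at admission time (defaulting to the first element of the namespace range and rejecting anything outside it), while MustRunAsNonRoot defers to the pulled image and only accepts a numeric, non-zero USER. This is an added example, not OpenShift's own admission code. It assumes the namespace carries a `start/size` uid range in the `openshift.io/sa.scc.uid-range` annotation (the annotation the thread calls `scc.sa.uid`), and the image `USER` value is passed in as the string from the image config.

```python
"""Model of the SCC run-as-user strategies discussed in the thread.

Added example, not OpenShift code. The namespace annotation format
("start/size") follows OpenShift's openshift.io/sa.scc.uid-range.
"""
from typing import Optional

UID_RANGE_ANNOTATION = "openshift.io/sa.scc.uid-range"


class AdmissionError(Exception):
    """Raised when the pod would be rejected (or failed after image pull)."""


def parse_uid_range(ns_annotations: dict) -> range:
    """Parse "start/size" from the namespace annotation into a Python range."""
    raw = ns_annotations[UID_RANGE_ANNOTATION]  # e.g. "1000000000/10000"
    start_s, size_s = raw.split("/")
    start, size = int(start_s), int(size_s)
    if start < 0 or size <= 0:
        raise ValueError(f"invalid uid range annotation: {raw!r}")
    return range(start, start + size)


def admit_must_run_as_range(requested_uid: Optional[int], ns_annotations: dict) -> int:
    """API-time decision: default to the first uid in the range, else validate."""
    allowed = parse_uid_range(ns_annotations)
    if requested_uid is None:
        return allowed.start  # defaulting: first element of the range
    if requested_uid not in allowed:
        raise AdmissionError(
            f"runAsUser {requested_uid} is outside {allowed.start}-{allowed[-1]}"
        )
    return requested_uid


def admit_must_run_as_non_root(requested_uid: Optional[int]) -> Optional[int]:
    """API-time decision: no defaulting; only an explicit uid 0 is rejected here."""
    if requested_uid == 0:
        raise AdmissionError("runAsUser 0 is not allowed by MustRunAsNonRoot")
    return requested_uid


def resolve_after_image_pull(effective_uid: Optional[int], image_user: Optional[str]) -> int:
    """Kubelet-time check for MustRunAsNonRoot: the image USER must be a
    numeric, non-zero uid when the pod spec did not set one."""
    if effective_uid is not None:
        return effective_uid
    if image_user is None or image_user == "":
        raise AdmissionError("image has no USER, so it would run as root")
    uid_part = image_user.split(":", 1)[0]  # USER may be "uid:gid"
    if not uid_part.isdigit():
        raise AdmissionError(f"image USER {image_user!r} is not numeric")
    uid = int(uid_part)
    if uid == 0:
        raise AdmissionError("image USER is 0 (root)")
    return uid


def resolve_run_as_user(
    strategy: str,
    requested_uid: Optional[int],
    image_user: Optional[str],
    ns_annotations: dict,
) -> int:
    """Return the uid the container would run as, or raise AdmissionError."""
    if strategy == "MustRunAsRange":
        # Image USER is irrelevant: the range uid is injected regardless.
        return admit_must_run_as_range(requested_uid, ns_annotations)
    if strategy == "MustRunAsNonRoot":
        uid = admit_must_run_as_non_root(requested_uid)
        return resolve_after_image_pull(uid, image_user)
    raise ValueError(f"unknown strategy {strategy!r}")


if __name__ == "__main__":
    # Constructed sample namespace annotation.
    ns = {UID_RANGE_ANNOTATION: "1000000000/10000"}
    # An image with no USER (root) is still admitted under MustRunAsRange.
    print(resolve_run_as_user("MustRunAsRange", None, None, ns))
    # The same image is failed under MustRunAsNonRoot.
    try:
        resolve_run_as_user("MustRunAsNonRoot", None, None, ns)
    except AdmissionError as exc:
        print("rejected:", exc)
```

The first call shows why a root-only image starts fine under the default MustRunAsRange: the range uid is applied whether or not the image declares a USER. The second shows the NonRoot path waiting for the image USER and failing the pod when it is absent, non-numeric, or 0.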
