
Re: MustRunAsRange vs MustRunAsNonRoot



Note that defaulting and limits are two separate passes, so even if you have access to a less restricted SCC/PSP you may be defaulted to a more restrictive one.

If you set the uid on the container directly (so that defaulting is bypassed) you should see it take effect.

On May 20, 2017, at 10:19 AM, Andrew Lau <andrew andrewklau com> wrote:

On Sat, 20 May 2017 at 23:51 Ben Parees <bparees redhat com> wrote:
On Sat, May 20, 2017 at 9:41 AM, Andrew Lau <andrew andrewklau com> wrote:
Thanks, that clarifies it a bit more.

What relationship do these UIDs have to the `docker run --user` parameter?

it should be basically the same behavior.

What confuses me still is with MustRunAsRange I can start a Docker container that has no USER (ie. root). However if I go to run that same image on Docker natively with something like `docker run --user=1001 redis` it'll run into permission errors.

If you oc rsh into the container on openshift and run "whoami", what user is it running as?

I get the range uid as expected:
whoami 
whoami: unknown uid 1000870000

touch /data/test (works)

ls -l / 
drwxrwsrwx 2 root 10008700 17 May 20 14:07 data

Now docker run

docker run --user=1000870000 redis:alpine 
touch /data/test 
touch: asd: Permission denied

ls -l /
drwxr-xr-x    2 redis    redis            6 May 20 14:09 data

This permission denied only affects VOLUMES, so I'm assuming openshift will update the volume ownership to match the range user.




On Sat, 20 May 2017 at 23:11 Clayton Coleman <ccoleman redhat com> wrote:
Range means that the uid will be defaulted and limited to the range
specified on the namespace (scc.sa.uid).  The default is the first
element in the range.

NonRoot may not apply defaulting (although technically it could), and
simply requires that the container have a non zero, numeric uid.
Defaulting is a little special here - we don't default in the API, but
instead wait until the container image is pulled.  If the image has a
user > 0 (numeric) it'll be allowed through, otherwise the pod should
be failed.

Now that we have the image resolver, it would certainly be possible to
do that calculation via image resolution and report it to get early
rejection.

> On May 20, 2017, at 6:27 AM, Andrew Lau <andrew andrewklau com> wrote:
>
> I'm looking to find some clarification on the difference between MustRunAsRange vs MustRunAsNonRoot
>
> MustRunAsRange seems to be the cluster default, this allow containers to run even if they are not having the USER definition
>
> Many pages seem to tout OpenShift does not run containers as root, and the web console also suggests it may be blocked but still lets them run.
>
> Thanks
>
>
> _______________________________________________
> users mailing list
> users lists openshift redhat com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users


--
Ben Parees | OpenShift
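The two-pass behaviour described in this thread (defaulting first, then limits, with MustRunAsNonRoot deferring its decision until the image is pulled) and the volume-ownership difference Andrew observed can be modelled in a few lines. The following is an added illustration written for this page, not OpenShift's or Kubernetes' own admission code; the `Scc`/`PodSpec` names, the 1000870000-1000879999 range, the assumed `fsGroup` of 1000870000 on the OpenShift volume, and the assumed uid/gid of the `redis` user in `redis:alpine` (999) are all constructed for the example. It goes slightly beyond the thread by also showing an explicitly set `runAsUser` that falls outside the range and a pod that asks for uid 0 under MustRunAsNonRoot.

```python
"""Model of SCC run-as-user strategies and their effect on volume access.

Added example for this thread, not OpenShift's own implementation.
"""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Scc:
    strategy: str                  # "MustRunAsRange" or "MustRunAsNonRoot"
    uid_min: Optional[int] = None  # range bounds (what the thread calls scc.sa.uid)
    uid_max: Optional[int] = None


@dataclass(frozen=True)
class PodSpec:
    run_as_user: Optional[int] = None  # securityContext.runAsUser set by the author


def admit_at_api(scc: Scc, pod: PodSpec) -> Tuple[Optional[int], str]:
    """First pass, at admission time: defaulting, then validation.

    Returns (effective_uid, verdict) with verdict one of
    'admitted', 'rejected', or 'deferred' (decided only after the image is pulled).
    """
    uid = pod.run_as_user
    if scc.strategy == "MustRunAsRange":
        if uid is None:
            uid = scc.uid_min  # the default is the first element of the range
        # an explicitly set uid bypasses defaulting but is still bounded by the range
        if not (scc.uid_min <= uid <= scc.uid_max):
            return uid, "rejected"
        return uid, "admitted"
    if scc.strategy == "MustRunAsNonRoot":
        if uid is None:
            return None, "deferred"  # no defaulting in the API; wait for the image
        return (uid, "admitted") if uid > 0 else (uid, "rejected")
    raise ValueError(f"unknown strategy {scc.strategy!r}")


def admit_at_pull(image_user: Optional[int]) -> Tuple[Optional[int], str]:
    """Second pass for MustRunAsNonRoot when runAsUser was left unset.

    image_user is the numeric USER from the pulled image; None models an image
    with no USER directive (i.e. root). Only a non-zero numeric uid is allowed.
    """
    if image_user is None or image_user == 0:
        return None, "rejected"
    return image_user, "admitted"


def can_write(uid: int, gids: Sequence[int], owner: int, group: int, mode: int) -> bool:
    """POSIX discretionary write check for a directory (no ACLs, no capabilities)."""
    if uid == 0:
        return True
    if uid == owner:
        return bool(mode & 0o200)
    if group in gids:
        return bool(mode & 0o020)
    return bool(mode & 0o002)


# Constructed scenario mirroring the thread: range-defaulted uid on OpenShift,
# where the volume is group-owned by the pod's fsGroup (assumed 1000870000)
# with mode drwxrwsrwx (0o2777) as in the posted listing.
OPENSHIFT_SCC = Scc("MustRunAsRange", 1000870000, 1000879999)
OPENSHIFT_VOLUME = dict(owner=0, group=1000870000, mode=0o2777)

# Constructed scenario for plain `docker run --user=1000870000 redis:alpine`:
# /data stays owned by the image's redis user (assumed uid/gid 999), mode 0o755,
# and the process gets no supplemental group that matches it (assumed gid 0).
DOCKER_VOLUME = dict(owner=999, group=999, mode=0o755)


def openshift_volume_writable() -> bool:
    uid, verdict = admit_at_api(OPENSHIFT_SCC, PodSpec())
    assert verdict == "admitted"
    return can_write(uid, [uid], **OPENSHIFT_VOLUME)   # True: group bit via fsGroup


def docker_volume_writable() -> bool:
    return can_write(1000870000, [0], **DOCKER_VOLUME)  # False: "Permission denied"


if __name__ == "__main__":
    print("OpenShift /data writable:", openshift_volume_writable())
    print("docker --user /data writable:", docker_volume_writable())
    print(admit_at_api(Scc("MustRunAsNonRoot"), PodSpec()), admit_at_pull(None))
```

The model only captures the ordering the thread describes (default, then validate; NonRoot checks the image's numeric USER after pull) and the plain POSIX mode bits that make the OpenShift volume writable; it does not attempt SELinux labels, capabilities, or the per-namespace range annotations themselves.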

