[Feature] - CD Container Image deployment Configuration
Problem We Want to Solve
Certain Kubernetes clusters have reduced privileges for security reasons; we want to make sure the containers we build are compatible with minimal-privilege images. I.e. the following docker run command shows the flags we want to support.
docker run -it \
--user $(shuf -i 10000-20000 -n 1) \
--read-only \
--tmpfs /tmp \
--security-opt no-new-privileges datafed-core:latest
usermod: Permission denied.
usermod: cannot lock /etc/passwd; try again later.
Describe the Solution You'd Like
Removing the chmod and chown commands from the entrypoint file and running as the actual user works.
docker run --env-file .env --user datafed -v $(pwd)/passwd:/etc/passwd:ro --entrypoint /bin/bash --security-opt no-new-privileges -it datafed-core:latest
Change the passwd file to match the user id.
Alternatives (optional)
Additional context
Seeing this error if I run with the host uid
user: ${host_uid}
mkdir: cannot create directory '/datafed/source/config': Permission denied
Because the datafed user is not associated with the host uid.
Seeing a permissions error when I try to write the secret key to a mounted volume when running as the datafed user, because the volume is not owned by the same uid.
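As an added example (illustrative code, not DataFed's own entrypoint or scripts), here is a host-side launcher that puts the pieces from this issue together: it builds the passwd file for a randomly chosen uid so the uid resolves to a user name without usermod, checks on the host that the volume mounted for config is actually owned by that uid (the source of the mkdir and secret-key permission errors), and only then runs the container with the flags listed above. The /datafed/source/config path, the "datafed" user name and the RUN_DATAFED variable are assumptions.

```sh
#!/bin/sh
# Added example: host-side launcher for running datafed-core:latest as a
# random non-root uid on a read-only rootfs. Not DataFed's own code; the
# directory layout, user name and env var names are assumptions.
set -eu

# make_passwd_file UID GID OUT
# Write a minimal passwd file with a "datafed" entry for the chosen uid.
# It is bind-mounted read-only over /etc/passwd, so the uid gets a name
# without running usermod (which fails as non-root on a read-only rootfs).
make_passwd_file() {
  uid=$1; gid=$2; out=$3
  {
    printf 'root:x:0:0:root:/root:/sbin/nologin\n'
    printf 'datafed:x:%s:%s:DataFed service:/datafed:/bin/bash\n' "$uid" "$gid"
  } > "$out"
}

# passwd_has_uid FILE UID -> 0 if some entry carries that numeric uid
passwd_has_uid() {
  awk -F: -v u="$2" '$3 == u { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# dir_owner_uid DIR -> numeric owner uid (ls -n is portable, GNU stat is not)
dir_owner_uid() {
  ls -nd "$1" | awk '{ print $3 }'
}

# check_writable DIR -> 0 if DIR exists and the calling uid can write to it.
# Nothing is chown'ed or chmod'ed: under --user <random uid> that would fail
# just like the usermod error in the issue, so we check and report instead.
check_writable() {
  [ -d "$1" ] && [ -w "$1" ]
}

# prepare_volume DIR UID -> 0 if DIR is owned by UID, creating it when missing.
# Run on the host before docker run; an owner mismatch here is what produces
# "mkdir: cannot create directory" and the secret-key write failure inside.
prepare_volume() {
  dir=$1; uid=$2
  [ -d "$dir" ] || mkdir -p "$dir"
  owner=$(dir_owner_uid "$dir")
  if [ "$owner" != "$uid" ]; then
    echo "volume $dir is owned by uid $owner, not $uid; fix with: sudo chown $uid $dir" >&2
    return 1
  fi
}

# run_hardened UID CONFIG_DIR: the docker run from the issue, plus the two
# mounts that let it work without root inside the container.
run_hardened() {
  uid=$1; config_dir=$2
  docker run -it \
    --user "$uid" \
    --read-only \
    --tmpfs /tmp \
    --security-opt no-new-privileges \
    -v "$PWD/passwd:/etc/passwd:ro" \
    -v "$config_dir:/datafed/source/config" \
    datafed-core:latest
}

# Only launch when explicitly asked, so the helpers can be sourced or tested.
if [ "${RUN_DATAFED:-0}" = 1 ]; then
  uid=$(shuf -i 10000-20000 -n 1)
  make_passwd_file "$uid" "$uid" "$PWD/passwd"
  prepare_volume "$PWD/config" "$uid"
  run_hardened "$uid" "$PWD/config"
fi
```

Usage: `RUN_DATAFED=1 sh launch.sh`. With a random uid the host directory mounted at /datafed/source/config must be chowned to that uid (prepare_volume prints the exact command and refuses to start otherwise); passing `$(id -u)` instead of the shuf result avoids the chown but then the passwd file must carry the host uid, which make_passwd_file handles the same way.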