
Containers are run as root

Open uniqueg opened this issue 3 years ago • 3 comments

The current implementation runs all containers as root. This is not necessary and is a security concern. Refactor to run containers as non-privileged users instead.

uniqueg avatar Nov 06 '21 12:11 uniqueg

Requested by Czech ELIXIR node, see here: https://docs.google.com/spreadsheets/d/1vBFhBQ-nFqhSL5dLjQfOWO6x9BzmV9x6l18p9GYRZdQ/edit#gid=0

Contacts: @xhejtman & @viktoriaas

uniqueg avatar Nov 06 '21 12:11 uniqueg

OpenShift runs them as a non-root user by default, so this should be easy to solve by changing the Helm charts for the Kubernetes templates.

lvarin avatar Nov 08 '21 07:11 lvarin

There is also an issue #113 which appears when an executor is run as a non-root user, and it most probably causes problems with permissions to access files created by a root-run filer. It is not enough to change the user in the container of filer, as it is likely to cause even more issues with file access. The solution would be, as @lvarin suggests, to force securityContext via K8s (runAsUser and something to coordinate file access).

aniewielska avatar Nov 08 '21 13:11 aniewielska
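
The securityContext approach discussed in this thread, sketched as an added example (not TESK's own chart or code): a filer Job and an executor Job that share a PVC run under the same non-root UID and `fsGroup`, so files written by one are accessible to the other. The Job names, images, claim name, mount path and the ID 1000 are all assumptions.

```yaml
# Added example; every name, image and ID here is a placeholder. Filer Job (non-root):
apiVersion: batch/v1
kind: Job
metadata:
  name: example-task-filer
spec:
  template:
    spec:
      restartPolicy: Never
      securityContext:
        runAsNonRoot: true  # container start fails if it would run as UID 0
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000       # group applied to the volume where the volume type supports it
      containers:
        - name: filer
          image: registry.example/filer:placeholder
          volumeMounts:
            - name: task-data
              mountPath: /data
      volumes:
        - name: task-data
          persistentVolumeClaim:
            claimName: example-task-pvc
---
# Executor Job: same UID, GID and fsGroup, so it can access what the filer wrote.
apiVersion: batch/v1
kind: Job
metadata:
  name: example-task-executor
spec:
  template:
    spec:
      restartPolicy: Never
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
      containers:
        - name: executor
          image: registry.example/executor:placeholder
          volumeMounts:
            - name: task-data
              mountPath: /data
      volumes:
        - name: task-data
          persistentVolumeClaim:
            claimName: example-task-pvc
```

`fsGroup` only takes effect on volume types that support ownership management, so the storage class backing the shared claim has to be checked before relying on it.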