mysql-operator icon indicating copy to clipboard operation
mysql-operator copied to clipboard

Published 20 hours ago verified publisher icon oracle

Reference the numerical UID for the Docker images to run as.

Open KashifSaadat opened this issue 6 years ago • 7 comments

In Kubernetes when making use of PodSecurityPolicies with MustRunAsNonRoot set, the kubelet rejects any pods with a non-numeric USER.

Changes:

  • For the mysql-agent image, reference the numerical id for the mysql user (created as part of the package install in the source image)
  • For the mysql-operator image, create and reference a non-root user to run the image with

KashifSaadat avatar Sep 17 '18 11:09 KashifSaadat

Just a note on this.. I'm not overly keen on specifying the ID for the mysql user directly in the Dockerfile as that user is created via package install in the source image (we don't have control on the id for the user, unless we create a new different user and chown file permissions).

Unfortunately there doesn't appear to be a way to export the value of a RUN command (such as id -u mysql) to then pass into the USER command. The way to do it would be to execute something like the following in the Makefile (with relevant error handling):

MYSQL_UID=`docker run --entrypoint id mysql/mysql-server:8.0.12 -u mysql`
docker build --build-arg MYSQL_UID=${MYSQL_UID} -t mysql-agent -f docker/mysql-agent/Dockerfile .

If that is preferred, let me know and I can change the approach in the PR.

KashifSaadat avatar Sep 17 '18 13:09 KashifSaadat

@KashifSaadat Would using https://github.com/tianon/gosu / https://github.com/ncopa/su-exec in an entrypoint script solve the issue without requiring the hardcoding of a uid we don't control?

prydie avatar Sep 17 '18 13:09 prydie

Hey @prydie, unfortunately no. The code in Kubernetes for verifyRunAsNonRoot checks the ImageSpec for the built image before execution, validating that the User attribute is defined as expected. Related code is here: https://github.com/kubernetes/kubernetes/blob/v1.11.3/pkg/kubelet/kuberuntime/kuberuntime_container.go#L191-L199

A user can get around this by defining the securityContext in their PodSpec similar to below (which takes precedence over the check on the ImageSpec):

securityContext:
  runAsUser: 27

KashifSaadat avatar Sep 17 '18 13:09 KashifSaadat

I have added a second commit to avoid hardcoding the UID for the mysql-agent image build: https://github.com/oracle/mysql-operator/pull/219/commits/05101342be9c7b76ba3ab394d8a082a8a1cc79c5

Just more bash in the Makefile unfortunately.

KashifSaadat avatar Sep 18 '18 10:09 KashifSaadat

@KashifSaadat Currently the project wercker.yml doesn't use the Dockerfiles to create the images as previously Wercker didn't support building images directly from Dockerfiles.

For your change to have any effect on the release / CI images we need to change how we build images in the Wercker pipeline (see: here). Are you interested in giving it a shot?

prydie avatar Sep 19 '18 13:09 prydie

Hey @prydie, I've never used wercker before but given it a go, commits (I can squash / cleanup once we have the right approach):

  1. https://github.com/oracle/mysql-operator/pull/219/commits/d4dbddca833deeb63e02d6651aaf9487b1f42608 (image builds in separate pipeline)
  2. https://github.com/oracle/mysql-operator/pull/219/commits/ac30cd3145496cfd2bfa1a3337540719d3d4291d (re-use existing and change steps)

Could you suggest the best way to validate this? I've added and reworked the existing build pipelines, although I can't seem to see the new steps being executed or the log output of push-operator-image, which is now failing. Do you manually control / enable pipelines within the repo settings in wercker?

KashifSaadat avatar Sep 19 '18 15:09 KashifSaadat

I've activated the repo in wercker for my fork to attempt to debug this further, ran into a few issues:

  • With the approach of re-using the Makefile steps (running docker commands to build): https://devcenter.wercker.com/development/pipelines/direct-docker-access/
    • Turns out I can't do this, because of the note at the top of the page: This is a new feature and is currently restricted to specific users. Contact the Wercker team if you would like to use it. - Would you be able to request and have this enabled for the project?
  • Using the internal/ docker steps:
    • I attempt to follow the same process as in the Makefile, extracting the mysql-agent image from the Dockerfile to docker-run and get the UID. This fails, because when referencing the env variable in a script step to the docker-run step, for some reason it fails to parse and complains that image has not been set. If I directly set the image name, the next problem is actually running a docker exec / command to extract the UID for following steps (doesn't seem to be possible due to limitations with the internal steps).
    • ~If I ignore the above and just try to do a simple internal/docker-build, referencing the Dockerfile and build-args (as per: https://devcenter.wercker.com/administration/containers/building-an-image/#properties), it just fails immediately with 0 log output.~ Possibly a bug, only occurs if I have a different base-path set.

Any thoughts?

KashifSaadat avatar Sep 20 '18 11:09 KashifSaadat