Run xcache as user instead of root #84
Conversation
Even in containers, it's best practice to execute code as a user rather than as root whenever possible. In addition, some multi-tenant Kubernetes systems (Red Hat OpenShift / OKD) have a default security policy that executes containers with an ephemeral UID with GID 0. This change (along with substituting go-crond for crond in the base software image) should enable running as any user with GID 0.
|
Wouldn't this break multiuser? I will ask around if that's an issue. |
| RUN groupadd -o -g 0 xrootd | ||
| RUN useradd -o -u 10940 -g 0 -s /bin/sh xrootd |
There was a problem hiding this comment.
What's this for? Does OKD not like groups?
There was a problem hiding this comment.
By default, OKD runs containers with an ephemeral UID and GID 0.
| #FROM opensciencegrid/software-base:$BASE_OSG_SERIES-el7-$BASE_YUM_REPO AS xcache | ||
| FROM opensciencegrid/software-base:$BASE_OSG_SERIES-el7-bh AS xcache |
There was a problem hiding this comment.
| #FROM opensciencegrid/software-base:$BASE_OSG_SERIES-el7-$BASE_YUM_REPO AS xcache | |
| FROM opensciencegrid/software-base:$BASE_OSG_SERIES-el7-bh AS xcache | |
| FROM opensciencegrid/software-base:$BASE_OSG_SERIES-el7-$BASE_YUM_REPO AS xcache |
looks like a leftover from testing?
There was a problem hiding this comment.
never mind, just saw your line about go-crond.
|
I don't want to get it working on OKD only to break it on vanilla Kubernetes. I created a new branch, |
2 participants
Even in containers, it's best practice to execute code as a user rather than as root whenever possible. In addition,
some multi-tenant Kubernetes systems (Red Hat OpenShift / OKD) have a default security policy that executes
containers with an ephemeral UID with GID 0. This change (along with substituting go-crond for crond in the base
software image) should enable running as any user with GID 0.