rhsyseng / container-rhel-examples Goto Github PK

Shell 10.33% Makefile 78.88% Roff 10.79%

containers docker openshift rhel7-image centos7-image openshift-origin openshift-v3

container-rhel-examples's Introduction

Getting started

Build

build rhel7 images

# build many
$ make

# or build one
$ make -C starter

build centos7 images

# build many
$ make TARGET=centos7

# or build one
$ make -C starter TARGET=centos7

Run

run a built rhel7 image

$ make run -C starter

run a built centos7 image

$ make run -C starter TARGET=centos7

Optional

Lint

lint your Dockerfiles

$ yum -y install nodejs
$ npm install -g dockerfile_lint
$ make lint

Test

rhel7

# test many images
$ make test

# or test one image
$ make test -C starter

centos7

# test many images
$ make test TARGET=centos7

# or test one image
$ make test -C starter TARGET=centos7

OpenShift Test

env setup

# login as an admin user to retrieve the registry address
$ oc login -u system:admin
$ REGISTRY=`oc get svc/docker-registry -n default --template '{{.spec.clusterIP}}:{{index .spec.ports 0 "port"}}'`
# login as a regular user before executing any tests
$ oc login -u developer -p developer

test an image in openshift

$ make openshift-test -C starter OC_USER=`oc whoami` OC_PASS=`oc whoami -t` REGISTRY=${REGISTRY}

# or test a centos7 image
$ make openshift-test -C starter TARGET=centos7 OC_USER=`oc whoami` OC_PASS=`oc whoami -t` REGISTRY=${REGISTRY}

container-rhel-examples's People

Contributors

Stargazers

Watchers

Forkers

jcpowermac codificat fbladilo pchriste aojea xiangyuwang17 tchughesiv rflorenc pollyrobin coolpalani erbrito mohankrishnavanga stonezyg duudo fintecheando tarunaz wedrinklatte gnaponie emiyaubw rrgoncalves arilivigni mirekphd srichegondi debasisdash87 daskanu ecwpz91 alexpereiramaranhao mpwusr rapnagw o10222 zlanusic alaspedro rongiard hdao02 container-projects lordraven-001 030 albamoro jonathanatsnyk karmafeast

container-rhel-examples's Issues

error for OpenShift deployments

container_linux.go:247: starting container process caused "exec: \"uid_entrypoint\": executable file not found in $PATH"

should $HOME equal $APP_ROOT

test w/ arb-uid template... maybe replace APP_ROOT w/ HOME?

write code to simplify starter-arbitrary-uid?

starter-arbitrary-uid build/run

reference putpwent function from uid hook work?
https://github.com/tchughesiv/oci-uid-hook/blob/master/src/uidhook.c#L319

update ose 3.5 repo references to 3.6

Using nsswrapper is not now recommended method.

Using nsswrapper is no longer the recommended method. The preferred suggestion now is to make /etc/passwd and /etc/group writable and add entries from the ENTRYPOINT script.

See section 'Support Arbitrary User IDs`` in:

https://docs.openshift.org/latest/creating_images/guidelines.html#openshift-specific-guidelines

For an actual example, which also includes updating /etc/group which sometimes is also necessary but docs don't mention, see:

https://github.com/jupyter/docker-stacks/blob/master/base-notebook/start.sh#L92

add CentOS registry links to image readme's

https://github.com/CentOS/container-index/blob/master/index.d/container-examples.yml
e.g.
$ docker pull registry.centos.org/container-examples/starter-arbitrary-uid

Making /etc/passwd group writable allows privilege escalation

This repository recommends making /etc/passwd group writable so that the uid_entrypoint script can add a user. At the very least, the uid_entrypoint script should end by removing the group write bit on the file, otherwise it could be written again to allow privilege escalation with su.

However, creating an image with a writeable /etc/passwd and relying on the entrypoint script to secure it means that any user who overrides the entrypoint in a container would lose that protection. Users do not generally expect that overriding an entrypoint will leave their container less secure. Therefore, while I believe this would be an improvement over the status quo, it is still flawed.

In general I am concerned that running as GID 0 may create similar unexpected vulnerabilities in cases where authors of other files on the system may have left them group-writable under GID 0 while not expecting a non-root user to be running with GID 0.

remove help file references... no longer necessary for certification

starter-apb stale

@jcpowermac do we update it? or remove and point folks at apb-examples if Q's arise? idk, might be nice to have a starter image that's more of a template... but its just changing so rapidly.