Re: [che-dev] Ruunig Che and Che worksapce as non root user.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [che-dev] Ruunig Che and Che worksapce as non root user.

From: Serhii Leshchenko <sleshche@xxxxxxxxxx>
Date: Fri, 15 Mar 2019 09:41:57 +0200
Delivered-to: che-dev@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/che-dev>
List-help: <mailto:che-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/che-dev>, <mailto:che-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/che-dev>, <mailto:che-dev-request@eclipse.org?subject=unsubscribe>

Hi,

Helm chart has hardcoded values for runAsUser and fsGroup[1] that will be used for workspaces related pods.

So,

> Can this be resolved?

> Is there a way to change user/group ids of /projects? If so, how?

You can change values there to any you want. "NULL" if you do not want to set any value.

You're welcome to contribute and make these properties configurable with helm chart values.

> Are there reasons why /projects does not belong to the user/group as specified by the securityContext settings?

Root as default was set some time ago, because otherwise there were issues with PVC subpathes which are used by

common PVC strategy configured by default in helm chart[2]. But I can be wrong here.

Sorry if my answer is not detailed enough but I hope it will help.

Feel free to ask more if needed.

Regards,

Serhii.

[1] https://github.com/eclipse/che/blob/master/deploy/kubernetes/helm/che/templates/configmap.yaml#L58-L59

[2] https://github.com/eclipse/che/blob/master/deploy/kubernetes/helm/che/templates/configmap.yaml#L55

On Thu, Mar 14, 2019 at 5:12 PM Nguyen, Son <Son.Nguyen@xxxxxxxxxxxxxx> wrote:

Hi,

I posted this question here https://mattermost.eclipse.org/eclipse/channels/eclipse-che but had no feedback. So, I hope I can get information from the Che Dev community.

For security reasons, I would like to start Che and workspaces using a custom stack as a non-root user.

Using the latest Che helm chart to deploy it in a Kubernetes cluster, Che and Che.workspaces are run as root. At least that's what I see when shelling into the container and using the id command.

I modified a custom stack and used securityContext.runAsUser and securityContext.fsGroup at the container level to run as an existing user. It seems to come up with that user id.

However, the problem seems to come from the fact that /projects is owned by root:

drwxr-xr-x. 3 root root 4096 Mar 12 19:45 /projects/

Clearly, this does not bode too well with that user id when s/he tries to write to /projects.

Can this be resolved?
Are there reasons why /projects does not belong to the user/group as specified by the securityContext settings?

Is there a way to change user/group ids of /projects? If so, how?

Are there any other options?

Is this a configuration matter or is Che only working with root privileges?

Any feedback is greatly appreciated.

Son Nguyen

_______________________________________________
che-dev mailing list
che-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/che-dev

Serhii Leshchenko

SENIOR SOFTWARE ENGINEER

Red Hat

Follow-Ups:
- Re: [che-dev] Ruunig Che and Che worksapce as non root user.
  - From: Nguyen, Son

References:
- [che-dev] Ruunig Che and Che worksapce as non root user.
  - From: Nguyen, Son

Prev by Date: Re: [che-dev] Last Che community meeting recordings
Next by Date: Re: [che-dev] Ruunig Che and Che worksapce as non root user.
Previous by thread: [che-dev] Ruunig Che and Che worksapce as non root user.
Next by thread: Re: [che-dev] Ruunig Che and Che worksapce as non root user.
Index(es):
- Date
- Thread

Breadcrumbs