Re: [che-dev] Ruunig Che and Che worksapce as non root user.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [che-dev] Ruunig Che and Che worksapce as non root user.

From: "Nguyen, Son" <Son.Nguyen@xxxxxxxxxxxxxx>
Date: Wed, 20 Mar 2019 17:33:31 +0000
Accept-language: en-US
Delivered-to: che-dev@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/che-dev>
List-help: <mailto:che-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/che-dev>, <mailto:che-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/che-dev>, <mailto:che-dev-request@eclipse.org?subject=unsubscribe>
Thread-index: AdTaeDZ8KX7S712TR2qjT+Xvb2JKRAAgfjGAAB5PqBAAeJGkgAAAuMeAAHpM4MA=
Thread-topic: [che-dev] Ruunig Che and Che worksapce as non root user.

Hi,

Things are working fine now with the nightly build.

It looks like the PR and changes to CHE_INFRA_KUBERNETES_POD_SECURITY__CONTEXT_RUN__AS__USER and CHE_INFRA_KUBERNETES_POD_SECURITY__CONTEXT_FS__GROUP to use non-root user made it work.

/projects is owned by the specified user id and belongs to the root group. Anything created in /projects has uid/gid set to the user/group specified in the configmap.yaml file.

I even started Che with the same user/group values and the above configmap.yaml changes and things work fine.

Thank you for all your feedback.

Son Nguyen

From: che-dev-bounces@xxxxxxxxxxx [mailto:che-dev-bounces@xxxxxxxxxxx] On Behalf Of Yevhen Ivantsov
Sent: Monday, March 18, 2019 4:03 AM
To: che developer discussions
Subject: Re: [che-dev] Ruunig Che and Che worksapce as non root user.

I wonder if this PR can fix it https://github.com/eclipse/che/pull/12892

On Mon, Mar 18, 2019 at 9:42 AM Serhii Leshchenko <sleshche@xxxxxxxxxx> wrote:

Hi,

Honestly, I would say that I'm not an advanced user of volumes but it's how I expect it should work:

Once a volume is mounted in some location of docker image - original docker image folder is not accessible but that path

and instead, volume folder is there (but it is not related to docker image folder).

P.S. Maybe original docker image folder is available somewhere but I do not know.

Maybe initContainer might help you, I mean you can specify some initContainer which will copy files

from its folder to mount folder if needed. Then a container of a pod will be able to access initial data just

after the start.

I hope it will help.

Sorry, If I'm wrong somewhere or there is an easier solution.

On Fri, Mar 15, 2019 at 11:31 PM Nguyen, Son <Son.Nguyen@xxxxxxxxxxxxxx> wrote:

Hi Serhii,

I will try your suggestion to get Che workspaces to run using another user id by changing configmap.yaml instead of modifying a specific stack to include runAsUser and fsGroup.

I got Che to start under an unprivileged user by changing the che/template/deployment.yaml file to include securityContext.runAsUser and securityContext.fsGroup

I am also interested in getting the initial content of a workspace’s /projects directory cloned to a newly created volume that would be mounted onto /projects.

The goal is to have the content of the main container’s /projects shared between the main container and its sidecars.

https://docs.docker.com/storage/volumes/ indicates that it is possible to do so but it did not work for me.

I created an image, added /projects and some contents under the directory. But once the workspace is up and running the contents do not appear in /projects.

Thank you for your feedback.

Son

From: che-dev-bounces@xxxxxxxxxxx [mailto:che-dev-bounces@xxxxxxxxxxx] On Behalf Of Serhii Leshchenko
Sent: Friday, March 15, 2019 3:42 AM
To: che developer discussions
Subject: Re: [che-dev] Ruunig Che and Che worksapce as non root user.

Hi,

Helm chart has hardcoded values for runAsUser and fsGroup[1] that will be used for workspaces related pods.

So,

> Can this be resolved?

> Is there a way to change user/group ids of /projects? If so, how?

You can change values there to any you want. "NULL" if you do not want to set any value.

You're welcome to contribute and make these properties configurable with helm chart values.

> Are there reasons why /projects does not belong to the user/group as specified by the securityContext settings?

Root as default was set some time ago, because otherwise there were issues with PVC subpathes which are used by

common PVC strategy configured by default in helm chart[2]. But I can be wrong here.

Sorry if my answer is not detailed enough but I hope it will help.

Feel free to ask more if needed.

Regards,

Serhii.

[1] https://github.com/eclipse/che/blob/master/deploy/kubernetes/helm/che/templates/configmap.yaml#L58-L59

[2] https://github.com/eclipse/che/blob/master/deploy/kubernetes/helm/che/templates/configmap.yaml#L55

On Thu, Mar 14, 2019 at 5:12 PM Nguyen, Son <Son.Nguyen@xxxxxxxxxxxxxx> wrote:

Hi,

I posted this question here https://mattermost.eclipse.org/eclipse/channels/eclipse-che but had no feedback. So, I hope I can get information from the Che Dev community.

For security reasons, I would like to start Che and workspaces using a custom stack as a non-root user.

Using the latest Che helm chart to deploy it in a Kubernetes cluster, Che and Che.workspaces are run as root. At least that's what I see when shelling into the container and using the id command.

I modified a custom stack and used securityContext.runAsUser and securityContext.fsGroup at the container level to run as an existing user. It seems to come up with that user id.

However, the problem seems to come from the fact that /projects is owned by root:

drwxr-xr-x. 3 root root 4096 Mar 12 19:45 /projects/

Clearly, this does not bode too well with that user id when s/he tries to write to /projects.

Can this be resolved?
Are there reasons why /projects does not belong to the user/group as specified by the securityContext settings?

Is there a way to change user/group ids of /projects? If so, how?

Are there any other options?

Is this a configuration matter or is Che only working with root privileges?

Any feedback is greatly appreciated.

Son Nguyen

_______________________________________________
che-dev mailing list
che-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/che-dev

--

Serhii Leshchenko

SENIOR SOFTWARE ENGINEER

Red Hat

_______________________________________________
che-dev mailing list
che-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/che-dev

--

Serhii Leshchenko

SENIOR SOFTWARE ENGINEER

Red Hat

_______________________________________________
che-dev mailing list
che-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/che-dev

EUGENE IVANTSOV

Red Hat

eivantsov@xxxxxxxxxx

Follow-Ups:
- Re: [che-dev] Ruunig Che and Che worksapce as non root user.
  - From: Dave Neary

References:
- [che-dev] Ruunig Che and Che worksapce as non root user.
  - From: Nguyen, Son
- Re: [che-dev] Ruunig Che and Che worksapce as non root user.
  - From: Serhii Leshchenko
- Re: [che-dev] Ruunig Che and Che worksapce as non root user.
  - From: Nguyen, Son
- Re: [che-dev] Ruunig Che and Che worksapce as non root user.
  - From: Serhii Leshchenko
- Re: [che-dev] Ruunig Che and Che worksapce as non root user.
  - From: Yevhen Ivantsov

Prev by Date: [che-dev] Minutes and video for last Che Community Call
Next by Date: Re: [che-dev] Ruunig Che and Che worksapce as non root user.
Previous by thread: Re: [che-dev] Ruunig Che and Che worksapce as non root user.
Next by thread: Re: [che-dev] Ruunig Che and Che worksapce as non root user.
Index(es):
- Date
- Thread

Breadcrumbs