Re: [che-dev] Running Che and Che workspace as non root user.
Thanks for confirming that this is now working and sharing your
solution, Son!
Dave.
On 20/03/2019 13:33, Nguyen, Son wrote:
> Hi,
>
> Things are working fine now with the nightly build.
>
> It looks like the PR and changes to
> CHE_INFRA_KUBERNETES_POD_SECURITY__CONTEXT_RUN__AS__USER and
> CHE_INFRA_KUBERNETES_POD_SECURITY__CONTEXT_FS__GROUP to use a non-root
> user made it work.
>
> /projects is owned by the specified user id and belongs to the root
> group. Anything created in /projects has uid/gid set to the user/group
> specified in the configmap.yaml file.
>
> I even started Che with the same user/group values and the above
> configmap.yaml changes and things work fine.
>
> Thank you for all your feedback.
>
> Son Nguyen
>
> *From:* che-dev-bounces@xxxxxxxxxxx [mailto:che-dev-bounces@xxxxxxxxxxx]
> *On Behalf Of* Yevhen Ivantsov
> *Sent:* Monday, March 18, 2019 4:03 AM
> *To:* che developer discussions
> *Subject:* Re: [che-dev] Running Che and Che workspace as non root user.
>
> I wonder if this PR can fix it: https://github.com/eclipse/che/pull/12892
>
> On Mon, Mar 18, 2019 at 9:42 AM Serhii Leshchenko <sleshche@xxxxxxxxxx> wrote:
>
> Hi,
>
> Honestly, I would say that I'm not an advanced user of volumes, but
> this is how I expect it should work:
>
> Once a volume is mounted in some location of a docker image, the original
> docker image folder is not accessible at that path, and instead the
> volume folder is there (but it is not related to the docker image folder).
>
> P.S. Maybe the original docker image folder is available somewhere, but I
> do not know.
>
> Maybe an initContainer might help you; I mean you can specify some
> initContainer which will copy files from its folder to the mount folder
> if needed. Then a container of a pod will be able to access the initial
> data just after the start.
>
> I hope it will help.
>
> Sorry if I'm wrong somewhere or there is an easier solution.
>
> On Fri, Mar 15, 2019 at 11:31 PM Nguyen, Son <Son.Nguyen@xxxxxxxxxxxxxx> wrote:
>
> Hi Serhii,
>
> I will try your suggestion to get Che workspaces to run using
> another user id by changing configmap.yaml instead of modifying
> a specific stack to include runAsUser and fsGroup.
>
> I got Che to start under an unprivileged user by changing the
> che/template/deployment.yaml file to include
> securityContext.runAsUser and securityContext.fsGroup.
>
> I am also interested in getting the initial content of a
> workspace’s /projects directory cloned to a newly created volume
> that would be mounted onto /projects.
>
> The goal is to have the content of the main container’s
> /projects shared between the main container and its sidecars.
>
> https://docs.docker.com/storage/volumes/ indicates that it is
> possible to do so, but it did not work for me.
>
> I created an image and added /projects and some contents under the
> directory. But once the workspace is up and running, the contents
> do not appear in /projects.
>
> Thank you for your feedback.
>
> Son
>
> *From:* che-dev-bounces@xxxxxxxxxxx [mailto:che-dev-bounces@xxxxxxxxxxx]
> *On Behalf Of* Serhii Leshchenko
> *Sent:* Friday, March 15, 2019 3:42 AM
> *To:* che developer discussions
> *Subject:* Re: [che-dev] Running Che and Che workspace as non root user.
>
> Hi,
>
> The Helm chart has hardcoded values for runAsUser and fsGroup [1]
> that will be used for workspace-related pods.
>
> So,
>
> > Can this be resolved?
> > Is there a way to change user/group ids of /projects? If so, how?
>
> You can change the values there to any you want, or "NULL" if you do
> not want to set any value.
>
> You're welcome to contribute and make these properties
> configurable with helm chart values.
>
> > Are there reasons why /projects does not belong to the
> > user/group as specified by the securityContext settings?
>
> Root as default was set some time ago, because otherwise there
> were issues with PVC subpaths, which are used by the
> common PVC strategy configured by default in the helm chart [2]. But
> I can be wrong here.
>
> Sorry if my answer is not detailed enough, but I hope it will help.
>
> Feel free to ask more if needed.
>
> Regards,
>
> Serhii.
>
> [1] https://github.com/eclipse/che/blob/master/deploy/kubernetes/helm/che/templates/configmap.yaml#L58-L59
> [2] https://github.com/eclipse/che/blob/master/deploy/kubernetes/helm/che/templates/configmap.yaml#L55
>
> On Thu, Mar 14, 2019 at 5:12 PM Nguyen, Son <Son.Nguyen@xxxxxxxxxxxxxx> wrote:
>
> Hi,
>
> I posted this question here
> https://mattermost.eclipse.org/eclipse/channels/eclipse-che
> but had no feedback. So, I hope I can get information from
> the Che Dev community.
>
> For security reasons, I would like to start Che and
> workspaces using a custom stack as a non-root user.
>
> Using the latest Che helm chart to deploy it in a Kubernetes
> cluster, Che and Che workspaces are run as root. At least
> that's what I see when shelling into the container and using
> the id command.
>
> I modified a custom stack and used securityContext.runAsUser
> and securityContext.fsGroup at the container level to run as
> an existing user. It seems to come up with that user id.
>
> However, the problem seems to come from the fact that
> /projects is owned by root:
>
> drwxr-xr-x. 3 root root 4096 Mar 12 19:45 /projects/
>
> Clearly, this does not bode too well with that user id when
> s/he tries to write to /projects.
>
> Can this be resolved?
> Are there reasons why /projects does not belong to the
> user/group as specified by the securityContext settings?
>
> Is there a way to change user/group ids of /projects? If so,
> how?
>
> Are there any other options?
>
> Is this a configuration matter or is Che only working with
> root privileges?
>
> Any feedback is greatly appreciated.
>
> Son Nguyen
>
> _______________________________________________
> che-dev mailing list
> che-dev@xxxxxxxxxxx <mailto:che-dev@xxxxxxxxxxx>
> To change your delivery options, retrieve your password, or
> unsubscribe from this list, visit
> https://www.eclipse.org/mailman/listinfo/che-dev
>
> --
>
> *Serhii Leshchenko*
>
> SENIOR SOFTWARE ENGINEER
>
> Red Hat
>
> <https://www.redhat.com/>
>
> --
>
> *Serhii Leshchenko*
>
> SENIOR SOFTWARE ENGINEER
>
> Red Hat
>
> <https://www.redhat.com/>
>
> --
>
> *EUGENE IVANTSOV*
>
> Red Hat
>
> <https://www.redhat.com/>
>
> eivantsov@xxxxxxxxxx <mailto:eivantsov@xxxxxxxxxx>
>
>
--
Dave Neary - Eclipse Che Ecosystem & Community Manager
Open Source and Standards - Red Hat
E: dneary@xxxxxxxxxx / T: @nearyd / Ph: +1-978-799-3338
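The two technical points of the thread above are a pod-level securityContext that sets runAsUser and fsGroup so /projects is writable by an unprivileged user, and Serhii's suggestion of an initContainer that seeds a mounted volume from content baked into the image (the mount hides the image's own /projects). The script below is an added example, not Che's code or anything the posters wrote: it builds such a pod spec as a plain dict (dumpable as JSON or YAML) and audits it for containers that would still run as root. The image name, the seed directory /opt/projects-seed, the emptyDir volume and the uid/gid 1000 are constructed placeholders; a real Che deployment uses the PVC strategy discussed in the thread.

```python
import json

# Constructed placeholders (not from the thread): where the image keeps the
# initial /projects content, and the image used for every container.
SEED_DIR = "/opt/projects-seed"
PROJECTS_DIR = "/projects"
IMAGE = "registry.example.invalid/workspace:dev"


def workspace_pod(uid, gid, image=IMAGE):
    """Pod spec with a non-root securityContext and a /projects volume that is
    seeded by an initContainer and shared by the main container and a sidecar."""
    projects_mount = {"name": "projects", "mountPath": PROJECTS_DIR}
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": "workspace"},
        "spec": {
            # Pod-level: every container runs as uid. fsGroup is applied to
            # volumes that support ownership changes, so files created under
            # /projects get that gid and the user can write there.
            "securityContext": {"runAsUser": uid, "fsGroup": gid, "runAsNonRoot": True},
            "volumes": [{"name": "projects", "emptyDir": {}}],
            "initContainers": [{
                "name": "seed-projects",
                "image": image,
                # The mounted volume hides the image's own /projects, so copy the
                # seed content into it before the main containers start. As a
                # non-root process cannot chown, the copies end up owned by uid.
                "command": ["sh", "-c", f"cp -a {SEED_DIR}/. {PROJECTS_DIR}/"],
                "volumeMounts": [projects_mount],
            }],
            "containers": [
                {"name": "dev", "image": image, "volumeMounts": [projects_mount]},
                {"name": "sidecar", "image": image, "volumeMounts": [projects_mount]},
            ],
        },
    }


def effective_uid(pod, container):
    """A container-level runAsUser overrides the pod-level one; None means the
    image's default user, which for the images in the thread was root."""
    own = container.get("securityContext", {})
    if "runAsUser" in own:
        return own["runAsUser"]
    return pod["spec"].get("securityContext", {}).get("runAsUser")


def audit(pod):
    """Return findings for containers that would still run as root and for a
    missing fsGroup; an empty list means the spec is clean."""
    spec = pod["spec"]
    findings = []
    if "fsGroup" not in spec.get("securityContext", {}):
        findings.append("pod: no fsGroup, volumes keep their default (root) group")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        uid = effective_uid(pod, c)
        if uid is None:
            findings.append(f"{c['name']}: no runAsUser, runs as the image's default user")
        elif uid == 0:
            findings.append(f"{c['name']}: runAsUser 0 (root)")
    return findings


def containers_sharing(pod, mount_path):
    """Names of the (non-init) containers that mount something at mount_path."""
    return [
        c["name"]
        for c in pod["spec"].get("containers", [])
        if any(m["mountPath"] == mount_path for m in c.get("volumeMounts", []))
    ]


if __name__ == "__main__":
    pod = workspace_pod(uid=1000, gid=1000)
    print(json.dumps(pod, indent=2))
    print("findings:", audit(pod) or "none")
    print("sharing /projects:", containers_sharing(pod, PROJECTS_DIR))
```

The audit mirrors the pitfall in Son's first message: setting runAsUser only on one container, or leaving it unset, still leaves other containers (and the initContainer that seeds the volume) on the image's default user, and without fsGroup the volume keeps root's group, which is exactly the `drwxr-xr-x root root /projects/` he observed.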