Re: [hono-dev] Running Docker containers as non-root user

In my experience, as far as I know, it's not true for Kubernetes but only for OpenShift.

As you said, OpenShift injects a temporary "non root" user for running the container and accessing the file system.

It doesn't happen on Kubernetes, so the container runs as the root user if the "hono" user is removed.

In this case I would stick with the "hono" user.


Have you already tried this change on Kubernetes?


Thanks


Paolo Patierno
Senior Software Engineer (IoT) @ Red Hat
Microsoft MVP on Azure & IoT
Microsoft Azure Advisor 

Twitter : @ppatierno
Linkedin : paolopatierno
Blog : DevExperience



From: hono-dev-bounces@xxxxxxxxxxx <hono-dev-bounces@xxxxxxxxxxx> on behalf of Dejan Bosanac <dejanb@xxxxxxxxxxxx>
Sent: Wednesday, November 22, 2017 10:22 AM
To: hono developer discussions
Subject: Re: [hono-dev] Running Docker containers as non-root user
 
Sounds good to me.

On Wed, Nov 22, 2017 at 9:09 AM, Hudalla Kai (INST/ECS4) <kai.hudalla@xxxxxxxxxxxx> wrote:

Hi,

as part of building the Hono Docker images we are currently creating a "hono" (system) user which we also use to run the container (by means of Dockerfile's USER hono). However, container orchestration platforms like OpenShift usually have their own means to prevent containers from being run as root, e.g. by creating a temporary user and running the container under that user (docker run --user UID:GID). In such cases we would probably interfere with such efforts, in particular when it comes to managing access to file system resources.

I therefore currently tend to remove the special "hono" user from our images and let the container orchestration platform take care of switching to a less privileged user (if required/wanted).

Any thoughts on that?

--

Mit freundlichen Grüßen / Best regards

Kai Hudalla
Chief Software Architect

Bosch Software Innovations GmbH
Ullsteinstraße 128
12109 Berlin
GERMANY
www.bosch-si.com

Registered Office: Berlin, Registration Court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing Directors: Dr.-Ing. Rainer Kallenbach, Michael Hahn



--
Regards
--
Dejan Bosanac
http://sensatic.net/about
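
The Kubernetes case raised in this thread, as an added example that is not part of the original messages or of Hono's own deployment files: a pod spec that makes the platform enforce a non-root user whether or not the image declares one. The pod name, container name, image reference and UID/GID 1000 are placeholders chosen for illustration.

```yaml
# Added example; names, image and UID/GID values are placeholders, not Hono's own.
apiVersion: v1
kind: Pod
metadata:
  name: hono-example
spec:
  securityContext:
    # The kubelet refuses to start any container that would run as UID 0,
    # so an image without a USER instruction fails instead of running as root.
    runAsNonRoot: true
    # Numeric UID/GID, the Kubernetes counterpart of `docker run --user UID:GID`.
    # Also needed when the image says `USER hono`: the kubelet cannot verify
    # that a named (non-numeric) user is non-root and rejects the container
    # when runAsNonRoot is set without a numeric runAsUser.
    runAsUser: 1000
    runAsGroup: 1000
    # Supported volume types are made group-owned by this GID, which covers
    # the file system access concern when the UID is not baked into the image.
    fsGroup: 1000
  containers:
    - name: hono-service
      image: example.org/hono-service:placeholder
      securityContext:
        # Block setuid binaries from regaining privileges inside the container.
        allowPrivilegeEscalation: false
```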
