Re: [hono-dev] Running Docker containers as non-root user

On 22.11.2017 12:09, Paolo Patierno wrote:

In my experience, as far as I know, it's not true for Kubernetes but only for OpenShift.

Yes, Kubernetes just runs the container "as-is".

As you said, OpenShift injects a temporary "non root" user for running the container and accessing the file system.

It doesn't happen on Kubernetes so the container runs with root user if the "hono" user is removed.

In this case I would stick with the "hono" user.


Yes, the container would run as root in this case, unless you add corresponding params to the deployment spec for running it as another user. My point is not that I think running as root is the best thing to do but instead my point is that I would like to not interfere with the container orchestrator's means to handle this. So, if you are concerned about running the Hono container on Kubernetes as root, simply change it to another user by means of specifying a SecurityContext for the pod.

Have you already tried this change on Kubernetes?

Yes, it runs without a problem on minikube.


Thanks


Paolo Patierno
Senior Software Engineer (IoT) @ Red Hat
Microsoft MVP on Azure & IoT
Microsoft Azure Advisor 

Twitter : @ppatierno
Linkedin : paolopatierno
Blog : DevExperience



From: hono-dev-bounces@xxxxxxxxxxx <hono-dev-bounces@xxxxxxxxxxx> on behalf of Dejan Bosanac <dejanb@xxxxxxxxxxxx>
Sent: Wednesday, November 22, 2017 10:22 AM
To: hono developer discussions
Subject: Re: [hono-dev] Running Docker containers as non-root user
 
Sounds good to me.

On Wed, Nov 22, 2017 at 9:09 AM, Hudalla Kai (INST/ECS4) <kai.hudalla@xxxxxxxxxxxx> wrote:

Hi,

as part of building the Hono Docker images we are currently creating a "hono" (system) user which we also use to run the container (by means of Dockerfile's USER hono). However, container orchestration platforms like Openshift usually have their own means to prevent containers from being run as root, e.g. by creating a temporary user and running the container under that user (docker run --user UID:GID). In such cases we would probably interfere with such efforts, in particular when it comes to managing access to file system resources.

I therefore currently tend to remove the special "hono" user from our images and let the container orchestration platform take care of switching to a less privileged user (if required/wanted).

Any thoughts on that?

--

Mit freundlichen Grüßen / Best regards

Kai Hudalla
Chief Software Architect

Bosch Software Innovations GmbH
Ullsteinstraße 128
12109 Berlin
GERMANY
www.bosch-si.com

Registered Office: Berlin, Registration Court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing Directors: Dr.-Ing. Rainer Kallenbach, Michael Hahn


_______________________________________________
hono-dev mailing list
hono-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/hono-dev




--
Regards
--
Dejan Bosanac
http://sensatic.net/about



--

Mit freundlichen Grüßen / Best regards

Kai Hudalla
Chief Software Architect

Bosch Software Innovations GmbH
Ullsteinstraße 128
12109 Berlin
GERMANY
www.bosch-si.com

Registered Office: Berlin, Registration Court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing Directors: Dr.-Ing. Rainer Kallenbach, Michael Hahn
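A check for the point made in this thread, that Kubernetes runs an image as-is unless the pod spec sets a SecurityContext: an added example, not code from the thread or from the Hono project, that flags containers whose effective securityContext does not pin a non-root user. The manifests, container names, image names and UIDs are constructed for illustration.

```python
import json

# Constructed sample manifests (not from the Hono project): a pod with no
# securityContext (runs the image "as-is") and the same pod with the
# securityContext that plays the role of "docker run --user UID:GID".
POD_AS_IS = json.loads("""
{"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "hono-adapter"},
 "spec": {"containers": [{"name": "adapter", "image": "example/hono-adapter:latest"}]}}
""")

POD_NON_ROOT = json.loads("""
{"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "hono-adapter"},
 "spec": {"securityContext": {"runAsUser": 1000, "runAsGroup": 1000,
                              "fsGroup": 1000, "runAsNonRoot": true},
          "containers": [{"name": "adapter", "image": "example/hono-adapter:latest"}]}}
""")


def effective_security_context(pod, container):
    """Merge pod-level and container-level securityContext; container values win."""
    merged = dict(pod.get("spec", {}).get("securityContext", {}))
    merged.update(container.get("securityContext", {}))
    return merged


def containers_that_may_run_as_root(pod):
    """Return the names of containers whose manifest does not pin a non-root user.

    Without runAsUser (> 0) or runAsNonRoot the effective user is whatever the
    image's USER instruction says; an image without USER runs as root.
    Note: runAsNonRoot alone only works if the image declares a numeric
    non-root USER, otherwise the kubelet refuses to start the container.
    """
    findings = []
    for c in pod.get("spec", {}).get("containers", []):
        sc = effective_security_context(pod, c)
        uid = sc.get("runAsUser")
        pinned = (uid is not None and uid != 0) or sc.get("runAsNonRoot") is True
        if not pinned:
            findings.append(c["name"])
    return findings


if __name__ == "__main__":
    print("as-is manifest, may run as root:", containers_that_may_run_as_root(POD_AS_IS))
    print("non-root manifest, may run as root:", containers_that_may_run_as_root(POD_NON_ROOT))
```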

