Monday, February 12, 2024

[389-users] Re: Fwd: dscontainer as non root



On Mon, Feb 12, 2024 at 5:37 PM Antony Jose <anto346@gmail.com> wrote:
Thanks Viktor for the response. Appreciate it. 
 I have provided an attachment with the details. Dockerfile, kubectl error log and security context construct has been provided.

I am using sles15 bci as base os.  Do we need add 389 user in Dockerfile? 
Please let me know if you want any further information. 

The error:
KeyError: 'getpwuid(): uid not found: 389'
indicates that there is no 389 uid found inside the container.

When the 389-ds package is installed, dirsrv user is created by using systemd-sysusers configuration.
But in SUSE it has no preference and takes the first available uid/gid: https://build.opensuse.org/package/view_file/network:ldap/389-ds/dirsrv-user.conf?expand=1

a28855ee79c7:/ # cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
dirsrv:x:499:486:User for 389 directory server:/var/lib/dirsrv:/sbin/nologin

So in your case dirsrv user has 499 as the uid and 486 as gid.
I don't know how stable these mappings are.
And securityContext accepts these values as int64 only, so it's not possible to specify 'dirsrv' user:

You can add dirsrv user and group with 389 uid/gid before installing 389-ds. And then use 389 as runAsUser and fsGroup values.

HTH





On Mon, Feb 12, 2024 at 9:38 PM Viktor Ashirov <vashirov@redhat.com> wrote:
Hi Antony,

On Mon, Feb 12, 2024 at 3:37 PM Mark Reynolds <mareynol@redhat.com> wrote:

Forwarding to the correct list....



-------- Forwarded Message --------
Subject: dscontainer as non root
Date: Mon, 12 Feb 2024 20:01:09 +0530
From: Antony Jose <anto346@gmail.com>
To: 389-users-owner@lists.fedoraproject.org


Hi,
Can we run dscontainer as non root process. I have deployed dscontainer on k8s cluster as root user. However running as root user is not the best security practice. Is there a tested way we can reliably run ds389 as non root user. I tried tweaking security policies to use a non root user. However, I get errors during dscontainer start up. 
dscontainer certainly can run as non-root user, in the doc that you linked there is a securityContext section with runAsUser and fsGroup values that are set to 389, which is dirsrv user.

Can you share errors that you get?
Thanks.
 
--
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue


--
Viktor


--
Viktor

No comments:

Post a Comment