On Mon, Feb 12, 2024 at 5:37 PM Antony Jose <anto346@gmail.com> wrote:
Thanks Viktor for the response. Appreciate it.

I have provided an attachment with the details. Dockerfile, kubectl error log and security context construct have been provided. I am using sles15 bci as base os. Do we need to add the 389 user in the Dockerfile?

Please let me know if you want any further information.
The error:
KeyError: 'getpwuid(): uid not found: 389'
indicates that there is no 389 uid found inside the container.
When the 389-ds package is installed, the dirsrv user is created using a systemd-sysusers configuration.
In Fedora/RHEL it has a preference for 389 uid/gid: https://src.fedoraproject.org/rpms/389-ds-base/blob/rawhide/f/389-ds-base.sysusers
But in SUSE it has no preference and takes the first available uid/gid: https://build.opensuse.org/package/view_file/network:ldap/389-ds/dirsrv-user.conf?expand=1
a28855ee79c7:/ # cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
dirsrv:x:499:486:User for 389 directory server:/var/lib/dirsrv:/sbin/nologin
So in your case dirsrv user has 499 as the uid and 486 as gid.
I don't know how stable these mappings are.
And securityContext accepts these values as int64 only, so it's not possible to specify the 'dirsrv' user by name.
You can add dirsrv user and group with 389 uid/gid before installing 389-ds. And then use 389 as runAsUser and fsGroup values.
HTH
On Mon, Feb 12, 2024 at 9:38 PM Viktor Ashirov <vashirov@redhat.com> wrote:

Hi Antony,

On Mon, Feb 12, 2024 at 3:37 PM Mark Reynolds <mareynol@redhat.com> wrote:

Forwarding to the correct list....

-------- Forwarded Message --------
Subject: dscontainer as non root
Date: Mon, 12 Feb 2024 20:01:09 +0530
From: Antony Jose <anto346@gmail.com>
To: 389-users-owner@lists.fedoraproject.org

Hi,

Can we run dscontainer as a non-root process? I have deployed dscontainer on a k8s cluster as the root user. However, running as the root user is not the best security practice. Is there a tested way we can reliably run ds389 as a non-root user? I tried tweaking security policies to use a non-root user. However, I get errors during dscontainer start-up.

Took inspiration from this doc: https://www.port389.org/docs/389ds/howto/howto-deploy-389ds-on-openshift.html

Regards,
Antony

dscontainer certainly can run as a non-root user; in the doc that you linked there is a securityContext section with runAsUser and fsGroup values that are set to 389, which is the dirsrv user.

Can you share the errors that you get?

Thanks.
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
--
Viktor
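The following is an added example, not code from the thread or from the 389-ds project. It puts Viktor's suggestion (create dirsrv at 389:389 before 389-ds is installed, then keep runAsUser/fsGroup at 389) into a Dockerfile RUN step, and adds a small shell check that resolves a manifest's runAsUser/fsGroup against the image's passwd and group files the way dscontainer's getpwuid()/getgrgid() lookups do at start-up. The passwd content is the one Antony posted; the group lines and the "after" state are constructed to match it, and the useradd/groupadd invocation assumes the shadow tools are present in the SLES BCI base image.

```shell
#!/bin/sh
# Added example (not from the thread or the 389-ds project).
#
# (1) Dockerfile fix. Put this RUN step *before* the line that installs
#     389-ds (e.g. `RUN zypper -n install 389-ds`). systemd-sysusers only
#     creates accounts that do not already exist, so the package's
#     dirsrv-user.conf then reuses this 389:389 account instead of taking
#     the first free uid/gid (499:486 in the posted image). Assumes the
#     shadow tools (groupadd/useradd) are available in the base image.
#
#   RUN groupadd -g 389 dirsrv && \
#       useradd -u 389 -g 389 -d /var/lib/dirsrv -s /sbin/nologin \
#               -c 'User for 389 directory server' dirsrv
#
#     Keep runAsUser: 389 and fsGroup: 389 in the pod's securityContext.

# (2) Constructed samples. PASSWD_BEFORE is the /etc/passwd Antony posted;
#     the group lines and the *_AFTER content are what the image looks like
#     after the RUN step above (constructed, not captured).
PASSWD_BEFORE='root:x:0:0:root:/root:/bin/bash
dirsrv:x:499:486:User for 389 directory server:/var/lib/dirsrv:/sbin/nologin'
GROUP_BEFORE='root:x:0:
dirsrv:x:486:'
PASSWD_AFTER='root:x:0:0:root:/root:/bin/bash
dirsrv:x:389:389:User for 389 directory server:/var/lib/dirsrv:/sbin/nologin'
GROUP_AFTER='root:x:0:
dirsrv:x:389:'

# name_for_id <id> <passwd-or-group-content>
# Prints the entry name whose numeric id (field 3 in both files) equals <id>;
# returns 1 when no entry matches, which is the getpwuid()/getgrgid() failure.
name_for_id() {
    printf '%s\n' "$2" | awk -F: -v id="$1" '
        $3 == id { print $1; found = 1 }
        END { exit found ? 0 : 1 }'
}

# id_for_name <name> <passwd-or-group-content>
# The reverse lookup: which uid/gid did the package actually give dirsrv?
id_for_name() {
    printf '%s\n' "$2" | awk -F: -v name="$1" '
        $1 == name { print $3; found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_security_context <runAsUser> <fsGroup> <passwd-content> <group-content>
# Resolves both ids as dscontainer will at start-up. Prints one line per id
# and returns 0 only if both resolve inside the image.
check_security_context() {
    rc=0
    if user=$(name_for_id "$1" "$3"); then
        echo "runAsUser $1 -> $user"
    else
        echo "runAsUser $1: uid not found in passwd (dscontainer fails in getpwuid())"
        rc=1
    fi
    if group=$(name_for_id "$2" "$4"); then
        echo "fsGroup $2 -> $group"
    else
        echo "fsGroup $2: gid not found in group"
        rc=1
    fi
    return $rc
}

# Usage: the posted image fails with runAsUser/fsGroup 389 (dirsrv is 499:486
# there); after pinning the account in the Dockerfile the same manifest works.
echo "dirsrv uid in posted image: $(id_for_name dirsrv "$PASSWD_BEFORE")"
check_security_context 389 389 "$PASSWD_BEFORE" "$GROUP_BEFORE" \
    || echo "before pinning: manifest does not match image"
check_security_context 389 389 "$PASSWD_AFTER" "$GROUP_AFTER" \
    && echo "after pinning: manifest matches image"
```

In a real pipeline the two inputs come from the image itself, e.g. `docker run --rm --entrypoint cat <image> /etc/passwd`, and the check can gate the deploy so a base-image update that shifts dirsrv's uid is caught before the pod crash-loops on the KeyError.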