
RHDEVDOCS 3306: Document running image build tasks as unprivileged bu…

Open sounix000 opened this issue 3 years ago • 1 comment

  • Aligned team: Dev Tools
  • OCP version for cherry-picking: enterprise-4.10, enterprise-4.11, enterprise-4.12
  • JIRA issues: RHDEVDOCS-3306 Document running image build tasks as unprivileged builds
  • Preview pages: http://file.pnq.redhat.com/sosarkar/3306-unprivileged-builds/cicd/pipelines/running-workloads-and-buildah-as-user-namespaces-on-openshift-pipelines.html
  • SME review: @chmouel
  • QE review: @VeereshAradhya or @ppitonak
  • Peer-review: TBD

sounix000 avatar Sep 14 '22 10:09 sounix000

🤖 Updated build preview is available at: https://50364--docspreview.netlify.app

Build log: https://circleci.com/gh/ocpdocs-previewbot/openshift-docs/4825

ocpdocs-previewbot avatar Sep 21 '22 10:09 ocpdocs-previewbot

NOTE to self: Work on https://issues.redhat.com/browse/RHDEVDOCS-4657 immediately after closing this PR.

sounix000 avatar Nov 02 '22 12:11 sounix000

lgtm

bburt-rh avatar Nov 02 '22 14:11 bburt-rh

Current discussion test for testing: https://coreos.slack.com/archives/CG5GV6CJD/p1667818845838809

sounix000 avatar Nov 07 '22 11:11 sounix000

Run it as a root in the container and user on the host, this uses user-namespace on the host (so.. annotation required). See frasertweedale.github.io/blog-redhat/posts/2022-02-02-openshift-user-ns-without-anyuid.html for the idea. This, today, doesn't work (as the default seccomp profile disallows unshare, which makes buildah useless)

what is the point of this? that's the default behavior?

we should come up with one default advised use case for users.

Run it as user in the container and a different user on the host, with annotation. This seems to be what's documented, and I have no idea if this works, but this is probably the least reliable one to use.

this use case is what is presented by buildah to build container (although limited by some functionality) as user and running as non root on host....

chmouel avatar Nov 07 '22 11:11 chmouel

but this is probably the least reliable one to use

@vdemeester what do you mean? That one image gets built but another one not or that it might not work in new version of OpenShift?

ppitonak avatar Nov 07 '22 11:11 ppitonak

/hold

vdemeester avatar Nov 07 '22 11:11 vdemeester

what is the point of this? that's the default behavior?

The default behavior is that the userid on the container is the same as the userid in the node (This is why openshift uses random uid by default, etc..). Today if we run buildah as root (with anyuid SCC) the user on the node is also root. User namespaces on the "cluster"/"node" level allows a user to run a container as root (aka userid 0 in the container) while not being root on the host, meaning, well, if you manage to escape from the container, you are not as root in the container, so you need yet another "privilege escalation" to harm the node. The only "point of this", is that, in theory (aka if you remove seccomp from the picture), this could work out of the box, with restricted SCC (as documented here : https://frasertweedale.github.io/blog-redhat/posts/2022-02-02-openshift-user-ns-without-anyuid.html — the user is root inside the container, with restricted SCC).

@vdemeester what do you mean? That one image gets built but another one not or that it might not work in new version of OpenShift?

This is a "matrix" problem really. Running as user in a user namespace means that you have 2 levels of "mapping" — inside the container, buildah will map root (in the container used to build inside the container that runs the buildah process) to a user, and because usernamespace is used from container (that runs the buildah process) to the host, it will map the user that buildah runs with, to another user on the host. This is very slippery 😓.

vdemeester avatar Nov 07 '22 11:11 vdemeester
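The two-level uid "matrix" vdemeester describes can be worked through by composing uid maps in the `/proc/<pid>/uid_map` format (`inside outside count` per line). The following is an added example, not code from the PR or from the OpenShift Pipelines docs; the pod and buildah mappings in it are constructed sample values, chosen to show that the build's root reaches an unprivileged host uid, whereas root under anyuid without a user namespace stays host uid 0.

```python
# Added example (not from the PR or the OpenShift docs): compose nested
# uid_map entries to find the host uid behind an in-container uid.
from typing import List, Optional, Tuple

UidMap = List[Tuple[int, int, int]]  # (inside_start, outside_start, count)


def parse_uid_map(text: str) -> UidMap:
    """Parse the contents of a uid_map (or gid_map) file."""
    entries: UidMap = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, outside, count = (int(f) for f in fields)
        entries.append((inside, outside, count))
    return entries


def map_uid(uid: int, uid_map: UidMap) -> Optional[int]:
    """Translate a uid seen inside a namespace to its parent namespace.
    None means unmapped (the kernel shows the overflow uid, e.g. 65534)."""
    for inside, outside, count in uid_map:
        if inside <= uid < inside + count:
            return outside + (uid - inside)
    return None


def resolve_to_host(uid: int, maps: List[UidMap]) -> Optional[int]:
    """Apply the maps innermost first; an empty list means no user namespace."""
    current: Optional[int] = uid
    for uid_map in maps:
        if current is None:
            return None
        current = map_uid(current, uid_map)
    return current


def is_really_root(uid: int, maps: List[UidMap]) -> bool:
    """True only when the in-container uid lands on host uid 0."""
    return resolve_to_host(uid, maps) == 0


# Constructed sample: the pod's user namespace maps container uid 0 to host
# uid 100000 (65536 uids); inside the pod, buildah's nested namespace maps
# the build's root to pod uid 1000 and uids 1..65535 to a subordinate range.
POD_UID_MAP = parse_uid_map("0 100000 65536\n")
BUILDAH_UID_MAP = parse_uid_map("0 1000 1\n1 10000 65535\n")


def host_uid_of_build_root() -> Optional[int]:
    return resolve_to_host(0, [BUILDAH_UID_MAP, POD_UID_MAP])
```

`host_uid_of_build_root()` walks root in the build container to pod uid 1000 and then to host uid 101000, while `is_really_root(0, [])` models the anyuid-without-userns case that vdemeester contrasts it with.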

@vdemeester / @ppitonak / @chmouel : Gentle ping, to keep this PR alive.

sounix000 avatar Nov 15 '22 11:11 sounix000

New changes are detected. LGTM label has been removed.

openshift-ci[bot] avatar Nov 18 '22 10:11 openshift-ci[bot]

/remove-hold

sounix000 avatar Dec 01 '22 14:12 sounix000

@jc-berger: changing LGTM is restricted to collaborators

In response to this:

/lgtm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

openshift-ci[bot] avatar Dec 07 '22 15:12 openshift-ci[bot]

/cherry-pick enterprise-4.10

gabriel-rh avatar Dec 08 '22 10:12 gabriel-rh

/cherry-pick enterprise-4.11

gabriel-rh avatar Dec 08 '22 10:12 gabriel-rh

/cherry-pick enterprise-4.12

gabriel-rh avatar Dec 08 '22 10:12 gabriel-rh

@gabriel-rh: new pull request created: #53586

In response to this:

/cherry-pick enterprise-4.10


@gabriel-rh: new pull request created: #53587

In response to this:

/cherry-pick enterprise-4.11


@gabriel-rh: new pull request created: #53588

In response to this:

/cherry-pick enterprise-4.12
