Open mmontes11 opened 2 days ago
Can't really: https://mariadb.com/kb/en/docker-official-image-frequently-asked-questions/#why-does-the-mariadb-container-start-as-root
See #461
Certification provides the option "Indicate that the container requires privileged host-level access in the certification project settings. This setting is subject to Red Hat review."
While k8s provides init containers, the base container as a singleton can't.
Note: "Red Hat" - always two words.
@tianon @yosifkit,
@mmontes11 is right, named volumes get permissions of USER from ~3 years ago at least - https://github.com/containers/podman/issues/10776. Think it's fair to add USER and/or remove the gosu exec dance?
A reworking of the test from #461 (which failed due to a second mounting problem fixed in v5.1.0):
$ podman volume rm us
us
$ podman volume create us
us
$ cd /tmp
$ mkdir b
$ cd b
$ vi Dockerfile
$ cat Dockerfile
FROM ubuntu:22.04
# Create user and group
RUN groupadd -g 2000 dailyprophet
RUN useradd -u 2001 -g 2000 dailyprophet
# Set ownership of the mysql directory
RUN mkdir -p /test && chown -R dailyprophet:dailyprophet /test
USER dailyprophet
VOLUME /test
$ buildah bud --tag dailyprofit .
STEP 1/6: FROM ubuntu:22.04
Trying to pull docker.io/library/ubuntu:22.04...
Getting image source signatures
Copying blob 3713021b0277 done |
Copying config 8a3cdc4d1a done |
Writing manifest to image destination
STEP 2/6: RUN groupadd -g 2000 dailyprophet
--> e3c3b9e578cf
STEP 3/6: RUN useradd -u 2001 -g 2000 dailyprophet
--> 4e5aa92ed8c6
STEP 4/6: RUN mkdir -p /test && chown -R dailyprophet:dailyprophet /test
--> f368d0e6f2ee
STEP 5/6: USER dailyprophet
--> 9e9235a0bd84
STEP 6/6: VOLUME /test
COMMIT dailyprofit
--> 8c6f295a3d36
Successfully tagged localhost/dailyprofit:latest
8c6f295a3d364b3e1c77a41c43bdea3a5756c60db2c3836c7b90c27e211a9e9b
$ podman run --rm dailyprofit ls -la /test
total 12
drwxr-xr-x. 2 dailyprophet dailyprophet 4096 Jul 4 08:59 .
dr-xr-xr-x. 1 root root 4096 Jul 4 09:00 ..
$ podman run --rm -v us:/test dailyprofit ls -la /test
total 12
drwxr-xr-x. 2 dailyprophet dailyprophet 4096 Jul 4 08:59 .
dr-xr-xr-x. 1 root root 4096 Jul 4 09:00 ..
$ podman run --rm -v us:/test dailyprofit touch /test/make_a_file.txt
$ podman --version
podman version 5.1.1
$ podman run --rm -v us:/test dailyprofit ls -la /test
total 12
drwxr-xr-x. 2 dailyprophet dailyprophet 4096 Jul 4 09:01 .
dr-xr-xr-x. 1 root root 4096 Jul 4 09:03 ..
-rw-r--r--. 1 dailyprophet dailyprophet 0 Jul 4 09:01 make_a_file.txt
Think it's fair to add USER and/or remove the gosu exec dance?
That would be ideal, yes, but it might not be a trivial refactor. The USER statement would work regardless of having the gosu dance or not. I leave it up to you 😄
Explicitly declare mysql as the container user to be compliant with the Red Hat container certification (RunAsNonRoot requirement). Without this, the certification tests fail:
But it can easily be fixed by adding
USER mysql
:
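The RunAsNonRoot requirement discussed in this thread boils down to one field of the image config: the `User` that `USER` in the Dockerfile sets. Below is an added example (not code from the MariaDB image, from Red Hat's certification tooling, or from any participant in this thread) that reads the JSON emitted by `podman image inspect IMAGE` (or `docker image inspect`) and reports whether the image would start as root. The sample inspect documents inside the block are constructed to mirror the thread's cases (no USER at all, the `dailyprophet` user from the transcript above, and a numeric `uid:gid`); the script name `check_nonroot.py` in the usage comment is hypothetical. The rule implemented is the simplified one stated in the thread: `Config.User` must be set and must not denote root. It is an assumption here that a named user (e.g. `mysql`) is acceptable to the certification check without resolving it against the image's `/etc/passwd`; Kubernetes' `runAsNonRoot` is stricter and refuses to start a container whose image user is non-numeric unless `runAsUser` is given.

```python
"""Check an OCI/Docker image config for a RunAsNonRoot-style requirement.

Usage (hypothetical file name):
    podman image inspect localhost/dailyprofit | python3 check_nonroot.py
Added example; not the MariaDB image's or Red Hat's own code.
"""
import json
import sys

ROOT_NAMES = {"root"}


def parse_user(user_field):
    """Split a `Config.User` value ("name", "uid", "name:group", "uid:gid")
    into (user, group); group is None when no ':' part is present."""
    if not user_field:
        return "", None
    user, _, group = user_field.partition(":")
    return user.strip(), (group.strip() or None)


def is_root_user(user):
    """True when the user part denotes root: empty (the podman/docker default
    when the Dockerfile has no USER), the name 'root', or uid 0."""
    if user == "" or user in ROOT_NAMES:
        return True
    return user.isdigit() and int(user) == 0


def check_run_as_non_root(inspect_json):
    """inspect_json: a JSON string, or the parsed list/dict, as produced by
    `podman image inspect IMAGE`. Returns (ok, message)."""
    data = json.loads(inspect_json) if isinstance(inspect_json, str) else inspect_json
    if isinstance(data, list):
        if not data:
            return False, "no image in inspect output"
        data = data[0]
    config = data.get("Config") or {}
    user, group = parse_user(config.get("User", ""))
    if user == "":
        return False, "Config.User is unset; the container will start as root (uid 0)"
    if is_root_user(user):
        return False, f"Config.User {user!r} is root"
    if group is not None and is_root_user(group):
        # Non-root uid with gid 0 still satisfies "non-root", but is worth seeing.
        return True, f"non-root user {user!r} but primary group is root ({group!r})"
    if not user.isdigit():
        # Assumption: a named user is accepted without resolving it via /etc/passwd.
        # Kubernetes runAsNonRoot would reject this image unless runAsUser is set.
        return True, f"non-root user by name {user!r}; uid not verifiable from image config alone"
    return True, f"non-root uid {user}"


# Constructed sample inspect output (trimmed to the fields that matter).
SAMPLE_ROOT = json.dumps([{"Config": {"User": "", "Volumes": {"/var/lib/mysql": {}}}}])
SAMPLE_NAMED = json.dumps([{"Config": {"User": "dailyprophet", "Volumes": {"/test": {}}}}])
SAMPLE_NUMERIC = json.dumps([{"Config": {"User": "2001:2000", "Volumes": {"/test": {}}}}])


def main():
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NAMED
    ok, message = check_run_as_non_root(raw)
    print(("PASS: " if ok else "FAIL: ") + message)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run against the `dailyprofit` image built in the transcript above, the check passes by name only; against the stock image that this thread wants `USER mysql` added to, `Config.User` is empty and the check fails, which is the same condition the certification tests report.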