Description of changes:
By default, OpenShift Container Platform runs containers using an arbitrarily assigned user ID. This provides additional security against processes escaping the container due to a container engine vulnerability and thereby achieving escalated permissions on the host node.
For an image to support running as an arbitrary user, directories and files that are written to by processes in the image must be owned by the root group and be read/writable by that group. Files to be executed must also have group execute permissions. Refer to https://docs.openshift.com/container-platform/4.12/openshift_images/create-images.html#images-create-guide-openshift_create-images
This pull request adds support for running the image with an arbitrarily assigned user ID. Without this, pods using this image on OpenShift will crash-loop due to filesystem permission errors.
If the intent of this image is to only ever run in Docker, then this pull request can be closed and I can maintain a fork, but it's such a small change to allow support for running under arbitrary user IDs that it would be good to include it upstream here if possible.
By submitting this pull request, I confirm that my contribution is made under the terms of the MIT license.
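An added example, not code from this pull request or the project: a POSIX shell helper that applies the OpenShift guidance quoted above at image build time (root group ownership plus `chmod g=u`, so group permissions mirror the owner's) and a check that lists every path which would still fail under an arbitrary UID. The GID defaults to 0 (the root group); the optional second argument is an assumption added only so the check can be exercised on a non-root workstation.

```shell
#!/bin/sh
# Mirrors the OpenShift requirement for arbitrary-UID images: paths written at
# runtime must be owned by GID 0 and group read/writable, executables group-
# executable. GID 0 is the real target; any other GID is for local testing only.
set -eu

# Make DIR usable by an arbitrary UID. Intended to run as root in a Dockerfile
# build step. chmod g=u copies owner bits to group, so g+rw / g+x follow u+rw / u+x.
prepare_for_arbitrary_uid() {
    dir=$1
    gid=${2:-0}
    chgrp -R "$gid" "$dir"
    chmod -R g=u "$dir"
}

# Print every path under DIR that breaks one of the three rules.
# Returns 0 when the tree is clean, 1 when any offender was found.
verify_arbitrary_uid() {
    dir=$1
    gid=${2:-0}
    offenders=$(
        # Rule 1: owned by the required group.
        find "$dir" ! -group "$gid" -exec printf 'wrong group: %s\n' {} \;
        # Rule 2: group may read and write (directories need this to create files).
        find "$dir" ! -perm -g=rw -exec printf 'no g+rw: %s\n' {} \;
        # Rule 3: anything the owner can execute (or traverse) must be group-executable.
        find "$dir" -perm -u=x ! -perm -g=x -exec printf 'no g+x: %s\n' {} \;
    )
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders"
        return 1
    fi
    return 0
}
```

In a Dockerfile this is the `RUN chgrp -R 0 /app && chmod -R g=u /app` step; the verify function is useful as a build-time assertion so a regression shows up in CI rather than as a crash-looping pod.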