Closed lvarin closed 4 years ago
Right. I wondered how the SCC that OpenShift applies affects the HOME directory. It seems that it is / (the root directory) in your case for all containers, and that is why your PR worked on OpenShift (in my case it is /home/taskmaster and /root respectively). I wonder if that is a rule for runAsUser, that it moves HOME to /. If so, I can just mount the file there and keep the hook for no SCCs. Or move HOME elsewhere (I wanted to avoid it, but it might be the best solution).
Given that $HOME changes between platforms, what if netrc is mounted in /etc/netrc instead? And the code in filer.py just looks for it in /etc/netrc. Or something like this?
That is possible and will work for ftplib, because we specifically pass the location to the call. There is also an env var (NETRC or similar) that we could additionally use to point to that arbitrary location, and that would work for some additional tools besides ftplib. Unfortunately, some tools (such as the Python requests library) only seem to check HOME for .netrc.
I think I will go with that solution anyway.
And some tests of where the HOME is:
filer on K8s --> /root
taskmaster on K8s --> /home/taskmaster
filer with runAsUser --> /
taskmaster with runAsUser --> /
filer with home env set in pod descriptor to /etc/netrc --> /etc/netrc
taskmaster with home env set in pod descriptor to /etc/netrc --> /etc/netrc
filer with runAsUser and home env set in pod descriptor to /etc/netrc --> /etc/netrc
taskmaster with runAsUser and home env set in pod descriptor to /etc/netrc --> /etc/netrc
When runAsUser is set, the entire filesystem becomes read-only (I guess minus the mounts, but I have not checked).
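As an added illustration of the lookup order discussed above (explicit path for ftplib, a NETRC-style env var, then $HOME/.netrc, which lands in /.netrc once runAsUser moves HOME to /), here is a small Python helper; it is not code from tesk-core or from this thread, and the sample .netrc content and temp directory standing in for the mounted secret are constructed.

```python
import os
import stat
import tempfile
from netrc import netrc


def resolve_netrc_path(env, explicit=None):
    """Return the netrc file a tool would consult, in the order the thread discusses:
    an explicit path (what ftplib accepts), then a NETRC env var, then $HOME/.netrc.
    When HOME is unset or moved to "/" by runAsUser, the fallback is "/.netrc",
    which a non-root container cannot write."""
    if explicit:
        return explicit
    if env.get("NETRC"):
        return env["NETRC"]
    return os.path.join(env.get("HOME", "/"), ".netrc")


def load_credentials(path, host):
    """Return (login, password) for host from the netrc file at path,
    or None when the file is absent or has no entry for host."""
    if not os.path.isfile(path):
        return None
    auth = netrc(path).authenticators(host)
    if auth is None:
        return None
    login, _account, password = auth
    return login, password


def demo():
    """Simulate HOME pointed at a writable mount: a constructed .netrc is written
    under a temp directory that stands in for the mounted secret, then HOME is
    set the way the pod descriptor would set it."""
    mount = tempfile.mkdtemp()
    netrc_file = os.path.join(mount, ".netrc")
    with open(netrc_file, "w") as fh:
        # constructed sample entry, not a real credential
        fh.write("machine ftp.example.org login ftpuser password s3cret\n")
    os.chmod(netrc_file, stat.S_IRUSR | stat.S_IWUSR)  # keep the file owner-only
    env = {"HOME": mount}  # pod descriptor analogue: HOME=<mount>
    path = resolve_netrc_path(env)
    return load_credentials(path, "ftp.example.org")


if __name__ == "__main__":
    print(demo())
```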
I'm not an expert, but if we configure the security context for a pod it's possible to execute the commands with root privileges.
@cibinsb the problem is that the security context has already been defined (runAsUser, group, fsGroup and similar) on OpenShift, and we don't want to run as root on OpenShift unless really necessary.
But also moving the filer to a different user does not help, as runAsUser still moves HOME. Setting HOME seems to work though - have a look here: https://github.com/EMBL-EBI-TSI/tesk-core/pull/32
I am waiting for @lvarin to confirm that this time it works for him as well.
Hello,
The core of the problem is this: only root can write to /, and OpenShift does not run the containers as root. The log of the pod that fails:
and the describe of the pod: