fescobar / allure-docker-service-ui

Allure Docker Service UI provides a friendly user interface for frankescobar/allure-docker-service API container.
Apache License 2.0

Unable to deploy allure-docker-service-ui in openshift #22

Closed sayantandas closed 2 years ago

sayantandas commented 3 years ago

Hi, our OpenShift platform doesn't allow IDs less than 100100000. Running as user 1000 is not possible. Hence /app/run.sh gets permission denied. Please suggest an alternative way if possible.

```
kubectl logs -f ${POD_NAME} allure-ui --namespace allure-ocp
/app/run.sh: line 24: /app/.env: Permission denied
touch: cannot touch './env-config.js': Permission denied
/app/generate_env_file.sh: line 9: ./env-config.js: Permission denied
/app/generate_env_file.sh: line 21: .env: No such file or directory
/app/generate_env_file.sh: line 23: ./env-config.js: Permission denied
mv: cannot stat '/app/env-config.js': No such file or directory
ALLURE_UI_VERSION: 7.0.3
cat: /app/.env: No such file or directory
/app/run.sh: line 41: /app/ui/config.json: Permission denied
```

OpenShift version: 3.11

fescobar commented 3 years ago

@sayantandas the only alternative is removing the user from the Dockerfile and rebuilding the image. I don't understand why OpenShift doesn't allow you to override the user. You can do that in EKS and GKE.

sayantandas commented 3 years ago

> @sayantandas the only alternative is removing the user from the Dockerfile and rebuilding the image. I don't understand why OpenShift doesn't allow you to override the user. You can do that in EKS and GKE.

Hi @fescobar, it is due to security at organization level. On a local setup of OpenShift this would work fine.

fescobar commented 3 years ago

@sayantandas for security reasons you shouldn't use your root user in the container. If you are hacked, the hacker will have root access and could do whatever he wants. For that reason, it's recommended to use a different user with fewer privileges.

https://snyk.io/blog/10-docker-image-security-best-practices/ (2. Least privileged user)

When a Dockerfile doesn’t specify a USER, it defaults to executing the container using the root user. In practice, there are very few reasons why the container should have root privileges and it could very well manifest as a docker security issue. Docker defaults to running containers using the root user. When that namespace is then mapped to the root user in the running container, it means that the container potentially has root access on the Docker host. Having an application on the container run with the root user further broadens the attack surface and enables an easy path to privilege escalation if the application itself is vulnerable to exploitation.

As I said before, you need to rebuild the Docker image and publish it to your own Docker registry.

sayantandas commented 3 years ago

> @sayantandas for security reasons you shouldn't use your root user in the container. If you are hacked, the hacker will have root access and could do whatever he wants. For that reason, it's recommended to use a different user with fewer privileges.
>
> https://snyk.io/blog/10-docker-image-security-best-practices/ (2. Least privileged user)
>
> When a Dockerfile doesn’t specify a USER, it defaults to executing the container using the root user. In practice, there are very few reasons why the container should have root privileges and it could very well manifest as a docker security issue. Docker defaults to running containers using the root user. When that namespace is then mapped to the root user in the running container, it means that the container potentially has root access on the Docker host. Having an application on the container run with the root user further broadens the attack surface and enables an easy path to privilege escalation if the application itself is vulnerable to exploitation.
>
> As I said before, you need to rebuild the Docker image and publish it to your own Docker registry.

Sure. Will try to do that.

sayantandas commented 3 years ago

I was able to custom build and deploy the image by changing ownership from node:node to 100100000:100100000. This also enabled me to expose the route and connect via port 5252. However, the login page doesn't appear. It shows some security error: `Cannot read property 'security_enabled' of undefined`

sayantandas commented 3 years ago

I was able to fix it by changing the permissions for $ROOT on both allure-docker-service and allure-docker-service-ui and rebuilding them. I am now able to bring up the allure UI login page in OpenShift. I don't know any login credentials though. The creds from allure-secret don't work. Any pointers would be very helpful.
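Added example, not part of the thread or of the project's code: a shell check for the kind of permission problem discussed above, which lists paths under a directory such as /app that a container user with an unpredictable UID could not write, plus the matching fix. It assumes the platform places that user in group 0 (OpenShift's behaviour when it assigns an arbitrary UID) and uses group ownership with `chmod g=u` instead of a hard-coded UID; the function names are illustrative.

```shell
#!/bin/sh
# Added example (not project code). Assumption: the platform starts the
# container with an unpredictable UID whose group is GID 0, so writable
# paths must be group-owned by that GID with group bits matching the owner's.

# Print every path under DIR that such a user could not use:
#   - not owned by the expected group,
#   - missing group write, or
#   - executable/searchable by the owner but not by the group.
audit_arbitrary_uid() {
    dir=$1
    gid=${2:-0}
    find "$dir" \( ! -group "$gid" \
        -o ! -perm -020 \
        -o \( -perm -100 ! -perm -010 \) \) -print
}

# Hand the tree to the expected group and copy the owner's bits to the group.
# In an image build this runs as root before the final USER instruction.
fix_arbitrary_uid() {
    dir=$1
    gid=${2:-0}
    chgrp -R "$gid" "$dir" && chmod -R g=u "$dir"
}

# Stand-alone use: ./audit.sh /app [gid]; exits 1 when something is flagged.
if [ "$#" -gt 0 ]; then
    bad=$(audit_arbitrary_uid "$@")
    [ -z "$bad" ] || { printf '%s\n' "$bad"; exit 1; }
fi
```

Running the audit against the built image's application directory before deployment surfaces the same paths that would otherwise appear as `Permission denied` in the pod log.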

fescobar commented 3 years ago

@sayantandas use the credentials defined in the backend container: https://github.com/fescobar/allure-docker-service#enable-security

Show your console log (network tab) in your browser.

fescobar commented 2 years ago

https://github.com/fescobar/allure-docker-service/issues/108#issuecomment-1131355964