kiwigrid / secret-replicator


Run as non-root #8

Closed funkypenguin closed 4 years ago

funkypenguin commented 4 years ago

Hey Kiwis :)

This PR changes the Dockerfile to run as the "nobody" user, rather than root. This is to satisfy constraints placed on Kubernetes by PodSecurityPolicies, and makes the container run nicely on a locked-down cluster!

Cheers :) D

axdotl commented 4 years ago

Hello. Thanks for this! Can you verify that the image is still working with this change (shame on us that there is no CI)? I tested it locally and received the following error when running the image:

docker: Error response from daemon: OCI runtime create failed: container_linux.go:346: starting container process caused "chdir to cwd (\"/root\") set in config.json failed: permission denied": unknown.
funkypenguin commented 4 years ago

Ah, sorry, I left out the final commit. The problem is that the WORKDIR of /root is not accessible to the nobody user. This is fixed now, and confirmed working in my local k3s cluster:

sandbox                     letsencrypt-wildcard-cert                            kubernetes.io/tls                     3      7h9m
nginx-ingress               letsencrypt-wildcard-cert                            kubernetes.io/tls                     3      7h9m
openldap                    letsencrypt-wildcard-cert                            kubernetes.io/tls                     3      7h9m
logging                     letsencrypt-wildcard-cert                            kubernetes.io/tls                     3      7h9m
harbor                      letsencrypt-wildcard-cert                            kubernetes.io/tls                     3      7h9m
concourse-main              letsencrypt-wildcard-cert                            kubernetes.io/tls                     3      7h9m
default                     letsencrypt-wildcard-cert                            kubernetes.io/tls                     3      7h9m
topolvm-system              letsencrypt-wildcard-cert                            kubernetes.io/tls                     3      7h9m
kube-node-lease             letsencrypt-wildcard-cert                            kubernetes.io/tls                     3      7h9m
cert-manager                letsencrypt-wildcard-cert                            kubernetes.io/tls                     3      7h9m
external-dns                letsencrypt-wildcard-cert                            kubernetes.io/tls                     3      7h9m
letsencrypt-wildcard-cert   letsencrypt-wildcard-cert                            kubernetes.io/tls                     3      7h33m
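The failure axdotl hit (a non-root USER combined with WORKDIR /root) is easy to catch before an image is ever run. The script below is an added example written for this thread, not code from kiwigrid/secret-replicator, and the three Dockerfiles it writes are constructed samples rather than the project's real Dockerfile. It walks USER and WORKDIR in order, as a build would, and flags an image that still runs as root or that switches to a non-root user while leaving WORKDIR under /root. It assumes the base image sets neither USER nor WORKDIR, so Docker's defaults (root and /) apply; it reads only the Dockerfile, not the built image.

```shell
#!/bin/sh
# Added example for this PR thread; not code from kiwigrid/secret-replicator.
# check_dockerfile walks the USER and WORKDIR directives of a Dockerfile in
# order (later directives win, as in a real build) and reports the two
# conditions discussed above: the image still runs as root, or it switched to
# a non-root user but left WORKDIR at /root (or below it), which fails at
# container start with "chdir to cwd ... permission denied".
# Assumption: the base image sets neither USER nor WORKDIR, so Docker's
# defaults (root, /) apply; the lint only sees the Dockerfile, not the image.

# check_dockerfile FILE
# exit 0: non-root user with a WORKDIR it can enter
# exit 1: final user is root
# exit 2: final WORKDIR is /root or beneath it while the user is not root
check_dockerfile() {
    user="root"   # Docker default when no USER directive appears
    workdir="/"   # Docker default when no WORKDIR directive appears
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
        case "$line" in
            ''|'#'*) continue ;;            # blank line or comment
        esac
        directive=$(printf '%s' "$line" | awk '{ print toupper($1) }')
        arg=$(printf '%s' "$line" | awk '{ print $2 }')
        case "$directive" in
            USER)    user="${arg%%:*}" ;;   # drop an optional :group
            WORKDIR) workdir="$arg" ;;
        esac
    done < "$1"

    case "$user" in
        root|0)
            echo "$1: image runs as root (USER $user)"
            return 1 ;;
    esac
    case "$user" in
        *[!0-9]*)
            # Kubernetes cannot prove a named user is non-root: with
            # runAsNonRoot: true the pod is rejected unless runAsUser is set.
            echo "$1: note: USER $user is a name, not a UID; prefer a numeric UID" ;;
    esac
    case "$workdir" in
        /root|/root/*)
            echo "$1: USER $user cannot chdir into WORKDIR $workdir"
            return 2 ;;
    esac
    echo "$1: OK, runs as $user with WORKDIR $workdir"
    return 0
}

# write_samples DIR: three constructed Dockerfiles (not the project's own).
write_samples() {
    cat > "$1/Dockerfile.root" <<'EOF'
FROM alpine
COPY app /usr/local/bin/app
WORKDIR /root
ENTRYPOINT ["/usr/local/bin/app"]
EOF
    # Non-root user, but WORKDIR still /root: the failure seen in the thread.
    cat > "$1/Dockerfile.before" <<'EOF'
FROM alpine
COPY app /usr/local/bin/app
WORKDIR /root
USER nobody
ENTRYPOINT ["/usr/local/bin/app"]
EOF
    # Directory owned by the runtime UID and a numeric USER: what a PSP wants.
    cat > "$1/Dockerfile.after" <<'EOF'
FROM alpine
COPY app /usr/local/bin/app
RUN mkdir -p /app && chown 65534:65534 /app
WORKDIR /app
USER 65534:65534
ENTRYPOINT ["/usr/local/bin/app"]
EOF
}

# Stand-alone run: lint all three samples and show the verdicts.
samples=$(mktemp -d)
write_samples "$samples"
for f in "$samples"/Dockerfile.*; do
    check_dockerfile "$f" || echo "  -> exit status $?"
done
rm -rf "$samples"
```

Drop the lint into CI as a pre-build step (for example `sh lint-dockerfile.sh` against the repository's Dockerfile; the filename is hypothetical) so a regression like the one in this PR fails the pipeline rather than the first `docker run`. The numeric-UID note matters on the locked-down clusters the PR targets: a PodSecurityPolicy or securityContext with `runAsNonRoot: true` makes the kubelet verify the UID, and an image whose USER is the name `nobody` is rejected as unverifiable unless `runAsUser` is also set, whereas `USER 65534` passes on its own.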