lf-edge / eve

EVE is Edge Virtualization Engine
https://www.lfedge.org/projects/eve/
Apache License 2.0

Use fixed uid/gid for vtpm container #3999

Closed shjala closed 1 week ago

shjala commented 1 week ago

Use the fixed IDs created in dom0 to run the VTPM container. This allows us to run the container as a non-root user and have control over the access control as described in #3989.

linuxkit-525400123456:~# ps aux | grep vtpm
 1540 root      0:00 /usr/bin/containerd-shim-runc-v2 -namespace services.linuxkit -id vtpm -address /run/containerd/containerd.sock
 1561 vtpm      0:00 {init.sh} /bin/sh /usr/bin/init.sh
 1629 vtpm      0:00 /usr/bin/vtpm_server
 3297 root      0:00 grep vtpm
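
A check modeled on the `ps` output above, as an added example that is not part of this PR or the EVE code base: it reads BusyBox-style `ps` output and reports whether `/usr/bin/vtpm_server` runs as the `vtpm` user. The names `check_proc_user` and `run_check` and the second sample are constructed for illustration.

```shell
#!/bin/sh
# Added example (not EVE project code). Assumes BusyBox-style ps columns:
# PID USER TIME COMMAND, as in the output quoted in the PR description.

# check_proc_user USER BINARY   (ps output on stdin)
#   0 = every BINARY process runs as USER
#   1 = at least one BINARY process runs as another user (lines are printed)
#   2 = no BINARY process found, so nothing was verified
check_proc_user() {
    awk -v want="$1" -v bin="$2" '
        $4 == bin {
            seen++
            if ($2 != want) { bad++; print "unexpected user: " $0 }
        }
        END {
            if (!seen) exit 2
            exit (bad ? 1 : 0)
        }'
}

# Sample taken from the PR description.
PAGE_SAMPLE=' 1540 root      0:00 /usr/bin/containerd-shim-runc-v2 -namespace services.linuxkit -id vtpm -address /run/containerd/containerd.sock
 1561 vtpm      0:00 {init.sh} /bin/sh /usr/bin/init.sh
 1629 vtpm      0:00 /usr/bin/vtpm_server
 3297 root      0:00 grep vtpm'

# Constructed sample: the same listing if the server were still running as root.
ROOT_SAMPLE=' 1561 root      0:00 {init.sh} /bin/sh /usr/bin/init.sh
 1629 root      0:00 /usr/bin/vtpm_server'

# Turn the exit status into a one-word verdict for the given ps listing.
run_check() {
    rc=0
    printf '%s\n' "$1" | check_proc_user vtpm /usr/bin/vtpm_server >/dev/null || rc=$?
    case $rc in
        0) echo pass ;;
        1) echo fail ;;
        *) echo not-running ;;
    esac
}

echo "PR sample:   $(run_check "$PAGE_SAMPLE")"
echo "root sample: $(run_check "$ROOT_SAMPLE")"
```

On a device, pipe live `ps` output into `check_proc_user` instead of the samples; status 2 keeps a stopped service from being read as a pass.
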
shjala commented 1 week ago

LGTM

Should we also update the hash for other references to eve-dom0-ztools? Or are the others up to date?

Don't think so, I'll do it in another PR.

shjala commented 1 week ago

@eriknordmark apart from vtpm, only pillar uses lfedge/eve-dom0-ztools, I'll wait for @andrewd-zededa #3996 and then update both vtpm and pillar.