staroids / community

Staroid is a cloud platform for open-source project that funds developers.
https://staroid.com

Cluster does not grant sudo #15

Open sr229 opened 4 years ago

sr229 commented 4 years ago

Apparently sandboxed containers do not grant sudo, which is required by containers like Cloud9 and VSCode. I, as a developer, would expect these stacks to just work out of the box like a real machine, and apparently the gVisor containers don't allow such.

staroider commented 4 years ago

Thanks @sr229 for the feedback.

We currently force non-root containers for security reasons. See https://engineering.bitnami.com/articles/running-non-root-containers-on-openshift.html. We'd like to allow root containers if they can give the same level of security. Unfortunately, we had to choose only one between security and allowing root containers with today's technology. And we think providing an enterprise level of security benefits users more.

Please share with us if you have a great solution for this!

sr229 commented 4 years ago

I think Kata Containers as an isolation solution would have done the job of what Dedicated would be doing, since it should allow root access to a container but completely isolate the damage to that specific container only, IMO. This would allow fine-grained resource constraints the same as gVisor-backed containers do as well.

staroider commented 4 years ago

We researched Kata Containers a little bit and it looks promising. However, there are a few things that make it difficult to adopt right now. We'll continue to evaluate this and more technologies to remove the non-root container restriction.

Thanks @sr229 for the suggestion!

sr229 commented 4 years ago

Another thing to note is that Kata Containers has an AWS Firecracker backend you can use (which is used at AWS in production), so Kata Containers has been production-proven.
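As an added illustration (not configuration from Staroid or from either commenter), this is how a Kubernetes cluster would express the two positions in the thread: the non-root policy enforced today on a gVisor sandbox, beside the Kata alternative where a root process inside the container is confined by the guest VM. The handler names `runsc` and `kata` and the image name are assumptions.

```yaml
# Added example, not Staroid's configuration. Assumes the nodes' containerd
# exposes runtime handlers named "runsc" (gVisor) and "kata" (Kata Containers).
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc
---
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata
handler: kata
---
# Today's shape: gVisor sandbox plus a non-root policy. The kubelet refuses
# to start the container as UID 0, and allowPrivilegeEscalation=false sets
# no_new_privs so setuid binaries such as sudo cannot raise privileges.
apiVersion: v1
kind: Pod
metadata:
  name: ide-nonroot
spec:
  runtimeClassName: gvisor
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: ide
    image: example/ide:latest   # placeholder image name
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
---
# The Kata variant proposed in the thread: the container may run as root,
# but that root is confined by the guest VM boundary rather than by a UID.
apiVersion: v1
kind: Pod
metadata:
  name: ide-kata
spec:
  runtimeClassName: kata
  securityContext:
    runAsUser: 0
  containers:
  - name: ide
    image: example/ide:latest   # placeholder image name
```

A Pod that requests a RuntimeClass whose handler is not installed on any node stays Pending, so apply the RuntimeClass objects only after the matching runtime is configured on the nodes.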