
Comments (7)

soltysh commented on July 21, 2024 1

I'm guessing this issue should be opened against https://github.com/sclorg/s2i-base-container rather than the python image. But has my full support!

from s2i-python-container.

GrahamDumpleton commented on July 21, 2024

One thing you may have to be careful of in doing this is that you may want to skip setting up libnss_wrapper if the user ID is the default 1001 user. There would strictly be no need to do it in that case.

Not that the situation would arise under OpenShift, but `libnss_wrapper` should never be set up when the user ID is `0`. It will not work in that situation.

This would only ever arise if for some reason someone took an image generated by S2I and used it with a normal Docker service and forced it to run as root by using the `docker run -u` option.


bparees commented on July 21, 2024

we've actually started to move away from libnss wrapper and instead are just chmod'ing /etc/passwd to make it group-writable and then updating it during startup:

https://github.com/openshift/jenkins/blob/master/2/Dockerfile#L53
https://github.com/openshift/jenkins/blob/master/2/contrib/s2i/run#L59-L61
https://github.com/openshift/jenkins/blob/master/2/contrib/jenkins/jenkins-common.sh#L12-L22

it's a much simpler approach and should address the issue described here. I would recommend the SCL images adopt it.
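
The startup update bparees describes, as an added example that is not part of the thread or of the linked Jenkins image code: a function that appends a passwd entry for the arbitrary uid and skips uids that already resolve (uid `0`, the default 1001 user). The function name, its return codes, the `default` login name and the `u<uid>` fallback name are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the linked repositories.
# Assumes the image build already ran: chgrp 0 /etc/passwd && chmod g+w /etc/passwd

# ensure_passwd_entry FILE UID GID HOME [NAME]
# Returns 0 = entry appended, 1 = uid already resolvable (nothing to do),
#         2 = invalid input or file not writable.
ensure_passwd_entry() {
    pw_file=$1; pw_uid=$2; pw_gid=$3; pw_home=$4; pw_name=${5:-default}

    # Numeric ids only, and no ':' or newline that could forge extra fields or entries.
    case $pw_uid in ''|*[!0-9]*) return 2 ;; esac
    case $pw_gid in ''|*[!0-9]*) return 2 ;; esac
    case $pw_name$pw_home in *:*|*'
'*) return 2 ;; esac

    # Skip when the uid already has an entry: uid 0 and the image's default
    # 1001 user need nothing added.
    if awk -F: -v u="$pw_uid" '$3 == u { f = 1 } END { exit !f }' "$pw_file"; then
        return 1
    fi

    [ -w "$pw_file" ] || return 2

    # Login names must stay unique; fall back to a uid-derived name on a clash.
    if awk -F: -v n="$pw_name" '$1 == n { f = 1 } END { exit !f }' "$pw_file"; then
        pw_name="u$pw_uid"
    fi

    # Do not glue the new entry onto an unterminated last line.
    if [ -n "$(tail -c 1 "$pw_file")" ]; then printf '\n' >> "$pw_file"; fi

    printf '%s:x:%s:%s:%s user:%s:/sbin/nologin\n' \
        "$pw_name" "$pw_uid" "$pw_gid" "$pw_name" "$pw_home" >> "$pw_file"
}

# Typical call from a container entrypoint:
#   ensure_passwd_entry /etc/passwd "$(id -u)" "$(id -g)" "${HOME:-/}" || true
```

Because the file stays group-writable for the life of the container, the field validation matters: any process running with gid 0 can append to it, so the startup code should at least not write malformed entries itself.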


bparees commented on July 21, 2024

@hhorak see my last comment.


torsava commented on July 21, 2024

@bparees Does that approach have any drawbacks over libnss wrapper?

Also, I agree with @soltysh, this should be opened against s2i-base. If there's no opposition, I'll do it later today.


bparees commented on July 21, 2024

> @bparees Does that approach have any drawbacks over libnss wrapper?

it makes people nervous because /etc/passwd is writable by anyone. but we haven't actually found a way to exploit that fact, so assuming someone doesn't come up with something, i don't think there are any drawbacks... from a functional perspective it's certainly much nicer/simpler.


hhorak commented on July 21, 2024

Let's track this issue only in sclorg/s2i-base-container#116.
