Posted to dev@cloudstack.apache.org by GitBox <gi...@apache.org> on 2021/04/07 19:41:19 UTC

[GitHub] [cloudstack-kubernetes-provider] joschi36 opened a new pull request #25: use non-root container

joschi36 opened a new pull request #25:
URL: https://github.com/apache/cloudstack-kubernetes-provider/pull/25


   I have detected that our container
   1. runs as the root user
   2. can't run as a non-root user
   
   Therefore, I updated the deployment to run as user 1000 by default and moved the binary out of the `/root/` directory.
   
   Also, I changed the `CMD` to `ENTRYPOINT`, so you can use `args` in the Kubernetes deployment. Then you don't need to know the command to start the daemon and can just add multiple arguments.
   
   Ref:
   - https://amazicworld.com/get-the-evil-out-dont-run-containers-as-root/
   - https://engineering.bitnami.com/articles/why-non-root-containers-are-important-for-security.html


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [cloudstack-kubernetes-provider] joschi36 commented on pull request #25: use non-root container

Posted by GitBox <gi...@apache.org>.
joschi36 commented on pull request #25:
URL: https://github.com/apache/cloudstack-kubernetes-provider/pull/25#issuecomment-824628638


   > @joschi36 Tested and works. Also distroless comes with ca certs so they can be removed from the Dockerfile
   
   @davidjumani I have just removed the ca-certificates part from the Dockerfile. If you agree, it's good to merge now.





[GitHub] [cloudstack-kubernetes-provider] rhtyd commented on pull request #25: use non-root container

Posted by GitBox <gi...@apache.org>.
rhtyd commented on pull request #25:
URL: https://github.com/apache/cloudstack-kubernetes-provider/pull/25#issuecomment-824622039


   @davidjumani @joschi36 is this good to merge now?





[GitHub] [cloudstack-kubernetes-provider] davidjumani commented on pull request #25: use non-root container

Posted by GitBox <gi...@apache.org>.
davidjumani commented on pull request #25:
URL: https://github.com/apache/cloudstack-kubernetes-provider/pull/25#issuecomment-823148788


   @joschi36 You can try distroless instead, which works fine and makes life easier: https://github.com/GoogleContainerTools/distroless/blob/main/base/README.md
   
   ```dockerfile
   # build stage: static binary, no cgo, so it runs on an image without libc
   FROM golang:1.13 as builder
   COPY . /go/src/github.com/apache/cloudstack-kubernetes-provider
   WORKDIR /go/src/github.com/apache/cloudstack-kubernetes-provider
   RUN make clean && CGO_ENABLED=0 GOOS=linux make
   
   # runtime stage: distroless static image, unprivileged user
   FROM gcr.io/distroless/static
   USER nonroot:nonroot
   COPY --from=builder /go/src/github.com/apache/cloudstack-kubernetes-provider/cloudstack-ccm /app/cloudstack-ccm
   ENTRYPOINT [ "/app/cloudstack-ccm", "--cloud-provider", "external-cloudstack" ]
   ```





[GitHub] [cloudstack-kubernetes-provider] rhtyd commented on pull request #25: use non-root container

Posted by GitBox <gi...@apache.org>.
rhtyd commented on pull request #25:
URL: https://github.com/apache/cloudstack-kubernetes-provider/pull/25#issuecomment-822966237


   @onitake @davidjumani are you LGTM on it?
   @joschi36 do you have any test results?





[GitHub] [cloudstack-kubernetes-provider] rhtyd merged pull request #25: use non-root container

Posted by GitBox <gi...@apache.org>.
rhtyd merged pull request #25:
URL: https://github.com/apache/cloudstack-kubernetes-provider/pull/25


   





[GitHub] [cloudstack-kubernetes-provider] joschi36 commented on pull request #25: use non-root container

Posted by GitBox <gi...@apache.org>.
joschi36 commented on pull request #25:
URL: https://github.com/apache/cloudstack-kubernetes-provider/pull/25#issuecomment-823037631


   > I'd prefer to use a scratch image if possible. That's the most secure imo
   
   @davidjumani We used alpine as we need ca-certificates. But I can have a look at this: https://chemidy.medium.com/create-the-smallest-and-secured-golang-docker-image-based-on-scratch-4752223b7324#ae0c





[GitHub] [cloudstack-kubernetes-provider] joschi36 commented on pull request #25: use non-root container

Posted by GitBox <gi...@apache.org>.
joschi36 commented on pull request #25:
URL: https://github.com/apache/cloudstack-kubernetes-provider/pull/25#issuecomment-823066822


   Hi @davidjumani, I just created the container from scratch, but when starting, it fails at creating a self-signed cert. Maybe you have an idea?
   
   ```
   I0420 07:54:23.313921       1 serving.go:319] Generated self-signed cert in-memory
   open /tmp/client-ca-file159816038: no such file or directory
   ```
   
   **Dockerfile:**
   ```dockerfile
   FROM golang:1.13 as builder
   COPY . /go/src/github.com/apache/cloudstack-kubernetes-provider
   WORKDIR /go/src/github.com/apache/cloudstack-kubernetes-provider
   RUN apt-get update && apt-get install -y locales ca-certificates
   RUN make clean && CGO_ENABLED=0 GOOS=linux make
   
   FROM scratch
   COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
   USER 1000
   COPY --from=builder /go/src/github.com/apache/cloudstack-kubernetes-provider/cloudstack-ccm /app/cloudstack-ccm
   ENTRYPOINT [ "/app/cloudstack-ccm", "--cloud-provider", "external-cloudstack" ]
   ```





[GitHub] [cloudstack-kubernetes-provider] davidjumani commented on pull request #25: use non-root container

Posted by GitBox <gi...@apache.org>.
davidjumani commented on pull request #25:
URL: https://github.com/apache/cloudstack-kubernetes-provider/pull/25#issuecomment-822971361


   I'd prefer to use a scratch image if possible. That's the most secure imo





[GitHub] [cloudstack-kubernetes-provider] joschi36 commented on pull request #25: use non-root container

Posted by GitBox <gi...@apache.org>.
joschi36 commented on pull request #25:
URL: https://github.com/apache/cloudstack-kubernetes-provider/pull/25#issuecomment-823264027


   @davidjumani You are totally right. Forgot distroless :sweat_smile: 
   
   I have updated the Dockerfile with `distroless/static:nonroot` and tested it in our setup.
   Can you maybe quickly test if it works for you as well?
   
   I have pushed a development version here: `docker.io/swisstxt/cloudstack-kubernetes-provider:non-root-container-dirty-879418d1`





[GitHub] [cloudstack-kubernetes-provider] davidjumani commented on pull request #25: use non-root container

Posted by GitBox <gi...@apache.org>.
davidjumani commented on pull request #25:
URL: https://github.com/apache/cloudstack-kubernetes-provider/pull/25#issuecomment-823039778


   @joschi36 Sounds good. That's the way we create scratch images with certs in our deployments. Let me know if I can help with anything





[GitHub] [cloudstack-kubernetes-provider] davidjumani commented on pull request #25: use non-root container

Posted by GitBox <gi...@apache.org>.
davidjumani commented on pull request #25:
URL: https://github.com/apache/cloudstack-kubernetes-provider/pull/25#issuecomment-824608536


   @joschi36 Tested and works. Also distroless comes with ca certs so they can be removed from the Dockerfile.

