Use debian-base as base image #154
All of the main Kubernetes components are switching to it, since we can maintain it more easily.

Still playing with this.
It would ease the usage of libnss_wrapper that are not available on alpine:

```yaml
securityContext:
  runAsUser: 65533 # git-sync user
securityContext:
  fsGroup: 65533 # to make SSH key readable
```
Are you saying those are not needed or that we need more work to get rid of
those, but now it would be possible? I don't know the details..

On Fri, Mar 15, 2019 at 6:18 AM Julien Acroute ***@***.*** wrote:
> It would ease the usage of libnss_wrapper that are not available on alpine:
> https://bugs.alpinelinux.org/issues/6710
> With libnss_wrapper we could get rid of :
> securityContext:
>   runAsUser: 65533 # git-sync user
> securityContext:
>   fsGroup: 65533 # to make SSH key readable
I think we need more work to get rid of this: We need entry in /etc/passwd to be able to use ssh commands. One way to do this at runtime is to use libnss_wrapper (https://cwrap.org/nss_wrapper.html). We can dynamically populate passwd and group file with this kind of shell script:

```sh
#!/bin/sh
# Create passwd/group entries for whatever uid/gid the pod was started with.
echo "git-sync:x:$(id -u):$(id -g):git-sync:/tmp:/bin/sh" > /tmp/passwd
echo "git-sync:x:$(id -g):" > /tmp/group
# Hand off to git-sync, passing the arguments through unchanged ("$@" rather than $*).
exec /git-sync "$@"
```

and use libnss_wrapper to use these new files before launching git-sync with 3 env vars:

```yaml
env:
  - name: LD_PRELOAD
    value: /usr/local/lib64/libnss_wrapper.so
  - name: NSS_WRAPPER_PASSWD
    value: /tmp/passwd
  - name: NSS_WRAPPER_GROUP
    value: /tmp/group
```

Adding libnss_wrapper.so is done with:

```sh
# Build dependencies (removable afterwards as the .nss_wrapper-build-deps virtual package)
apk add --no-cache --virtual .nss_wrapper-build-deps git build-base cmake cmocka-dev
git clone git://git.samba.org/nss_wrapper.git
cd nss_wrapper
mkdir build
cd build/
# musl ships no nss.h, so provide the enum nss_wrapper expects
mkdir -p /usr/local/include/
echo -e "#ifndef NSS__H\n#define NSS__H\n\nenum nss_status\n{\n\tNSS_STATUS_TRYAGAIN = -2,\n\tNSS_STATUS_UNAVAIL = -1,\n\tNSS_STATUS_NOTFOUND = 0,\n\tNSS_STATUS_SUCCESS = 1,\n\tNSS_STATUS_RETURN = 2\n};\n\n#endif" > /usr/local/include/nss.h
cmake .. -DUNIT_TESTING:BOOL=ON
make
make CTEST_OUTPUT_ON_FAILURE=TRUE test
make install
```

This way I can run git-sync on openshift platform without any specific serviceAccount. So switching to debian may help because debian already includes libnss_wrapper.
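The entrypoint and the three NSS_WRAPPER_* variables described above, as an added example that is not part of this PR or the git-sync project: it preloads the wrapper only when the real NSS cannot resolve the running UID, and it keeps the generated files in an owner-only directory rather than loose in the shared /tmp. The library path in NSS_WRAPPER_LIB, the RUN_ENTRYPOINT guard and /git-sync as the exec target are assumptions.

```shell
#!/bin/sh
# Added example, not git-sync project code: entrypoint that fabricates
# nss_wrapper passwd/group entries for an arbitrary UID, only when the real NSS
# does not know it. Hypothetical: NSS_WRAPPER_LIB, RUN_ENTRYPOINT, /git-sync.

NSS_WRAPPER_LIB="${NSS_WRAPPER_LIB:-/usr/lib/libnss_wrapper.so}"  # hypothetical

# passwd(5) entry for the running user: name, uid, gid, home, shell.
nss_passwd_line() {
    printf 'git-sync:x:%s:%s:git-sync:/tmp:/bin/sh\n' "$(id -u)" "$(id -g)"
}

# group(5) entry matching the running user's primary gid.
nss_group_line() {
    printf 'git-sync:x:%s:\n' "$(id -g)"
}

# True when the real NSS already resolves our uid (no wrapper needed).
uid_is_known() {
    if command -v getent >/dev/null 2>&1; then
        getent passwd "$(id -u)" >/dev/null 2>&1
    else
        grep -q "^[^:]*:[^:]*:$(id -u):" /etc/passwd 2>/dev/null
    fi
}

# Write both files into a private directory ($1). Files dropped straight into
# the shared /tmp could be replaced by any other process in the container,
# and the preloaded library would then report whatever identity they contain.
write_nss_files() {
    dir="$1"
    mkdir -p "$dir" && chmod 0700 "$dir"
    ( umask 077; nss_passwd_line > "$dir/passwd"; nss_group_line > "$dir/group" )
}

# Entrypoint: preload the wrapper only for a genuinely unknown uid.
run_git_sync() {
    if uid_is_known; then
        exec /git-sync "$@"
    fi
    nssdir="${NSS_WRAPPER_DIR:-$(mktemp -d)}"   # mktemp -d creates it mode 0700
    write_nss_files "$nssdir"
    LD_PRELOAD="$NSS_WRAPPER_LIB" \
    NSS_WRAPPER_PASSWD="$nssdir/passwd" \
    NSS_WRAPPER_GROUP="$nssdir/group" \
    exec /git-sync "$@"
}

# Only act as the entrypoint when asked, so the functions can be tested alone.
if [ "${RUN_ENTRYPOINT:-0}" = "1" ]; then run_git_sync "$@"; fi
```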
If you have time to prototype this, it would be great - I don't have
openshift, so I can't test it directly.

On Fri, Mar 15, 2019 at 8:33 AM Julien Acroute ***@***.*** wrote:
> > Are you saying those are not needed or that we need more work to get rid
> > of those, but now it would be possible? I don't know the details..
>
> I think we need more work to get rid of this:
> I'm currently working on an openshift platform where pods are run with
> arbitrary user. So I have random UID like : 1000320000. Policies / guidelines
> prevent me from creating serviceAccount anyuid/runasroot... So I'm
> looking for a way to run git-sync as arbitrary user.
> We need entry in /etc/passwd to be able to use ssh commands. One way to
> do this at runtime is to use libnss_wrapper
> <https://cwrap.org/nss_wrapper.html>. We can dynamically populate passwd
> and group file with this kind of shell script :
>
>     #!/bin/sh
>     echo "git-sync:x:$(id -u):$(id -g):git-sync:/tmp:/bin/sh" > /tmp/passwd
>     echo "git-sync:x:$(id -g):" > /tmp/group
>     exec /git-sync "$@"
>
> and use libnss_wrapper to use these new files before launching git-sync
> with 3 env vars :
>
>     env:
>       - name: LD_PRELOAD
>         value: /usr/local/lib64/libnss_wrapper.so
>       - name: NSS_WRAPPER_PASSWD
>         value: /tmp/passwd
>       - name: NSS_WRAPPER_GROUP
>         value: /tmp/group
>
> Adding libnss_wrapper.so is done with :
>
>     apk add --no-cache --virtual .nss_wrapper-build-deps git build-base cmake cmocka-dev
>     git clone git://git.samba.org/nss_wrapper.git
>     cd nss_wrapper
>     mkdir build
>     cd build/
>     mkdir -p /usr/local/include/
>     echo -e "#ifndef NSS__H\n#define NSS__H\n\nenum nss_status\n{\n\tNSS_STATUS_TRYAGAIN = -2,\n\tNSS_STATUS_UNAVAIL = -1,\n\tNSS_STATUS_NOTFOUND = 0,\n\tNSS_STATUS_SUCCESS = 1,\n\tNSS_STATUS_RETURN = 2\n};\n\n#endif" > /usr/local/include/nss.h
>     cmake .. -DUNIT_TESTING:BOOL=ON
>     make
>     make CTEST_OUTPUT_ON_FAILURE=TRUE test
>     make install
>
> This way I can run git-sync on openshift platform without any specific
> serviceAccount.
> So switching to debian may help because debian already includes
> libnss_wrapper <https://packages.debian.org/stretch/libnss-wrapper>
Done with #155
#155 shows how to keep Alpine and use libnss (though nothing calls that
script?) If we switch to debian we no longer need any of that?

On Mon, Mar 18, 2019 at 6:33 AM Julien Acroute ***@***.*** wrote:
> > If you have time to prototype this, it would be great - I don't have
> > openshift, so I can't test it directly.
>
> Done with #155
> though nothing calls that script?

In order to use libnss_wrapper you need to set at least 3 env vars:
LD_PRELOAD: path to the libnss_wrapper.so file
NSS_WRAPPER_PASSWD: path to the fake passwd file (like /etc/passwd)
NSS_WRAPPER_GROUP: path to the fake group file
but I can define those variables at build time in Dockerfile

> If we switch to debian we no longer need any of that?

We don't need to build libnss_wrapper but we still need to use it to fit openshift security requirement
OK, so this adds fuel to the usage of debian-base. If you have time,
you could build a PR on top of mine that does the libnss
implementation and then it would be queued up if we merge this one :)
And it would illustrate how much simpler it is.

On Mon, Mar 18, 2019 at 11:54 PM Julien Acroute ***@***.*** wrote:
> > though nothing calls that script?
>
> In order to use libnss_wrapper you need to set at least 3 env vars:
> LD_PRELOAD: path to the libnss_wrapper.so file
> NSS_WRAPPER_PASSWD: path to the fake passwd file (like /etc/passwd)
> NSS_WRAPPER_GROUP: path to the fake group file
> but I can define those variables at build time in Dockerfile
>
> > If we switch to debian we no longer need any of that?
>
> We don't need to build libnss_wrapper but we still need to use it to fit openshift security requirement
I am removing the hold. I think we should do this.
/lgtm
/approve
/merge
/approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: stp-ip