readonlyfilesystem and running as not-root (from helm example) makes pod fail
KlavsKlavsen opened this issue
I enabled the security settings given in values.yaml: https://github.com/yetibot/yetibot-helm/blob/master/charts/yetibot/values.yaml#L31
But the docker image is not built to actually work with that :(
mktemp: failed to create file via template ‘/tmp/lein-trampoline-XXXXXXXXXXXXX’: Read-only file system
java.lang.Exception: Couldn't create directories: /.lein
at leiningen.core.utils$mkdirs.invokeStatic (utils.clj:71)
leiningen.core.utils$mkdirs.invoke (utils.clj:67)
leiningen.core.user$leiningen_home.invokeStatic (user.clj:28)
leiningen.core.user$leiningen_home.invoke (user.clj:22)
leiningen.core.user$fn__8140.invokeStatic (user.clj:34)
leiningen.core.user/fn (user.clj:33)
clojure.lang.AFn.applyToHelper (AFn.java:152)
clojure.lang.AFn.applyTo (AFn.java:144)
clojure.core$apply.invokeStatic (core.clj:665)
clojure.core$memoize$fn__6877.doInvoke (core.clj:6353)
clojure.lang.RestFn.invoke (RestFn.java:397)
leiningen.core.main$_main$fn__7420.invoke (main.clj:445)
leiningen.core.main$_main.invokeStatic (main.clj:442)
leiningen.core.main$_main.doInvoke (main.clj:439)
clojure.lang.RestFn.applyTo (RestFn.java:137)
clojure.lang.Var.applyTo (Var.java:705)
clojure.core$apply.invokeStatic (core.clj:665)
clojure.main$main_opt.invokeStatic (main.clj:514)
clojure.main$main_opt.invoke (main.clj:510)
clojure.main$main.invokeStatic (main.clj:664)
clojure.main$main.doInvoke (main.clj:616)
clojure.lang.RestFn.applyTo (RestFn.java:137)
clojure.lang.Var.applyTo (Var.java:705)
clojure.main.main (main.java:40)
stream closed
And when I remove that and just have the rest (don't run as root), it complains instead that it can't create /.lein
(which it obviously can't, as / is owned by root and only writable by root).
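The two failures quoted above (mktemp under /tmp and ~/.lein resolving to /.lein) are both "nowhere writable" problems, not reasons to drop the hardening. As an added example that is not part of the chart or this issue, a Pod spec can keep runAsNonRoot and readOnlyRootFilesystem and give just those paths a scratch emptyDir; the image reference, UID and /home/yetibot path are assumptions.

```yaml
# Added example, not the yetibot-helm chart's own manifest.
# Keeps the hardened settings and supplies writable scratch space only where
# the stack trace above shows Leiningen needs it. UID, image and paths assumed.
apiVersion: v1
kind: Pod
metadata:
  name: yetibot-example
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001        # assumed UID; the image must tolerate an arbitrary non-root UID
    runAsGroup: 10001
    fsGroup: 10001
  containers:
    - name: yetibot
      image: yetibot/yetibot:latest   # assumed image reference
      env:
        # Leiningen resolves ~/.lein from HOME; with HOME unset it tried /.lein,
        # which is root-owned. Point HOME at a writable scratch volume instead.
        - name: HOME
          value: /home/yetibot
      securityContext:
        readOnlyRootFilesystem: true
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: tmp
          mountPath: /tmp          # lein-trampoline's mktemp file lands here
        - name: home
          mountPath: /home/yetibot # $HOME/.lein lands here
  volumes:
    - name: tmp
      emptyDir: {}
    - name: home
      emptyDir: {}
```

emptyDir is node-local scratch that disappears with the pod, which is fine here because application logs go to stdout/stderr rather than the filesystem; everything outside the two mounts stays read-only, so a compromised process still cannot modify the container's own files.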
Thanks for reporting @KlavsKlavsen. These suggested settings were generated by the helm chart, but they aren't actually supported (I've never tested them). Yetibot requires write access for logging, at the very least. That can be disabled though.
Do you think it's an important feature? We could see if it works with logging disabled.
@devth It is a HUGE security feature to make the process run as non-root.. in OpenShift you aren't even allowed to run a docker instance that doesn't work running as not-root - and with good reason. Many docker/pod escapes only work if the process inside runs as root.. So if this can be disabled, it greatly increases k8s security level for the pod (minimizing chance of escape greatly).
Here's one example: https://medium.com/@DahlitzF/run-python-applications-as-non-root-user-in-docker-containers-by-example-cba46a0ff384 (for python process - it's even simpler for a GO application :)
And as to readonlyfilesystem - the norm is to log to stdout/stderr - removing the need for logging to the filesystem - to avoid the need for write access (and hence an attack on code inside pod/container can't actually write anything to the container.. which is often a huge part of subverting/attacking a service).
The rolling log appender can be disabled. Looks like this config option wasn't documented, but I added it in yetibot/core@254da5c.
Agree on the standard to log to stdout/stderr in container environments. I just disabled it by default in the Helm chart: yetibot/yetibot-helm@988fd7d...a115098
Thanks for bringing up running as non-root. Agree we should support this.