
Dockerfile incompatible with OpenShift dynamic UID allocation and security constraints #983

Open
edsoncsouza opened this issue Oct 29, 2024 · 0 comments

edsoncsouza commented Oct 29, 2024

What is currently missing?

The current Dockerfile does not adhere to the updated best practices outlined in “Support arbitrary user ids”, specifically regarding dynamic User ID (UID) allocation. OpenShift assigns arbitrary UIDs to containers to enhance security, and the current Dockerfile lacks the necessary configurations to handle these dynamic UIDs properly. Without these adjustments, the container may fail to run as intended in an OpenShift environment.

How could this be improved?

To align the Dockerfile with the updated OpenShift best practices for dynamic UID handling, the following improvements are proposed:

Dynamic UID Handling: Modify file and directory permissions to ensure compatibility with OpenShift's dynamic UID allocation. Specifically, use commands like `RUN chgrp -R 0 /opt/karapace && chmod -R g+rwX /opt/karapace` to ensure that the container user, which is always part of the root group, has appropriate read and write permissions. Additionally, add the user 'karapace' to group '0' to provide the necessary permissions for accessing and modifying directories such as /opt/karapace and others as needed. This allows the container to run without requiring root privileges while ensuring that necessary files and directories are accessible.

These changes will ensure that the Dockerfile is compatible with OpenShift's dynamic security model, allowing containers to run seamlessly without requiring elevated permissions or predefined UIDs.

Is this a feature you would work on yourself?

  • I plan to open a pull request for this feature

I already have the implementation ready for review and would greatly appreciate any feedback or suggestions. My goal is to ensure that this change aligns well with project standards and OpenShift best practices.
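The Dockerfile changes the issue proposes, written out as an added example; this is not the Karapace project's own Dockerfile or the author's pending pull request, and the base image, the fixed build-time UID 1000 and the /opt/karapace layout are assumptions:

```dockerfile
# Added example, not Karapace's real Dockerfile: an image fragment that follows
# the OpenShift "Support arbitrary user ids" guidance discussed in this issue.
# Assumptions: the application tree lives under /opt/karapace and the base
# image ships useradd.
FROM python:3.12-slim

# Create the application user with the root group (GID 0) as its primary group.
# OpenShift replaces the UID below with an arbitrary one at run time, but that
# runtime UID is always a member of GID 0, so group permissions are what count.
RUN useradd --uid 1000 --gid 0 --no-create-home --shell /usr/sbin/nologin karapace

COPY --chown=1000:0 . /opt/karapace
WORKDIR /opt/karapace

# Hand the tree to GID 0 and give the group read/write access; the capital X
# adds execute only on directories (and files already executable), so the tree
# stays traversable without making every file executable.
RUN chgrp -R 0 /opt/karapace && chmod -R g+rwX /opt/karapace

# Use a numeric UID:GID pair. A non-root policy check (runAsNonRoot / the
# restricted SCC) cannot verify a bare username and rejects the pod, and the
# explicit GID 0 keeps the group membership even when the UID is overridden.
USER 1000:0
```

Before pushing, the arbitrary-UID behaviour can be checked locally with a plain container runtime by starting the image with an unrelated UID and the root group, for example `--user 1234567:0`, and confirming the process can still create a file under /opt/karapace.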
