  1. JS - JobScheduler
  2. JS-2044

Docker images consider more strict security context

Details

    Description

      Current Situation

      • Docker images of the JS7 Controller, Agent and JOC Cockpit require containers to be started either
        • from the root account, or
        • from a user account whose user id and group id are 1001, matching the user id and group id used at build time.
      • Docker containers effectively run with the jobscheduler account and group (id 1001). However, the entrypoint.sh script expects to be started either from a matching user id/group id or from the root account, which allows it to switch to the jobscheduler account on start-up of the container.
      • This mechanism is intended to allow users to access files from volume mounts (config, logs) without the need to have root access to files in volume mounts at run-time.
      • At the same time, this mechanism interferes with stricter security contexts such as those imposed by OpenShift®.
        • For OpenShift® policies see Adapting Docker and Kubernetes containers to run on Red Hat OpenShift Container Platform
        • This does not apply to the use of Kubernetes® or other container management systems in general, but to the use of specific security contexts.
        • OpenShift® security policies for container start-up are questionable. However, an engineering solution should cover both the standard start-up of containers and the stricter (not necessarily more secure) start-up of containers imposed by OpenShift®.

      Desired Behavior

      • Files and directories used by JS7 components in an image are owned by the root group (group id 0), and their group permissions are set to match the original user (owner) permissions.
      • JS7 images should not expect the entrypoint.sh script to be started from the root account.
        • If started from the root account, the known behavior applies: ownership of folders on mounted volumes is changed to the run-time account of the container.
        • If started from a non-root account that is assigned the root group, no commands are executed that require root permission, such as chown, su etc.
      • More detailed explanations are available from the JS7 - Build Docker Images articles.
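
      The start-up decision and the image permission rule described above, as an added sketch (this is not the JS7 entrypoint.sh; the function names and the "refuse" outcome are assumptions, the ids 1001 are taken from this issue):

```shell
#!/bin/sh
# Added sketch, not the JS7 entrypoint.sh. Function names and the "refuse"
# outcome are assumptions; uid/gid 1001 are the build-time ids from the issue.
RUN_UID=1001
RUN_GID=1001

# Image check: succeed only if the group permission bits of a path equal the
# owner bits, i.e. the result of `chgrp -R 0 DIR && chmod -R g=u DIR` at build.
group_matches_owner() {
    perms=$(ls -ld "$1" | cut -c2-7) || return 2
    [ "$(printf %s "$perms" | cut -c1-3)" = "$(printf %s "$perms" | cut -c4-6)" ]
}

# Start-up decision. $1 = effective uid, remaining args = group ids (id -G).
# Prints: chown-and-switch | run-direct | refuse
startup_plan() {
    uid=$1; shift
    if [ "$uid" -eq 0 ]; then
        # root: chown folders on mounted volumes, then switch to RUN_UID
        echo chown-and-switch
        return
    fi
    for gid in "$@"; do
        # Matching build-time ids, or any uid that holds the root group (0):
        # start the component directly and never call chown or su.
        if [ "$gid" -eq 0 ] ||
           { [ "$uid" -eq "$RUN_UID" ] && [ "$gid" -eq "$RUN_GID" ]; }; then
            echo run-direct
            return
        fi
    done
    # Assumption: an account with neither the build-time ids nor group 0
    # cannot write to the image's files, so start-up is refused early.
    echo refuse
}

# Show the plan for the account this shell runs under.
startup_plan "$(id -u)" $(id -G)
```

      A container started with an arbitrary user id and group 0, as a stricter security context does, takes the run-direct branch only if the image directories pass group_matches_owner.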

            People

              Andreas Püschel
              Andreas Püschel
              Kanika Agrawal