Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use UID and GID for USER in Dockerfile #1922

Merged
merged 7 commits into from
Jul 28, 2023
Merged

Conversation

flickerfly
Copy link
Contributor

@flickerfly flickerfly commented Jul 25, 2023

Description

On clusters that strictly enforce no root containers via an Admission Controller, they can't determine that a named user isn't 0 in the container. This changes the container to identify the USER by UID and GID so the admission controller can allow this through.

Chainguard documents the UID and GID of nonroot https://edu.chainguard.dev/chainguard/chainguard-images/reference/static/overview/#users

Related Issue

Fixes #1921

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Other (security config, docs update, etc)

Checklist before merging

Solves issue #1921. 

On clusters that strictly enforce no root containers via an Admission Controller, they can't determine that a named user isn't 0 in the container. This changes the container to identify the USER by UID and GID so the admission controller can allow this through.

Chainguard documents the UID and GID of nonroot https://edu.chainguard.dev/chainguard/chainguard-images/reference/static/overview/#users
@netlify
Copy link

netlify bot commented Jul 25, 2023

Deploy Preview for zarf-docs canceled.

Name Link
🔨 Latest commit b2b259e
🔍 Latest deploy log https://app.netlify.com/sites/zarf-docs/deploys/64c3e342164b11000856d44e

Dockerfile Outdated Show resolved Hide resolved
Co-authored-by: Wayne Starr <Racer159@users.noreply.github.com>
Racer159
Racer159 previously approved these changes Jul 27, 2023
Copy link
Contributor

@Racer159 Racer159 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

YrrepNoj
YrrepNoj previously approved these changes Jul 27, 2023
@Racer159 Racer159 dismissed stale reviews from YrrepNoj and themself via c04ac0a July 27, 2023 21:02
Copy link
Contributor

@Racer159 Racer159 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm (approving after main merge)

@Racer159 Racer159 enabled auto-merge (squash) July 28, 2023 15:56
@Racer159 Racer159 merged commit 4ad4861 into zarf-dev:main Jul 28, 2023
@flickerfly
Copy link
Contributor Author

Thank you! If I understand right, looks like you folks as the vendor are also owners on the Repo1 equivalent so I'll make the connection.

https://repo1.dso.mil/dsop/opensource/defenseunicorns/zarf/zarf-agent/-/issues/39

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Zarf can't init when nonroot user is strictly enforced
3 participants