st2web fails in rootless environment #185
Comments
Thanks for the report, that's helpful 👍 Are there any security enhancements you could identify and propose for that specific Dockerfile?
@armab Thanks for your quick response! :)
I'm currently working on and trying both options. But what I don't get is why you don't have the Dockerfile in the st2web directory. I think it would make container creation more robust, secure and minimal. Maybe you can clarify this for me, @armab?
Thanks, @joschi36, that would indeed be very helpful 👍 I'd prefer the 2nd approach, trying to modify the existing Dockerfile to run nginx as a USER, if it doesn't get really complicated. Talking about the Dockerfiles, at this moment we keep them all in one place with the unified build, deploy and release pipeline https://github.com/StackStorm/st2-dockerfiles/ instead of scattering them across the different repositories. Both have pros/cons, and I guess there were also historical reasons why it worked that way.
RE: Bitnami approach. @armab @joschi36 While in most cases I would agree with you, for this approach I cannot agree with you. This is throwing in yet another dependency that Bitnami does not build for multiple architectures. Currently
What is the option we can use here? My st2web is failing because of non-root; I'm trying to deploy on OpenShift, and OpenShift by default doesn't give root access to the containers.
There is a pull request (or was) to make st2web rootless. It's only about the ports for nginx. Above 1024 you don't need root access. I will search for the PR.
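As an added illustration of the point above (this is example code written for this page, not the st2web project's Dockerfile, the st2-dockerfiles repository's, or any commenter's), here is a Dockerfile that keeps the library/nginx base image but runs nginx as a non-root user: nginx listens on 8080 instead of 80, its pid file and temp directories are moved to /tmp, the stock default.conf that binds port 80 is removed, and only the directories nginx writes at runtime are made group-writable. The static file path /opt/stackstorm/static/webui, the build-context directory static/, and UID 101 (the nginx user shipped in the official alpine image) are assumptions.

```dockerfile
# Added example, not the project's own Dockerfile. Runs nginx without root so
# the container passes restrictive PodSecurityPolicies / OpenShift SCCs.
FROM nginx:1.25-alpine

# Assumption: the st2web build output lives in ./static in the build context
# and is served from /opt/stackstorm/static/webui. Owner UID 101 (nginx user in
# the official alpine image), group 0 so arbitrary OpenShift UIDs can read it.
COPY --chown=101:0 static/ /opt/stackstorm/static/webui/

# A minimal nginx.conf: pid file and all temp paths under /tmp (writable by any
# UID), logs to the container's stdout/stderr, site config from conf.d/.
RUN printf '%s\n' \
    'worker_processes auto;' \
    'pid /tmp/nginx.pid;' \
    'error_log /dev/stderr warn;' \
    'events { worker_connections 1024; }' \
    'http {' \
    '  include /etc/nginx/mime.types;' \
    '  access_log /dev/stdout;' \
    '  client_body_temp_path /tmp/client_temp;' \
    '  proxy_temp_path /tmp/proxy_temp;' \
    '  fastcgi_temp_path /tmp/fastcgi_temp;' \
    '  uwsgi_temp_path /tmp/uwsgi_temp;' \
    '  scgi_temp_path /tmp/scgi_temp;' \
    '  include /etc/nginx/conf.d/*.conf;' \
    '}' > /etc/nginx/nginx.conf

# Site config: an unprivileged port (>1024) needs no root to bind. The stock
# default.conf listens on 80 and would make a non-root nginx fail at startup.
RUN rm -f /etc/nginx/conf.d/default.conf \
 && printf '%s\n' \
    'server {' \
    '  listen 8080;' \
    '  root /opt/stackstorm/static/webui;' \
    '  index index.html;' \
    '  location / { try_files $uri $uri/ /index.html; }' \
    '}' > /etc/nginx/conf.d/st2.conf

# Give write access only where nginx needs it at runtime. Group 0 plus g=u is
# what lets OpenShift's arbitrary-UID model (random UID, GID 0) still work.
RUN chown -R 101:0 /etc/nginx/conf.d /var/cache/nginx \
 && chmod -R g=u /etc/nginx/conf.d /var/cache/nginx

EXPOSE 8080
USER 101
CMD ["nginx", "-g", "daemon off;"]
```

With a restricted SCC OpenShift ignores `USER 101` and injects a random UID in GID 0, which is why the example relies on group permissions rather than on the fixed UID; the Kubernetes Service (and any Helm values for the st2web port) then have to target 8080 instead of 80.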
So I should build my own Dockerfile? And then is there any change that has to be done on the Helm chart after this?
We were building our own container images and updated the Helm chart. But I don't know how to manipulate the Helm chart to use only the web container from a private registry.
Why can't we modify the Deployment directly after installing the Helm chart?
Never tried it.
There is an error when trying to run st2web: `/bin/bash: /etc/nginx/conf.d/st2.conf: Permission denied`. Getting this error on st2web; there is no such file when I look at the path.
`sh: 1: cannot create /root/.st2/config: Permission denied`, getting this error when I try to run Jobs/st2actionrunner for st2client. Tried to modify the Dockerfile with `chmod 777 /root/.st2/config`, but it says file not found exception during docker build.
My PR referenced above (StackStorm/st2-dockerfiles#66) also changes permissions on some files to allow them to be read/written by a non-root user (I did hard code it to the I've also got a PR for the Helm chart here (#400) which makes the required changes to run
Can I take this branch and install directly? Will that work without all these issues? I'm facing these permission issues on every step.
You'll want to build my branch of the docker images locally and push them to your internal registry. (the And then you should also be able to Also in the
That's hopefully everything you need to get going. Although I will note I don't believe anyone has used either of my branches outside the environment I have deployed them to, so there's a chance you'll hit an issue with an assumption I have made; if so, please let me know.
I guess only the st2web image has been changed; apart from that, everything else remains the same?
Yes, the other st2 images don't require any changes to run rootless.
When I try to log in to the st2 client it says permission denied because the st2 folder has root-level permissions. Can you please check once?
`ERROR: Failed to log in as st2admin: [Errno 13] Permission denied: '/.st2'`, this is the error which I'm getting.
To increase security in company clusters it is common practice to run rootless containers. This can be enforced in Kubernetes with PodSecurityPolicies. For instance, OpenShift clusters have these restrictive policies on by default.
The st2web container, however, is currently using the library/nginx image, which doesn't support being run as non-root. However, the bitnami/nginx image does exactly this to improve security.
I would suggest adopting bitnami images, as they are often better suited to Kubernetes and since you are already using the bitnami ecosystem.
References:
I first tried to create a pull request over at the st2web repo but had some issues creating the image locally. Also, this is my first try at installing StackStorm in general and also at contributing, so I thought maybe I should create an issue first.
Replacing the images, though, shouldn't be very hard, as only a few directories need to be changed.
from: bitnami/nginx README.md