
Exercise 6.6: Domain Review - LoadBalancer and Security Context

Hello,

Is there some sort of Answer reference that I can refer to? I am stuck on Exercise 6.6: Domain Review:

  1. I do not understand how to test that the LoadBalancer Service works. I can create the LoadBalancer, but this is a new concept that has not been discussed yet. I've read online that it only works on GCE, and that's all I found. Using curl to test the IP hangs.

  2. I have not figured out how to fix security-review1.yaml so that the securityContext stays in place (both?) and it works. I have looked up the nginx user id and tried using that, tried changing the context so that it is the same fsGroup as root, etc., but I don't know what I'm doing here; online docs make it seem that I have to run a script beforehand as root in order to run the nginx start command as that user, etc. It is not clear here: I would appreciate some sort of answer key or help.

Comments

  • I meant to type GKE, not GCE

  • chrispokorni Posts: 509

    Hi @lyndsey.d.ferguson ,

    When working on GCE (not GKE) you may still be able to test the LB type Service, if you create an LB in your VPC and assign the LB IP to the appropriate attribute of the Service. Then test your Kubernetes LB type Service with the public IP of the external LB.

    Regards,
    -Chris

  • Thank you for your response @chrispokorni ; to confirm what I understand, you're saying that I need to create a LoadBalancer in the GCE account, and update it to have the IP address that the k8s LoadBalancer has?

  • chrispokorni Posts: 509

    Create an LB on GCE. Upon creation, it will be assigned a public IP address.
    Create an LB type Service in Kubernetes, which will be assigned an internal private virtual Cluster IP.
    Then edit the Service to add the external public LB IP in the Service's configuration.

    Some examples from the documentation:
    https://kubernetes.io/docs/concepts/services-networking/#loadbalancer
    https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/

    Regards,
    -Chris

  • Thank you Chris, your help on the Load Balancer has been most helpful! I also continued on the course and see that Load Balancers are explained in the next section, which leads me to believe the question was meant to be part of section 7.

    Would you have any guidance on my struggles with security-review1.yaml (see above) ?

  • chrispokorni Posts: 509

    The best resource is Lab exercise 6.1 and while reviewing it understand the effect of each security context, at pod level and container level respectively. For this situation understand the effect of the conflicting security contexts, which one gets to override the other? Is the overriding user allowing the container to run? Why or why not? :wink:

    Regards,
    -Chris

  • Thanks for the suggestion Chris. I knew that the container's securityContext needed to be changed. However, after that I still needed to configure how the nginx user ran. I will leave this note as a map to future readers so that they too can get the nginx container to run as non-root.

  • Hi @lyndsey.d.ferguson , did you manage to resolve this? I am still puzzled by this. I understand I have to change the container to run as user 101, but maybe that is wrong. Can someone assist a little bit on this?

  • I can help, but I don't want to give you the answer as the lesson won't stick in your mind. A couple of things:

    1. I tried very hard to try and change the running user to match the permissions of the files I thought I needed: false move.
    2. Observe the logs of the pod as it is starting up: what do you see? What is failing? Is there a way that you can change things around so that it won't fail? Think back to other lessons (perhaps even prior sections....)

    Try that for a couple of hours (in total, this took me 6 to figure out, and when I did, it took 2 minutes to ultimately fix).

    Let me know after you've really really really tried.

  • Thanks for getting back so quickly. That's fine, I would like to finish the challenge, but I feel like I am wandering off. All other lab tasks were fairly simple and limited to the specific lesson.

    I will let the user go for now, though it seems strange. I get that it fails because it can't create a directory. I used a volume so the directory is created beforehand. Now I'm running into bind() to 0.0.0.0:80 failed. I've tried adding capabilities to the container but it didn't work.

    I am thinking of tweaking nginx to listen on another port. Maybe I can customize the command line somehow. But it seems way off-topic to go and do that. @chrispokorni's suggestion made it sound like it was something very related to the user.

    I'll leave it for now, but if you can spare a tip it will be appreciated.

  • You’re following the same path that I did. Look up how to solve the bind port.

    This was the hardest question of the entire course. 10x more. It is only slightly related to the user ID. That is only the start.

  • I got to set a custom config for the nginx and bind to 8080. But now I get nginx: [emerg] open() "/var/run/nginx.pid" failed (13: Permission denied). I think this got way out of scope, it can't be this way. Did you also face this?

    I'm starting to think this is something much simpler, like setting nginx to run as user 0, but that would be way too simple.

  • lyndsey.d.ferguson Posts: 15
    edited April 27

    You’re almost there! It is something somewhat simple, but I had to struggle as you are... Take a look at what controls how nginx is launched. How can you change that?

  • lyndsey.d.ferguson Posts: 15
    edited April 27

    Wait, you just wrote that you are using a custom config. That’s what I did. You just have to update the config to specify a path for that pid file that it can write to (tmp).

  • Thanks, I was also reading about it here: https://medium.com/@kaur.harsimran301/run-nginx-as-unprivileged-user-in-docker-container-on-kubernetes-6e71564cf78b
    I didn't want to look for a full-blown example but gave up. I was exactly where you say: I had missed changing the PID. I guess I didn't realize it was something to change and was thinking of it as something that you must access there.

    Even though it's running, I don't feel very satisfied with this solution. I mean, it's running as non-root, but those security contexts could be anything. This was mostly about configuring Nginx. At this point I would like to see the official answer; not sure where to request that. I mean, was this really what the instructor was expecting us to do?

    I can see I learned quite a bunch on configuring Nginx but little on securityContexts.
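    An added example, not the lab's answer key or any poster's manifest, that puts the pieces from this thread together: nginx runs as UID 101 (the id mentioned above) with the pid file and temp paths moved to /tmp and the listener on 8080, supplied through a ConfigMap mounted over the image's nginx.conf; the comments also mark where a container-level runAsUser would override the pod-level one. The object names, the use of port 8080 and UID 101 being the image's nginx user are assumptions.

```yaml
# Added example, not the lab's answer key: nginx as a non-root user. Assumes UID 101
# is the image's nginx user (as discussed in the thread) and port 8080 is free; names are made up.
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-nonroot-conf
data:
  nginx.conf: |
    # pid file moved out of /var/run, which UID 101 cannot write to
    pid /tmp/nginx.pid;
    events {}
    http {
      # temp/cache paths under /tmp so the unprivileged worker can create them
      client_body_temp_path /tmp/client_temp;
      proxy_temp_path       /tmp/proxy_temp;
      fastcgi_temp_path     /tmp/fastcgi_temp;
      uwsgi_temp_path       /tmp/uwsgi_temp;
      scgi_temp_path        /tmp/scgi_temp;
      server {
        listen 8080;   # unprivileged port: binding :80 as UID 101 fails
        location / { root /usr/share/nginx/html; }
      }
    }
---
apiVersion: v1
kind: Pod
metadata:
  name: securityreview
spec:
  securityContext:
    runAsUser: 101        # pod-level default for every container
    runAsNonRoot: true    # kubelet refuses to start a container as UID 0
  containers:
  - name: webguy
    image: nginx
    securityContext:
      # Container-level fields override pod-level ones for this container;
      # a runAsUser: 0 here would win over the pod's 101 (and fail runAsNonRoot).
      allowPrivilegeEscalation: false
    ports:
    - containerPort: 8080
    volumeMounts:
    - name: conf
      mountPath: /etc/nginx/nginx.conf   # replaces the image's config file
      subPath: nginx.conf
  volumes:
  - name: conf
    configMap:
      name: nginx-nonroot-conf
```

    The pod's startup log is the check: with the pid and temp paths writable and no bind to :80, nginx starts, and `kubectl exec` into the container shows the master process owned by UID 101.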

  • Agreed. We also learned about using volume mounts to replace a file.

  • I am surprised there is not a way to get official answers. I would have also liked a test with checks on my answers.

  • suser Posts: 49
    edited April 28

    I am stuck here too. Regarding the securityreview pod, I think we should match the user id in the container securityContext with the user id running nginx in the container. Or not?

  • That's part of it

  • Pablo.Camino Posts: 7

    Hi @suser . The only option I found to use a security context that allows this to run is simply:

        apiVersion: v1
        kind: Pod
        metadata:
          name: securityreview-root
        spec:
          securityContext:
            runAsUser: 2100          # pod-level UID, overridden by the container below
          containers:
          - name: webguy
            image: nginx
            securityContext:
              runAsUser: 000         # container-level UID 0 (root) wins over the pod's 2100
              allowPrivilegeEscalation: false


    This works but seems to defeat the purpose of having a security context as you are just running as root which is the default.
    The solution that @lyndsey.d.ferguson provided, or hinted at, gets this running as non-root and is a great learning, but the securityContext could be any non-root user.

    There is a line in the lab that I couldn't figure out what it points to:

    After finding the errors, log into the container and find the proper id of the nginx user.

    First you need the container running to log into it.
    Then I couldn't find any proper user id. 101, which is specified in the nginx.conf, doesn't solve anything.

  • tknoops Posts: 7

    Would appreciate if someone can post the actual solution to this question.
