LAB 6.6- Getting security context to work - Not sure if my solution is correct

For Num 8 and 9, I found the userid of the nginx container to be 101. I tried changing the securitycontext in the security-review.yaml file to that of the uid, the container was still failing. I tried adding capabailities like NET_ADMIN from lab 6.1 with the uid of the container and with the security context already there but in both instances, the container was still failing. I did not know how to go forward with making the container run with the security context in place.
In the labs(lab 6.4) I just noticed that we never got the nginx container named webserver to run with a security context. We just commented out the pod security context and left a security context on the busybox container. I kept trying to figure out why the busybox ran with both pod and container security context defined even in lab 6.1. Was 3000 the original user id of the container? If not how was it able to run with a different uid specified in the security context? That's when I noticed the sleep command on the busybox container. I put a sleep command on the nginx container for lab 6.6 and its running with the original container security context of 2100 and pod context of 3000 in place. I am guessing it will go into an error of crashloopbackoff once the sleep command runs out.
Is that the solution? If not I have no other clue as to how to get this container to run because the labs in chapter 6 does not tell me how and if it is the solution, I dont understand. What was the point? What was this exercise trying to get me to understand/know? If a sleep command was the solution, why does a sleep command need to be in place for a securitycontext to work?
Comments
-
Hello,
The UID change should have worked. Of course with very dynamic projects like Kubernetes and other open source projects many things could have changed such as Kubelet, Docker, Nginx or something else. Instead of a canned, demo environment, we use freshly downloaded software, which sometimes can cause issues with things not working as planned. Seeing and working with these issues is a priceless task for continued work with Kubernetes and trying to develop code that works and troubleshoot it when it does not.
As far as what the take-away should be is investigate what is causing an issue using get, describe and logs arguments. Also to work with securityContexts. From the troubleshooting you explained I think you have gained those skills.
I will look into reproducing the issue, and let you know what I find.
0 -
My security-pod is in a CrashLoopBackOff. So I disabled all lines related to security. After lot of googling.. I found that I could get the ID of nginx by entering
[email protected]:/# id nginx
uid=101(nginx) gid=101(nginx) groups=101(nginx)the pod won't start because is trying to write a root file ?
How can we get the securityContext working for that example ?
apiVersion: v1 kind: Pod metadata: name: securityreview spec: securityContext: runAsUser: 101 runAsGroup: 101 fsGroup: 101 containers: - name: webguy image: nginx # command: # - sleep # - "5000" # securityContext: # runAsUser: 3000 # allowPrivilegeEscalation: true
0 -
it could be related to this issue on github
https://github.com/nginxinc/docker-nginx-unprivileged/issues/37
0 -
I had the same issue couldn't get it running when the pod was running under user with id 101.
My logs had follow error:
nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)
/docker-entrypoint.sh: Configuration complete; ready for start upCould be related to follow https://github.com/kubernetes/kubernetes/issues/56374
apparently there is a special nginx image for unprivileged nginx when using this image i can run nginx under a non root account mean user with 101
0 -
if I add follow command to the docker file then it is possible to run the nginx under user 101.
# ensure nginx user can write to /var/cache/nginx RUN chown 101:101 -R /var/cache/nginx/ && chmod +wr /var/cache/nginx #ensure nginx user can write to nginx.pid file RUN chown 101:101 -R /var/run/ && chmod +wr /var/run/ #ensure we can use the setcap command RUN apt-get update && apt-get install libcap2-bin -y #ensure we can run setcap for access to port 80 RUN setcap CAP_NET_BIND_SERVICE=+eip /usr/sbin/nginx
the write access could be solved by a emptydir volume and mount path
0 -
-
I have still the same issue... I was able to find out the UID of the ngingx user but it was not working with 101.... @serewicz could you please "solve" or change that training step for further students as this is really frustrating....
1 -
I can acknowledge the binding problem with the original Nginx image after using the correct user id. Tried some two hours now, even adding NET_BIND_SERVICE capability doesn't solve this. Updating the 6.6 Domain Review with a less time consuming task would be very appreciated...
I used the unprivileged image now, too, to get this sh** working.
1 -
Check out this answer on stack overflow
0
Categories
- 9.7K All Categories
- 22 LFX Mentorship
- 75 LFX Mentorship: Linux Kernel
- 439 Linux Foundation Boot Camps
- 259 Cloud Engineer Boot Camp
- 88 Advanced Cloud Engineer Boot Camp
- 40 DevOps Engineer Boot Camp
- 19 Cloud Native Developer Boot Camp
- Express Training Courses
- Express Courses - Discussion Forum
- 1.5K Training Courses
- 17 LFC110 Class Forum
- 3 LFC131 Class Forum
- 18 LFD102 Class Forum
- 113 LFD103 Class Forum
- 8 LFD121 Class Forum
- 59 LFD201 Class Forum
- 1 LFD213 Class Forum - Discontinued
- 128 LFD232 Class Forum
- 23 LFD254 Class Forum
- 527 LFD259 Class Forum
- 99 LFD272 Class Forum
- 1 LFD272-JP クラス フォーラム
- 1 LFS145 Class Forum
- 18 LFS200 Class Forum
- 736 LFS201 Class Forum
- 1 LFS201-JP クラス フォーラム
- LFS203 Class Forum
- 23 LFS207 Class Forum
- 292 LFS211 Class Forum
- 53 LFS216 Class Forum
- 41 LFS241 Class Forum
- 33 LFS242 Class Forum
- 31 LFS243 Class Forum
- 9 LFS244 Class Forum
- 27 LFS250 Class Forum
- 1 LFS250-JP クラス フォーラム
- 123 LFS253 Class Forum
- 921 LFS258 Class Forum
- 10 LFS258-JP クラス フォーラム
- 78 LFS260 Class Forum
- 122 LFS261 Class Forum
- 27 LFS262 Class Forum
- 77 LFS263 Class Forum
- 15 LFS264 Class Forum
- 10 LFS266 Class Forum
- 13 LFS267 Class Forum
- 16 LFS268 Class Forum
- 13 LFS269 Class Forum
- 190 LFS272 Class Forum
- 1 LFS272-JP クラス フォーラム
- 201 LFW211 Class Forum
- 147 LFW212 Class Forum
- 888 Hardware
- 211 Drivers
- 74 I/O Devices
- 44 Monitors
- 115 Multimedia
- 206 Networking
- 98 Printers & Scanners
- 85 Storage
- 744 Linux Distributions
- 88 Debian
- 64 Fedora
- 12 Linux Mint
- 13 Mageia
- 24 openSUSE
- 132 Red Hat Enterprise
- 33 Slackware
- 13 SUSE Enterprise
- 353 Ubuntu
- 465 Linux System Administration
- 37 Cloud Computing
- 65 Command Line/Scripting
- Github systems admin projects
- 94 Linux Security
- 77 Network Management
- 107 System Management
- 47 Web Management
- 59 Mobile Computing
- 21 Android
- 24 Development
- 1.2K New to Linux
- 1.1K Getting Started with Linux
- 523 Off Topic
- 126 Introductions
- 210 Small Talk
- 19 Study Material
- 780 Programming and Development
- 254 Kernel Development
- 492 Software Development
- 918 Software
- 255 Applications
- 181 Command Line
- 2 Compiling/Installing
- 75 Games
- 316 Installation
- 45 All In Program
- 45 All In Forum
Upcoming Training
-
August 20, 2018
Kubernetes Administration (LFS458)
-
August 20, 2018
Linux System Administration (LFS301)
-
August 27, 2018
Open Source Virtualization (LFS462)
-
August 27, 2018
Linux Kernel Debugging and Security (LFD440)