Practicing skills point 33 review6.yaml
What is the idea behind finding the correct nginx uid and fixing the pod? If I changed the security context to 101(nginx uid) it still fails.
Comments
-
I think that it is about setting the uid to root so it can boot. I did set both user and group to 0 (root) and then the pod would run successfully.
0 -
Hello,
Indeed, sometimes changing the UID may be an answer, but then the application running inside the container would fail. As a result you may have to change the security context. Security context may be set via an admission controller, not the developer of the application, which may then conflict with the way the container was configured. As a result one or the other would need to be modified if the goal is to have the pod running.
Regards,
0 -
I'm still a bit confused about the answer given above, do they really mean just changing runAsUser to root id=0), that easy.
Question 33 and 34:
33. After finding the errors, log into the container and find the proper id of the nginx use.
34. Edit the pod such that the securityContext is in place and allows the web server to read the proper configuration files.Why do they say "find the proper id of the nginx use"? Once I get container running by using root, I see that id of nginx is 101
Using runAsUser 101 to start pod/container fails with:
2021/01/16 23:41:41 [warn] 1#1: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
nginx: [warn] the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
2021/01/16 23:41:41 [emerg] 1#1: mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)
nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)I just want to be sure I understand correctly.
I hope somebody can clarify this for me.Regards,
0 -
Could you elaborate this a little more @serewicz ?
As @kareldebeus pointed out: setting runAsUser =0 allows the Pod to start but defeats the purpose of a securityContext which should normally restrict access. I find that confusing. Is there more behind answering question 33 than we currently see? Or is runAsUser=0 the correct answer?0 -
To be honest I struggled with this question as well. The simplest way is just removing the whole securityContext sections but I thought this solution is to simple ...
So I ended up with:
$ cat review6.yaml
apiVersion: v1
kind: Pod
metadata:
name: securityreview
spec:
securityContext:
runAsUser: 2100
containers:
- name: webguy
image: nginx
securityContext:
runAsUser: 0
allowPrivilegeEscalation: falsebut it is basically the same as removing all securityContext. So I guess the task is a little bit misleading. Would be interested to hear other opinions as well!
0 -
Hello,
If you were required to always have a security context, but someone else had set the wrong security context, how would you fix the problem such that the pod runs but you are meeting the security team requirement that there is a security context set for the pod?
Regards,
-2 -
I'm also confused by this question. It states "After finding the errors, log into the container and find the proper id of the nginx user". I am assuming by "login" you mean attach to it? How are we supposed to attach to it if its not running?
If not, then this question is very badly worded. I have no idea what it's asking me to do.1 -
I eventually moved on from this domain review, didn't even bother trying to finish it, the whole thing is so badly worded/explained, no context given on what they want us to achieve. Will go find another resource to learn about Security.
Chatting to other members of my organization doing this course, they also just skipped this calling it "a mess".
0 -
Thanks for your feedback.
You realize the whole point of the domain review is to give less than all information such that you are testing your own knowledge and ability to function as a system administrator would be called upon to do. correct?
You do realize the exam will not tell you what to type, and that you will have to understand more than following along and figure out what needs to be fixed or configured, correct?
-2 -
The issue with that task is that we don't know what the constraints and successful implementation are. [I tend to think about those questions in the context of the exam], so I will use the simplest methods first. That would be simply removing security context. If that's not allowed, it should be explicitly stated (this also changes how we can login into container, if I'm restricted from running anything, even temporarily, as root, I would have to overwrite entrypoint).
Now, assuming that we are restricted by [being unable to remove] security context, what exactly is meant by "re-create the pod such that the pod runs without error"? If it means that it must behave exactly as before [when run as root], I don't believe this is possible at all (again, the restrictions being I cannot run anything as root, so not sidecar trickery for example).
It is simply not possible to bind to port 80 non root.
Adding capabilities (NET_BIND_SERVICE) seems obvious choice, but it does not work with non root, see KEP here about ambient capabilities https://github.com/kubernetes/enhancements/issues/2763
The rest is workable (by remounting and redefining required paths and configs), but the port must be moved to >1024. Of course we can add a service to remap it, but again, if this is acceptable, it should be explicitly stated/reworded (eg. by saying that nginx must respond on port 80 when called from other node/externally)This is a good problem to work out, it's a pity people would skip it because it's pretty unclear what is expected.
0 -
I found a solution to this that I believe sticks to the spirit of the task (namely, running as the nginx user), but also might be a bit strange. I won't spell it out, but definitely spoilers ahead.
Both runAsUser clauses can be 101. The problem is the basic permissions issue the nginx service has, as it tries to create a cache directory (in a dir owned by root), and later to write a .pid file (in a dir owned by root). I solved these by making the containing dirs mounted to emptyDir volumes. Is that odd, or totally what the examiners would be looking for?
1 -
Thanks for the tip I got it worked out in about 2h
That is a tricky one (I found so far) but workable and indeed secure.Doesn't change the fact that the task is not clearly formulated (unfortunately) not the only one.
I found one article on the net which give a very good clues (not going to spoil either, but assure everyone that it can be done).
Generally as you have mentioned it is the way nginx manages the /var/cache/nginx and its .pid file in Docker.
0 -
Am I correct to assume that to configure this properly, you will have to do changes in the application? And changing the "runAsUser" to root is just a workaround to get it running?
0 -
-
@pawelzajac @kingphil got it working, thanks!
I though the nginx config had to be change to use another port than 80, but that wasn't necessary.0 -
I don't like this hide-and-seek game which the Linux-Foundation does here with us. We paied for the course and there are several people who struggle with this excercise. Why not publish the correct answer?
It is compleltly unclear what is allowed to get this working. Am I allowed to remove the security context? Am I allowed to change the container image? There are many ways to force a solution.
4 -
This yaml works:
apiVersion: v1 kind: Pod metadata: name: securityreview spec: # securityContext: # runAsUser: 2100 containers: - name: webguy image: nginx securityContext: #runAsUser: 3000 allowPrivilegeEscalation: false
But I have no clue, if this is a valid answer.
0 -
@guettli I understand your frustration.
Not to spoil to much the task and as you are right this is a training I will post here a tutorial which contains the answers, so is not like I give it on plate.
https://bridgecrew.io/blog/creating-a-secure-kubernetes-nginx-deployment-using-checkov/I think it is generally very good document and worth of sharing.
Good luck.0 -
This is a bit tricky, look at the startup logs, we can found that the user does not have permission to write to /var/cache/nginx/ and /var/run
Not sure if this fix is valid to the exam
apiVersion: v1 kind: Pod metadata: name: securityreview spec: securityContext: runAsUser: 2100 volumes: - name: cache emptyDir: {} - name: run emptyDir: {} containers: - name: webguy image: nginx volumeMounts: - mountPath: /var/cache/nginx/ name: cache - name: run mountPath: /var/run securityContext: runAsUser: 3000 allowPrivilegeEscalation: false
1 -
So, we still don't have clear, unambiguous instructions for this task and nobody from LF is willing to provide them. This is frustrating, disappointing and does not help anyone willing to find the right solution and nobody will ever find out what this exercise is trying to teach us.
@serewicz You do realize that the exam has to provide clear instructions and a desired result in order for me to solve a task, correct? You do realize that providing zero information to what the desired outcome of the task is makes it basically impossible to solve, correct?
Instead, this task is doing the complete opposite and is misleading users into some obscure tasks like finding the nginx uid which won't help solving this exercise at all.
2 -
@tranthepq said:
This is a bit tricky, look at the startup logs, we can found that the user does not have permission to write to /var/cache/nginx/ and /var/runNot sure if this fix is valid to the exam
apiVersion: v1 kind: Pod metadata: name: securityreview spec: securityContext: runAsUser: 2100 volumes: - name: cache emptyDir: {} - name: run emptyDir: {} containers: - name: webguy image: nginx volumeMounts: - mountPath: /var/cache/nginx/ name: cache - name: run mountPath: /var/run securityContext: runAsUser: 3000 allowPrivilegeEscalation: false
Well, this does not work for me as it's not allowed to bind to port 80 as non root or am missing something?
1 -
Check out this answer on stack overflow
0 -
I just went with this for two reasons, least time spent and its CKA not CKS so welp.
However, If I was at work presented with this would be a different story since I have dev and security teams. Also root is the only user on container with /bin/bash access that isn't /bin/false or nologin.
But that's my opinion since you could add a network policy and/or even build your own container.apiVersion: v1 kind: Pod metadata: name: securityreview spec: containers: - name: webguy image: nginx securityContext: runAsUser: 0 allowPrivilegeEscalation: false
0 -
I also struggled with the lack of a clear solution here
0 -
Great course, but I agree. This one is a bit too much of a trick question in my opinion. Just seems to lead to ambiguity. The question "find the proper id of the nginx user" really leads you to believe you are expected to run this as user 100.
Maybe a better example would be to take a different container image that can run as a different user than root? (create a local user for.. use DevDan for example) This would demonstrate that someone can indeed run a container as something other than root which is a common real use case for this out in the wild.
0 -
If like me, you encounter this error
"[emerg] 1#1: bind() to 0.0.0.0:80 failed (13: Permission denied)"
after you have solved the directory mounting issue (checkov article was quite helpful), this link might help:https://github.com/kubernetes/ingress-nginx/issues/4061#issuecomment-1118439600
YMMV, as I encountered this error on my VirtualBox Ubuntu cp node, and it took me around 4 hours to find out this solution.
0 -
Hello,
Just had this issue, and indeed, I don't follow the point to use securityContext to run as root at the end.
Posted on bad topic: https://forum.linuxfoundation.org/discussion/comment/41555/#Comment_41555
For me, about checking .33, it say to check the uid of nginx.
Didn't make sense to check that if we use root at the end imo...
0
Categories
- All Categories
- 167 LFX Mentorship
- 167 LFX Mentorship: Linux Kernel
- 802 Linux Foundation IT Professional Programs
- 358 Cloud Engineer IT Professional Program
- 149 Advanced Cloud Engineer IT Professional Program
- 82 DevOps Engineer IT Professional Program
- 127 Cloud Native Developer IT Professional Program
- 112 Express Training Courses
- 112 Express Courses - Discussion Forum
- 6.3K Training Courses
- 24 LFC110 Class Forum - Discontinued
- 17 LFC131 Class Forum
- 42 LFD102 Class Forum
- 198 LFD103 Class Forum
- 19 LFD110 Class Forum
- 41 LFD121 Class Forum
- 15 LFD133 Class Forum
- 7 LFD134 Class Forum
- 17 LFD137 Class Forum
- 63 LFD201 Class Forum
- 3 LFD210 Class Forum
- 2 LFD210-CN Class Forum
- 2 LFD213 Class Forum - Discontinued
- 128 LFD232 Class Forum - Discontinued
- 1 LFD233 Class Forum
- 2 LFD237 Class Forum
- 23 LFD254 Class Forum
- 649 LFD259 Class Forum
- 109 LFD272 Class Forum
- 3 LFD272-JP クラス フォーラム
- 12 LFD273 Class Forum
- 161 LFS101 Class Forum
- 1 LFS111 Class Forum
- 1 LFS112 Class Forum
- 3 LFS116 Class Forum
- 1 LFS118 Class Forum
- LFS120 Class Forum
- 1 LFS142 Class Forum
- 2 LFS144 Class Forum
- 3 LFS145 Class Forum
- 1 LFS146 Class Forum
- 2 LFS148 Class Forum
- 2 LFS151 Class Forum
- 1 LFS157 Class Forum
- 1 LFS158 Class Forum
- 10 LFS162 Class Forum
- 2 LFS166 Class Forum
- 1 LFS167 Class Forum
- 1 LFS170 Class Forum
- 1 LFS171 Class Forum
- 1 LFS178 Class Forum
- 3 LFS180 Class Forum
- 2 LFS182 Class Forum
- 1 LFS183 Class Forum
- 29 LFS200 Class Forum
- 736 LFS201 Class Forum - Discontinued
- 2 LFS201-JP クラス フォーラム
- 14 LFS203 Class Forum
- 135 LFS207 Class Forum
- 1 LFS207-DE-Klassenforum
- 1 LFS207-JP クラス フォーラム
- 301 LFS211 Class Forum
- 56 LFS216 Class Forum
- 48 LFS241 Class Forum
- 48 LFS242 Class Forum
- 37 LFS243 Class Forum
- 12 LFS244 Class Forum
- LFS245 Class Forum
- LFS246 Class Forum
- LFS248 Class Forum
- 43 LFS250 Class Forum
- 1 LFS250-JP クラス フォーラム
- LFS251 Class Forum
- 141 LFS253 Class Forum
- LFS254 Class Forum
- LFS255 Class Forum
- 9 LFS256 Class Forum
- 1 LFS257 Class Forum
- 1.3K LFS258 Class Forum
- 9 LFS258-JP クラス フォーラム
- 111 LFS260 Class Forum
- 149 LFS261 Class Forum
- 41 LFS262 Class Forum
- 82 LFS263 Class Forum - Discontinued
- 15 LFS264 Class Forum - Discontinued
- 11 LFS266 Class Forum - Discontinued
- 20 LFS267 Class Forum
- 18 LFS268 Class Forum
- 29 LFS269 Class Forum
- 5 LFS270 Class Forum
- 199 LFS272 Class Forum
- 1 LFS272-JP クラス フォーラム
- LFS147 Class Forum
- LFS274 Class Forum
- 3 LFS281 Class Forum
- LFW111 Class Forum
- 256 LFW211 Class Forum
- 182 LFW212 Class Forum
- 10 SKF100 Class Forum
- SKF200 Class Forum
- 1 SKF201 Class Forum
- 782 Hardware
- 198 Drivers
- 68 I/O Devices
- 37 Monitors
- 104 Multimedia
- 174 Networking
- 87 Printers & Scanners
- 83 Storage
- 743 Linux Distributions
- 80 Debian
- 66 Fedora
- 15 Linux Mint
- 13 Mageia
- 23 openSUSE
- 148 Red Hat Enterprise
- 31 Slackware
- 13 SUSE Enterprise
- 348 Ubuntu
- 468 Linux System Administration
- 39 Cloud Computing
- 70 Command Line/Scripting
- Github systems admin projects
- 90 Linux Security
- 77 Network Management
- 101 System Management
- 46 Web Management
- 55 Mobile Computing
- 17 Android
- 28 Development
- 1.2K New to Linux
- 1K Getting Started with Linux
- 373 Off Topic
- 115 Introductions
- 169 Small Talk
- 23 Study Material
- 507 Programming and Development
- 304 Kernel Development
- 204 Software Development
- 1.1K Software
- 211 Applications
- 180 Command Line
- 3 Compiling/Installing
- 405 Games
- 317 Installation
- 59 All In Program
- 59 All In Forum
Upcoming Training
-
August 20, 2018
Kubernetes Administration (LFS458)
-
August 20, 2018
Linux System Administration (LFS301)
-
August 27, 2018
Open Source Virtualization (LFS462)
-
August 27, 2018
Linux Kernel Debugging and Security (LFD440)