Welcome to the Linux Foundation Forum!

Lab Exercise A.3: Practicing Skills. Exercises 30-34


kubectl create -f review6.yaml doesn't produce a pod that complains about reading the config files as #34 implies, but rather complains:

    2025/06/21 17:29:54 [emerg] 1#1: mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)
    nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)

Editing uid to match the nginx user doesn't help as /var/cache/nginx belongs to root with mode 0755.

I guess the question I need to ask is... how far afield of the instructions are we supposed to go? That is, if I replace the nginx image with one designed to run unprivileged [and update the uid to match from /etc/passwd], it can work. And certainly I might do that with something in real life.
But how do I know what the minimal/acceptable solution is for the exam? I have to assume it's computer-graded so there's no points for creativity, and there's no guarantee I'm allowed to pull "random" [unanticipated in the exercise] images from DockerHub.

Other solutions exist as well, but again if it's computer-graded all seems for naught.

Comments

  • I agree,

    This was a tricky section for me to understand too.

    I have finally got it running and I think what is attempted to be taught imo is that although you set the security context (nginx=101) it does not change the original security context from when the image was built. I had to implicitly set the volume mounts... and only then did the paths in the mounts inherit the security context. I also had to override the nginx.conf file to run the pid in the temp folder using a config map.

    I also found that I could not bind to port 80 as non-root as this is a restriction in Linux (privileged ports are those in the range 1-1023). So I had to modify the nginx.conf to listen on port 8080 as well.

    ---> nginx.conf

    events {}

    http {
        server {
            listen 8080;
            location / {
                return 200 "Hello from non-root NGINX\n";
            }
        }
    }
    # pid file moved out of /var/run, which uid 101 cannot write to
    pid /tmp/nginx.pid;

    ---->
    kubectl create configmap nginx-conf --from-file=nginx.conf
    ---->
    apiVersion: v1
    kind: Pod
    metadata:
      name: securityreview
    spec:
      securityContext:
        runAsUser: 2100
      containers:
      - name: webguy
        image: nginx
        securityContext:
          runAsUser: 101          # container-level value overrides the pod-level 2100
          allowPrivilegeEscalation: false
        ports:
        - containerPort: 8080
        volumeMounts:
        - name: nginx-cache
          mountPath: /var/cache/nginx   # writable emptyDir replaces the root-owned image dir
        - name: nginx-conf
          mountPath: /etc/nginx/nginx.conf
          subPath: nginx.conf
      volumes:
      - name: nginx-cache
        emptyDir: {}
      - name: nginx-conf
        configMap:
          name: nginx-conf

    Open to comments

  • Thank you. So it needs thinking out of the box, but rather different than my solution.
