Lab Exercise A.3: Practicing Skills. Exercises 30-34

kubectl create -f review6.yaml
doesn't produce a pod that complains about reading the config files as #34 implies, but rather complains
- 2025/06/21 17:29:54 [emerg] 1#1: mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)
- nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)
Editing uid
to match the nginx
user doesn't help as /var/cache/nginx
belongs to root
with mode 0755
.
I guess the question I need to ask is... how far afield of the instructions are we supposed to go? that is, if I replace the nginx
image with one designed to run unprivileged [and update the uid
to match from /etc/passwd
], it can work. And certainly I might do that with something in in real life.
But how do I know what the minimal/acceptable solution is for the exam? I have to assume it's computer-graded so there's no points for creativity, and there's no guarantee I'm allowed to pull "random" [unanticipated in the exercise] images from DockerHub.
Other solutions exist as well, but again if it's computer-graded all seems for naught.
Comments
-
I agree,
This was a tricky section for me to understand too.
I have finally got it running and I think what is attempted to be taught imo is that although you set the security context (nginx=101) it does not change the the original security context of when the image was build. I had to implicitly set the volume mounts... and only then did the paths in the mounts inherited the security context. I also had to override the nginx.conf file to run the pid in the temp folder using a config map.
I also found that I could not bind to port 80 as non root as this is a restriction in linux (privileged ports are those in the range of 1-1023 ). So I had to modify the nginx.conf to listen on port 8080 as well.
---> nginx.conf
events {}
http {
server {
listen 8080;
location / {
return 200 "Hello from non-root NGINX\n";
}
}}
pid /tmp/nginx.pid;---->
kubectl create configmap nginx-conf --from-file=nginx.conf
---->
apiVersion: v1
kind: Pod
metadata:
name: securityreview
spec:
securityContext:
runAsUser: 2100
containers:
- name: webguy
image: nginx
securityContext:
runAsUser: 101
allowPrivilegeEscalation: false
ports:
- containerPort: 8080
volumeMounts:
- name: nginx-cache
mountPath: /var/cache/nginx
- name: nginx-conf
mountPath: /etc/nginx/nginx.conf
subPath: nginx.conf
volumes:
- name: nginx-cache
emptyDir: {}
- name: nginx-conf
configMap:
name: nginx-confOpen to comments
1 -
Thank you. So it needs thinking out of the box, but rather different than my solution.
0
Categories
- All Categories
- 146 LFX Mentorship
- 146 LFX Mentorship: Linux Kernel
- 834 Linux Foundation IT Professional Programs
- 381 Cloud Engineer IT Professional Program
- 184 Advanced Cloud Engineer IT Professional Program
- 85 DevOps Engineer IT Professional Program
- 153 Cloud Native Developer IT Professional Program
- 148 Express Training Courses & Microlearning
- 147 Express Courses - Discussion Forum
- 1 Microlearning - Discussion Forum
- 6.8K Training Courses
- 49 LFC110 Class Forum - Discontinued
- 73 LFC131 Class Forum
- 51 LFD102 Class Forum
- 244 LFD103 Class Forum
- 23 LFD110 Class Forum
- 47 LFD121 Class Forum
- 1 LFD123 Class Forum
- LFD125 Class Forum
- 18 LFD133 Class Forum
- 9 LFD134 Class Forum
- 18 LFD137 Class Forum
- 72 LFD201 Class Forum
- 6 LFD210 Class Forum
- 5 LFD210-CN Class Forum
- 2 LFD213 Class Forum - Discontinued
- 128 LFD232 Class Forum - Discontinued
- 2 LFD233 Class Forum
- 4 LFD237 Class Forum
- 24 LFD254 Class Forum
- 731 LFD259 Class Forum
- 111 LFD272 Class Forum - Discontinued
- 4 LFD272-JP クラス フォーラム
- 13 LFD273 Class Forum
- 307 LFS101 Class Forum
- 2 LFS111 Class Forum
- 3 LFS112 Class Forum
- 3 LFS116 Class Forum
- 8 LFS118 Class Forum
- 1 LFS120 Class Forum
- 10 LFS142 Class Forum
- 8 LFS144 Class Forum
- 4 LFS145 Class Forum
- 5 LFS146 Class Forum
- 18 LFS148 Class Forum
- 16 LFS151 Class Forum
- 5 LFS157 Class Forum
- 75 LFS158 Class Forum
- LFS158-JP クラス フォーラム
- 12 LFS162 Class Forum
- 2 LFS166 Class Forum
- 7 LFS167 Class Forum
- 3 LFS170 Class Forum
- 2 LFS171 Class Forum
- 3 LFS178 Class Forum
- 3 LFS180 Class Forum
- 2 LFS182 Class Forum
- 5 LFS183 Class Forum
- LFS184 Class Forum
- 35 LFS200 Class Forum
- 737 LFS201 Class Forum - Discontinued
- 3 LFS201-JP クラス フォーラム - Discontinued
- 21 LFS203 Class Forum
- 140 LFS207 Class Forum
- 2 LFS207-DE-Klassenforum
- 2 LFS207-JP クラス フォーラム
- 302 LFS211 Class Forum
- 56 LFS216 Class Forum
- 55 LFS241 Class Forum
- 50 LFS242 Class Forum
- 38 LFS243 Class Forum
- 16 LFS244 Class Forum
- 6 LFS245 Class Forum
- LFS246 Class Forum
- LFS248 Class Forum
- 119 LFS250 Class Forum
- 2 LFS250-JP クラス フォーラム
- 1 LFS251 Class Forum
- 158 LFS253 Class Forum
- 1 LFS254 Class Forum
- 2 LFS255 Class Forum
- 13 LFS256 Class Forum
- 1 LFS257 Class Forum
- 1.3K LFS258 Class Forum
- 11 LFS258-JP クラス フォーラム
- 138 LFS260 Class Forum
- 164 LFS261 Class Forum
- 43 LFS262 Class Forum
- 82 LFS263 Class Forum - Discontinued
- 15 LFS264 Class Forum - Discontinued
- 11 LFS266 Class Forum - Discontinued
- 24 LFS267 Class Forum
- 25 LFS268 Class Forum
- 37 LFS269 Class Forum
- 10 LFS270 Class Forum
- 202 LFS272 Class Forum - Discontinued
- 2 LFS272-JP クラス フォーラム
- 4 LFS147 Class Forum
- 2 LFS274 Class Forum
- 4 LFS281 Class Forum
- 29 LFW111 Class Forum
- 262 LFW211 Class Forum
- 186 LFW212 Class Forum
- 15 SKF100 Class Forum
- 1 SKF200 Class Forum
- 2 SKF201 Class Forum
- 797 Hardware
- 199 Drivers
- 68 I/O Devices
- 37 Monitors
- 104 Multimedia
- 174 Networking
- 91 Printers & Scanners
- 85 Storage
- 763 Linux Distributions
- 82 Debian
- 67 Fedora
- 18 Linux Mint
- 13 Mageia
- 23 openSUSE
- 149 Red Hat Enterprise
- 31 Slackware
- 13 SUSE Enterprise
- 356 Ubuntu
- 472 Linux System Administration
- 39 Cloud Computing
- 71 Command Line/Scripting
- Github systems admin projects
- 96 Linux Security
- 78 Network Management
- 102 System Management
- 48 Web Management
- 71 Mobile Computing
- 19 Android
- 39 Development
- 1.2K New to Linux
- 1K Getting Started with Linux
- 382 Off Topic
- 116 Introductions
- 178 Small Talk
- 27 Study Material
- 812 Programming and Development
- 306 Kernel Development
- 488 Software Development
- 1.8K Software
- 263 Applications
- 183 Command Line
- 4 Compiling/Installing
- 988 Games
- 317 Installation
- 106 All In Program
- 106 All In Forum
Upcoming Training
-
August 20, 2018
Kubernetes Administration (LFS458)
-
August 20, 2018
Linux System Administration (LFS301)
-
August 27, 2018
Open Source Virtualization (LFS462)
-
August 27, 2018
Linux Kernel Debugging and Security (LFD440)