Welcome to the Linux Foundation Forum!

Lab Exercise A.3: Practicing Skills. Exercises 30-34

tabrisnet
tabrisnet Posts: 2
in LFS258 Class Forum

kubectl create -f review6.yaml doesn't produce a pod that complains about reading the config files as #34 implies, but rather complains

2025/06/21 17:29:54 [emerg] 1#1: mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)
nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)

Editing uid to match the nginx user doesn't help as /var/cache/nginx belongs to root with mode 0755.

I guess the question I need to ask is... how far afield of the instructions are we supposed to go? that is, if I replace the nginx image with one designed to run unprivileged [and update the uid to match from /etc/passwd], it can work. And certainly I might do that with something in in real life.
But how do I know what the minimal/acceptable solution is for the exam? I have to assume it's computer-graded so there's no points for creativity, and there's no guarantee I'm allowed to pull "random" [unanticipated in the exercise] images from DockerHub.

Other solutions exist as well, but again if it's computer-graded all seems for naught.

Comments

  • johanprinsloo
    johanprinsloo Posts: 1

    I agree,

    This was a tricky section for me to understand too.

    I have finally got it running and I think what is attempted to be taught imo is that although you set the security context (nginx=101) it does not change the the original security context of when the image was build. I had to implicitly set the volume mounts... and only then did the paths in the mounts inherited the security context. I also had to override the nginx.conf file to run the pid in the temp folder using a config map.

    I also found that I could not bind to port 80 as non root as this is a restriction in linux (privileged ports are those in the range of 1-1023 ). So I had to modify the nginx.conf to listen on port 8080 as well.

    ---> nginx.conf

    events {}

    http {
    server {
    listen 8080;
    location / {
    return 200 "Hello from non-root NGINX\n";
    }
    }

    }
    pid /tmp/nginx.pid;

    ---->
    kubectl create configmap nginx-conf --from-file=nginx.conf
    ---->
    apiVersion: v1
    kind: Pod
    metadata:
    name: securityreview
    spec:
    securityContext:
    runAsUser: 2100
    containers:
    - name: webguy
    image: nginx
    securityContext:
    runAsUser: 101
    allowPrivilegeEscalation: false
    ports:
    - containerPort: 8080
    volumeMounts:
    - name: nginx-cache
    mountPath: /var/cache/nginx
    - name: nginx-conf
    mountPath: /etc/nginx/nginx.conf
    subPath: nginx.conf
    volumes:
    - name: nginx-cache
    emptyDir: {}
    - name: nginx-conf
    configMap:
    name: nginx-conf

    Open to comments

  • tabrisnet
    tabrisnet Posts: 2

    Thank you. So it needs thinking out of the box, but rather different than my solution.

  • LouisBaumann
    LouisBaumann Posts: 3

    I used a different approach without compromising the initial setup using another port than 80:

    https://forum.linuxfoundation.org/discussion/comment/43090#Comment_43090?utm_source=community-search&utm_medium=organic-search&utm_term=Practicing+Skills

    Hope this helps.

Categories

Upcoming Training