Don't run our containers with root user about kubevirt HOT 12 CLOSED

I want to do this task. @rmohr

from kubevirt.

I checked haproxy container it does not include useradd and groupadd commands, so maybe it better to leave it as it, without adding some complex stuff.
@rmohr What do you think?

from kubevirt.

@rmohr are you sure to run squid-proxy container as non-root? Cause I tried to change user to 'nobody' and this container won't to start.

from kubevirt.

In general opening a network port less than 1000 requires root privileges. I haven't investigated deeply so that might not have anything to do with it, but it might explain why squid-proxy won't start, @bond95. If that's really what's afoot, then we might need to consider mapping ports as a workaround.

from kubevirt.

@cynepco3hahue @bond95 sorry missed your comments.

If it is too complicated, I would just leave the haproxy container out for now, since we want to switch over to the new aggregated API server soon, where we don't need the proxy anymore.

In general you will find a lot of containers which don't run as root, but they should not. Here is for instance what the haproxy apk does: https://git.alpinelinux.org/cgit/aports/tree/main/haproxy/haproxy.pre-install

I would just install the missing commands, create the user and uninstall them again in the same CMD.

@bond95 I have no idea of the limitations of 'nobody', or what haproxy needs. Do you have a log output?

from kubevirt.

@rmohr not haproxy, but squid-proxy. Logs are empty, and I can't to connect to spice-proxy container with bash or shell, but from time to time it returns rpc error: code = 2 desc = Error response from daemon: {"message":"devmapper: Error activating devmapper device for '26edddfe909cb52e775760ecda031ca23ede63467b757181ca125757066c2223-init': devicemapper: Can't set cookie dm_task_set_cookie failed"}

from kubevirt.

@bond95 there seems to be a bug with devicemapper in centos, could you make sure that you rebase on latest master? We have added a workaround to our deploy scripts: #252

from kubevirt.

@rmohr Thanks for the information, I just did not pay attention to the fact that it is alpine image and not CentOS 😄

from kubevirt.

@rmohr Hi Roman, I have some question about spice-squid container, why do not move Dockerfile(https://github.com/rmohr/docker-spice-squid/blob/master/Dockerfile) to kubevirt repository?

from kubevirt.

We can do that. That would be great. I created it when we did not own the kubevirt namespace in Docker hub.

from kubevirt.

@rmohr Cool I will create a patch for it

from kubevirt.

I think everywhere where it makes sense for now, we achieved that.

from kubevirt.