images/tests: Globally-writeable /etc/passwd
This lets us SSH from the teardown container into the cluster without hitting:

    $ ssh -A core@$bootstrap_ip
    No user exists for uid 1051910000

OpenSSH has a very early getpwuid call [1] with no provision for bypassing via HOME or USER environment variables like we did for Bazel [2]. OpenShift runs with the random UIDs by default [3]:

    By default, all containers that we try and launch within OpenShift, are set blocked from "RunAsAny" which basically means that they are not allowed to use a root user within the container. This prevents root actions such as chown or chmod from being run and is a sensible security precaution as, should a user be able to perform a local exploit to break out of the container, then they would not be running as root on the underlying container host. NB what about user-namespaces some of you are no doubt asking, these are definitely coming but the testing/hardening process is taking a while and whilst companies such as Red Hat are working hard in this space, there is still a way to go until they are ready for the mainstream.

while Kubernetes sorts out user namespacing [4]. Despite the high UIDs, all users on the cluster are GID 0, so the g+w is sufficient (vs. a+w), and maybe this mitigates concerns about increased writability for such an important file. The main mitigation is that these are throw-away CI containers, and not long-running production containers where we are concerned about malicious entry. A more polished fix has landed in CRI-O [5], but the CI cluster is stuck on OpenShift 3.11 and Docker at the moment.

Our SSH usecase is for gathering logs in the teardown container [6], but we've been using the tests image for both tests and teardown since b16dcfc (images/tests/Dockerfile*: Install gzip for compressing logs, 2019-02-19, openshift#22094).
[1]: https://github.com/openssh/openssh-portable/blob/V_7_4_P1/ssh.c#L577
[2]: openshift/release#1185
[3]: https://blog.openshift.com/getting-any-docker-image-running-in-your-own-openshift-cluster/
[4]: kubernetes/enhancements#127
[5]: cri-o/cri-o#2022
[6]: openshift/release#3475
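The run-time half of the pattern this commit enables, as an added example that is not code from openshift/release: once the image build has made /etc/passwd group-writable for GID 0, an entrypoint can append an entry for the arbitrary UID before calling ssh, so OpenSSH's getpwuid lookup succeeds. The function name, the "ci" login name and the constructed sample passwd file are assumptions; the file path is a parameter so the logic can be exercised against a copy rather than the real /etc/passwd.

```shell
#!/bin/sh
# Added example (not from openshift/release). On OpenShift the container runs as
# a random high UID with GID 0, so /etc/passwd has no matching line and ssh
# fails early with "No user exists for uid N". With the file group-writable,
# the entrypoint can add that line itself.

# ensure_passwd_entry FILE UID GID HOME
# Appends "ci:x:UID:GID:CI user:HOME:/bin/sh" to FILE unless some line already
# carries that numeric UID. Prints "present" or "added"; returns 1 if FILE is
# not writable (i.e. the image forgot the chmod g+w step).
ensure_passwd_entry() {
    file=$1 uid=$2 gid=$3 home=$4
    # Match on the numeric UID field only; the login name is irrelevant to getpwuid.
    if awk -F: -v u="$uid" '$3 == u { found=1 } END { exit !found }' "$file"; then
        echo present
        return 0
    fi
    if [ ! -w "$file" ]; then
        echo "refusing: $file is not writable by uid $(id -u)" >&2
        return 1
    fi
    printf 'ci:x:%s:%s:CI user:%s:/bin/sh\n' "$uid" "$gid" "$home" >> "$file"
    echo added
}

# Constructed sample passwd file so the edge cases can be seen offline:
# an existing UID is left alone, a missing UID is added exactly once.
demo() {
    tmp=$(mktemp)
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$tmp"
    printf 'core:x:1000:1000:core:/home/core:/bin/bash\n' >> "$tmp"
    ensure_passwd_entry "$tmp" 1000 0 /home/core   # present
    ensure_passwd_entry "$tmp" 1051910000 0 /tmp   # added
    ensure_passwd_entry "$tmp" 1051910000 0 /tmp   # present (idempotent)
    grep -c '^ci:' "$tmp"                           # 1
    rm -f "$tmp"
}

demo
```

In a real entrypoint the call would be `ensure_passwd_entry /etc/passwd "$(id -u)" "$(id -g)" "$HOME"` before the ssh invocation.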