Run vtpm container as non-root #3060
Conversation
@eriknordmark yes I would like to have both DAC and MAC properly in place, I will try once more and then ask Avi if unsuccessful.
Commits 92a250b to 2e1c712
Signed-off-by: Shahriyar Jalayeri <shahriyar@zededa.com>
@@ -1,6 +1,8 @@ | |||
image: eve-vtpm | |||
org: lfedge | |||
config: | |||
uid: vtpm |
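Review bot: `uid: vtpm` in the new `config:` block is a user name, and the thread on this PR shows linuxkit only honours this field when it is a number; with a string it falls back to an incrementally chosen UID (114 for the 14th service declared in rootfs.yml), which does not match the `vtpm` user that adduser created inside the image (uid 100, gid 101 in /etc/passwd). Pass a fixed numeric uid to adduser in the image build and put that same number in this `uid:` field, then confirm on the device that `process.user` in /containers/services/vtpm/config.json matches the /etc/passwd entry, since a mismatch means vtpm_server runs as an unrelated uid that owns none of the files adduser set up for it.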
@eriknordmark This is almost ready, it works fine, I just need to do some more tests with systest to make sure Azure IoT works too. There is just a tiny issue with the UID number, maybe @deitch can help. We let adduser pick the UID and I would like to use the string "vtpm" in the build.yml. The UID in the system is 100:
linuxkit-525400123456:~# cat /etc/passwd | grep vtpm
vtpm:x:100:101:vtpm:/nonexistent:/bin/false
but for some reason the uid in the vtpm config is 114:
linuxkit-525400123456:~# cat /containers/services/vtpm/config.json
{
"ociVersion": "1.0.2-dev",
"process": {
"user": {
"uid": 114,
"gid": 114
},
"args": [
"/usr/bin/init.sh"
],
[...]
and as a result:
linuxkit-525400123456:~# ps aux | grep vtpm_server
1588 114 0:00 /usr/bin/vtpm_server
3237 root 0:00 grep vtpm_server
linuxkit-525400123456:~# eve enter vtpm
linuxkit-525400123456:/$ ps
PID USER TIME COMMAND
1 114 0:00 {init.sh} /bin/sh /usr/bin/init.sh
7 114 0:00 /usr/bin/vtpm_server
20 114 0:00 sh -l
27 114 0:00 ps
I don't know where this number comes from (build container?). Surely I can pass a uid number to adduser and use the same number in build.yml to make the problem go away, but it would be nice to use names instead of numbers.
Can't you pass a specific uid to adduser?
> surely I can pass uid number to adduser and use the same number in build.yml to make the problem go away, but would be nice to use names instead of numbers.

Yes I can.
Seems linuxkit only respects the value if it is a number, otherwise an incrementally chosen UID is assigned.
vtpm is the 14th container declared in rootfs.yml,
as a result it should get uid 114 (100+14), which matches the run-time uid I see in the container.
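The mismatch discussed above (adduser creates `vtpm` as uid 100/gid 101 in the image, while linuxkit writes uid 114/gid 114 into the service's OCI config) is easy to catch on the device with a small check. The script below is an added example written for this page, not code from the lf-edge/eve project or from linuxkit: it parses an /etc/passwd snippet and an OCI `config.json`, both constructed here from the output shown in the thread, and reports whether `process.user` matches the named user. The file contents and the `check_service_user` helper are assumptions for illustration; on a real device you would read `/etc/passwd` and `/containers/services/<name>/config.json` instead.

```python
"""Check that an OCI service really runs as the user the image created.

Added example (not eve or linuxkit code). Compares the uid/gid that the
runtime will start the process as (process.user in config.json) against
the uid/gid of a named account in /etc/passwd.
"""
import json

# Constructed sample input, shaped like the output shown in the PR thread.
PASSWD = """root:x:0:0:root:/root:/bin/sh
vtpm:x:100:101:vtpm:/nonexistent:/bin/false
"""

CONFIG_JSON = """{
  "ociVersion": "1.0.2-dev",
  "process": {
    "user": {"uid": 114, "gid": 114},
    "args": ["/usr/bin/init.sh"]
  }
}"""


def parse_passwd(text):
    """Return {name: (uid, gid)} for every well-formed line of passwd text."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue  # malformed line, skip rather than guess
        users[fields[0]] = (int(fields[2]), int(fields[3]))
    return users


def oci_process_user(config_text):
    """Return the (uid, gid) the OCI runtime will use for the entrypoint.

    The OCI spec treats an absent process.user as uid 0 / gid 0, so a
    config that never mentions a user silently runs the service as root.
    """
    cfg = json.loads(config_text)
    user = cfg.get("process", {}).get("user", {})
    return (int(user.get("uid", 0)), int(user.get("gid", 0)))


def check_service_user(passwd_text, config_text, expected_user):
    """Compare the runtime uid/gid with the named account's uid/gid.

    Returns a dict with the verdict so callers (or a systest) can assert
    on it instead of scraping printed output.
    """
    users = parse_passwd(passwd_text)
    actual = oci_process_user(config_text)
    result = {
        "actual": actual,
        "runs_as_root": actual[0] == 0,
        "expected": users.get(expected_user),
    }
    if expected_user not in users:
        result["ok"] = False
        result["reason"] = "user %r not present in passwd" % expected_user
        return result
    result["ok"] = users[expected_user] == actual
    result["reason"] = "match" if result["ok"] else (
        "config.json runs as uid/gid %s but %r is uid/gid %s"
        % (actual, expected_user, users[expected_user]))
    return result


if __name__ == "__main__":
    verdict = check_service_user(PASSWD, CONFIG_JSON, "vtpm")
    print("OK" if verdict["ok"] else "MISMATCH", verdict["reason"])
```

Run against the sample data it reports the 114 vs 100/101 mismatch from the thread; once the image creates the user with a fixed numeric uid and build.yml carries that same number, the same check passes. The `runs_as_root` flag is there because an OCI config with no `process.user` at all defaults to uid 0, which is the failure mode the PR description reports with `USER` being ignored.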
LGTM
This PR adjusts the vtpm container's configuration to run it as a non-root user.
Depends on #3986
I'm trying to make vtpm run as a non-root user. I have tried the USER configuration in the Dockerfile and also in the docker-compose file, but for some reason unknown to me it is not respected, and no matter what it gets executed as the root user at run time. This is a hacky way to make it run as a non-root user and be functional. Any alternative solution?