Don't run the app as root #466

Merged
merged 1 commit into from
Apr 24, 2020

@carbonin carbonin commented Apr 23, 2020

What this PR does / why we need it:
This makes the orchestrator and work pods run in the restricted scc rather than anyuid.

A bunch of certifications require us not to run as root
in containers. Additionally, the vast majority of the application
should run fine without root, and the parts that need root are
typically things we can't do in containers anyway.

Specifically, this changes the permissions of some directories to
allow the root group access, which is what we'll be running as when
using the restricted scc in OpenShift.

Related to #442

Special notes for your reviewer:

Merge with ManageIQ/manageiq#20095
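
The directory change described above (giving the root group access so an arbitrary non-root UID with GID 0 can use the tree under the restricted SCC) is usually done at image build time with `chgrp -R 0` plus `chmod -R g=u`. The following is an added example, not code from this PR or from ManageIQ: a POSIX shell helper that applies that idiom and audits a tree for paths the group still cannot use the way the owner can. The function names and the paths in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example (not from the PR). Assumes a Linux image with POSIX find/ls/awk.

# Build-time fix, run as root during the image build: hand the tree to the
# target group (GID 0 for the restricted SCC) and copy the owner's
# permission bits onto the group.
fix_group_access() {
  root=$1; want_gid=${2:-0}
  chgrp -R "$want_gid" "$root" && chmod -R g=u "$root"
}

# Audit: list every non-symlink path under $1 whose group is not $2
# (default 0) or whose group rwx bits differ from the owner's.
# Returns 0 if clean, 1 if findings were printed, 2 if the path is missing.
# Limitation: file names containing newlines are not handled.
audit_group_access() {
  root=$1; want_gid=${2:-0}
  if [ ! -e "$root" ]; then
    echo "missing: $root" >&2
    return 2
  fi
  # ls -ldn prints: mode links uid gid ...; LC_ALL=C keeps the layout stable.
  findings=$(LC_ALL=C find "$root" ! -type l -exec ls -ldn {} + |
    awk -v gid="$want_gid" '{
      u = substr($1, 2, 3); g = substr($1, 5, 3)
      # setuid/setgid show up as s/S in the execute slot; compare rwx only
      gsub(/s/, "x", u); gsub(/S/, "-", u)
      gsub(/s/, "x", g); gsub(/S/, "-", g)
      if ($4 != gid || u != g) print "NOT OK: " $0
    }')
  if [ -z "$findings" ]; then
    return 0
  fi
  printf '%s\n' "$findings"
  return 1
}

# Usage in a Dockerfile RUN step (hypothetical paths):
#   fix_group_access /var/www/app/log && audit_group_access /var/www/app/log
```

Running the audit again in the built image, or in CI against the image filesystem, catches directories added later without the group fix before they fail at runtime under an arbitrary UID.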


miq-bot commented Apr 23, 2020

Checked commit carbonin@91248cd with ruby 2.5.7, rubocop 0.69.0, haml-lint 0.28.0, and yamllint
1 file checked, 1 offense detected

  • 💣 💥 🔥 🚒 - Linter/Yaml - missing config files

@bdunne bdunne merged commit 4208109 into ManageIQ:master Apr 24, 2020
@bdunne bdunne assigned bdunne and unassigned Fryguy Apr 24, 2020
@carbonin carbonin deleted the dont_run_app_as_root branch April 29, 2020 18:50
simaishi pushed a commit that referenced this pull request May 1, 2020
Don't run the app as root

(cherry picked from commit 4208109)

simaishi commented May 1, 2020

Jansa backport details:

$ git log -1
commit fbc19317aac0941697e148a7817c46c825075924
Author: Brandon Dunne <[email protected]>
Date:   Fri Apr 24 14:45:39 2020 -0400

    Merge pull request #466 from carbonin/dont_run_app_as_root

    Don't run the app as root

    (cherry picked from commit 420810947f374f936106a94638765dc6ead01d31)
