Skip to content

Commit

Permalink
Match file permissions for GID 0 as owner UID 101 (#3962)
Browse files Browse the repository at this point in the history
OpenShift has various restrictions by default. Notably for Nginx
Ingress Controller, it attempts to enforce randomized UID/GID as
part of `restricted` Security Context Constraint. Currently that
is not supported.

When a randomized UID/GID is assigned, the account running inside
of the container also is assigned a supplementary group membership
in the root group.

To prepare for enablement of the more restrictive SCCs, file
permissions should be tweaked. This change ensures that when
building the container, all files that get `chown`ed to `101:0`
also ensure the owner GID 0 has same permissions that UID 101 has.

Reference: https://cloud.redhat.com/blog/a-guide-to-openshift-and-uids
  • Loading branch information
sigv authored Aug 18, 2023
1 parent 0c643ca commit c44b1a5
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions build/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -221,6 +221,7 @@ RUN --mount=type=bind,target=/tmp [ -n "${BUILD_OS##*plus*}" ] && exit 0; mkdir
# run only on nap waf build
RUN --mount=type=bind,target=/tmp [ -n "${NAP_MODULES##*waf*}" ] && exit 0; mkdir -p /etc/nginx/waf/nac-policies /etc/nginx/waf/nac-logconfs /etc/nginx/waf/nac-usersigs /var/log/app_protect /opt/app_protect \
&& chown -R 101:0 /etc/app_protect /usr/share/ts /var/log/app_protect/ /opt/app_protect/ /var/log/nginx/ \
&& chmod -R g=u /etc/app_protect /usr/share/ts /var/log/app_protect/ /opt/app_protect/ /var/log/nginx/ \
&& touch /etc/nginx/waf/nac-usersigs/index.conf \
&& cp -a /tmp/build/log-default.json /etc/nginx

Expand All @@ -234,6 +235,7 @@ RUN --mount=type=bind,target=/tmp mkdir -p /var/lib/nginx /etc/nginx/secrets /et
&& [ -z "${BUILD_OS##*plus*}" ] && PLUS=-plus; cp -a /tmp/internal/configs/version1/nginx$PLUS.ingress.tmpl /tmp/internal/configs/version1/nginx$PLUS.tmpl \
/tmp/internal/configs/version2/nginx$PLUS.virtualserver.tmpl /tmp/internal/configs/version2/nginx$PLUS.transportserver.tmpl / \
&& chown -R 101:0 /etc/nginx /var/cache/nginx /var/lib/nginx /*.tmpl \
&& chmod -R g=u /etc/nginx /var/cache/nginx /var/lib/nginx /*.tmpl \
&& rm -f /etc/nginx/conf.d/* /etc/apt/apt.conf.d/90pkgs-nginx /etc/apt/sources.list.d/nginx-plus.list

# Uncomment the line below if you would like to add the default.pem to the image
Expand Down

0 comments on commit c44b1a5

Please sign in to comment.