
Comments (5)

jCOTINEAU avatar jCOTINEAU commented on August 11, 2024

Hello @jonasrutishauser thanks a lot for taking the time to participate in the community.

This is very interesting, we have actually been following the gid 0 principle to be compatible with Openshift and more specifically with anyUserID setups (see https://docs.openshift.com/container-platform/3.11/creating_images/guidelines.html, Support Arbitrary User IDs).

Do you have clues towards what setup, in terms of permissions in the Dockerfile, should be set by now to allow any UID setup?

from docker-sonarqube.

jonasrutishauser avatar jonasrutishauser commented on August 11, 2024

I just found a solution which should work at the moment (no change needed in the docker image).
As there is no runAsNonRootGroup at the moment, it is enough to not set the group explicitly and only set the fsGroup to something which is not 0.
This means the chart can be configured like the following:

securityContext:
  fsGroup: 1000
containerSecurityContext:
  runAsGroup: null
initContainers:
  securityContext:
    runAsGroup: null

Eventually this could be reflected in the official chart such that it is not needed to remove some values.

jCOTINEAU avatar jCOTINEAU commented on August 11, 2024

Unfortunately, inside the Docker image we do set some permissions on files (some read only, some writeable) and we use the groupId to make sure that any user ID can be picked.

If we go to runAsGroup: null and fsGroup: any, then it means that from the docker filesystem point of view we will have to rely on allowing read only for everyone and write for everyone.

While this looks okay to me in a container context from a security point of view (we were in this situation for a bit), it looks like industry standards (openshift) are not going in this direction.

leobr29 avatar leobr29 commented on August 11, 2024

Hi @jCOTINEAU,

Some production environments already ban the use of uid or gid = 0 to run a container.

Why not use a gid != 0 as was the case before? I was already able to manage Arbitrary User IDs with this kind of command:

docker run -u 9999:9999 --group-add 1000 sonarqube

Best,
Leo.

jCOTINEAU avatar jCOTINEAU commented on August 11, 2024

Hello @leobr29, mostly to follow the Openshift guidelines.

They dynamically fix, at runtime, a random UID and a gid of 0, which makes it impossible to predict the UID to use inside the Dockerfile.

We are investigating this topic again, to find the best setup. Nonetheless, it will be hard to have something working for every possible runtime and every security policy.

Thanks a lot for keeping this discussion open, if you have any other information on the topic feel free to add them here.

Best,
Jeremy
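To make the permission arguments in this thread concrete, here is an added example (not code from the docker-sonarqube image or chart) that models the POSIX owner/group/other check and evaluates the three setups discussed: the OpenShift arbitrary-UID-with-gid-0 pattern, Leo's `-u 9999:9999 --group-add 1000` command, and Jonas's `runAsGroup: null` plus `fsGroup: 1000` chart values. All uids, gids, modes and file owners below are constructed illustrations, not values taken from the real image.

```python
# Added example, not part of docker-sonarqube: a model of the kernel's
# permission-class selection (owner, then group, else other; no root override),
# used to show which setups let an arbitrary UID write to image files.
from dataclasses import dataclass


@dataclass(frozen=True)
class FileInfo:
    uid: int
    gid: int
    mode: int          # permission bits only, e.g. 0o775


@dataclass(frozen=True)
class Proc:
    uid: int
    gid: int                         # primary gid (runAsGroup / -u uid:gid)
    groups: frozenset = frozenset()  # supplementary gids (fsGroup / --group-add)


def can_write(f: FileInfo, p: Proc) -> bool:
    """Select the class the way the kernel does, then test only its write bit."""
    if p.uid == f.uid:
        shift = 6
    elif f.gid == p.gid or f.gid in p.groups:
        shift = 3
    else:
        shift = 0
    return bool((f.mode >> shift) & 0o2)


# Constructed files: built the OpenShift way (group 0, g=u), the older way
# (dedicated group 1000), and the world-writable fallback Jeremy mentions.
GID0_FILE = FileInfo(uid=1000, gid=0, mode=0o775)
GID1000_FILE = FileInfo(uid=1000, gid=1000, mode=0o770)
WORLD_FILE = FileInfo(uid=1000, gid=0, mode=0o777)


def scenarios() -> dict:
    """Constructed processes for each option in the thread (uids are made up)."""
    fsgroup_proc = Proc(9999, 1000, frozenset({1000}))  # assumes primary gid != 0
    return {
        # OpenShift: random uid, primary gid forced to 0 -> group class of GID0_FILE.
        "openshift_random_uid_gid0": can_write(GID0_FILE, Proc(1000650000, 0)),
        # Leo: -u 9999:9999 --group-add 1000 -> supplementary group matches.
        "docker_u9999_group_add_1000": can_write(GID1000_FILE, Proc(9999, 9999, frozenset({1000}))),
        # Jonas's values against image files that still carry group 0 -> other class.
        "chart_fsgroup_1000_gid0_files": can_write(GID0_FILE, fsgroup_proc),
        # Same process once files are world-writable, the fallback Jeremy describes.
        "chart_fsgroup_1000_world_files": can_write(WORLD_FILE, fsgroup_proc),
    }
```

The third scenario is the one that fails: a non-zero primary gid with only a supplementary fsGroup cannot use the group class of gid-0 files, which is exactly why the image would have to fall back to world read/write permissions.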
