#1776  Able to run OneDev as unprivileged user in container
Open
Jennings Zhang opened 2 months ago

In many Kubernetes environments it is a best practice to set the container user to be some arbitrary underprivileged UID. For example, this is a requirement on OpenShift.

I am trying to deploy onedev using Helm, with these values:

securityContext:
  runAsUser: 11111
  runAsGroup: 11111

The pod crashes, with the following logs:

/bin/bash: /root/bin/entrypoint.sh: Permission denied

This is because in the Dockerfile, code is stored in /root.

https://code.onedev.io/onedev/server/~files/bf56093cc4231963397f69d6a2f402d5715d87e9/server-product/docker/Dockerfile.server?position=source-25.1-25.32-1

My recommendation is to put code inside container images in a world-readable directory, for example, /app, /usr/local/bin, or /opt/onedev.
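The failure reported above can be checked before deployment. The following is an added example, not part of the original issue and not OneDev code: it walks a path inside an unpacked image filesystem and reports the first component that a UID which is neither owner nor group member (such as 11111:11111 against root-owned files) cannot pass. The function names, the /root mode of 0700 and the /opt/onedev/bin/entrypoint.sh path are assumptions, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example, not OneDev code. ROOT is an unpacked image filesystem,
# TARGET a path inside the image. Only the "other" permission bits are checked.

# other_bits PATH -> the three "other" permission characters, e.g. "r-x"
other_bits() {
    ls -ld -- "$1" | cut -c8-10
}

# first_blocked ROOT TARGET
# Prints the first image path a non-owner, non-group UID cannot pass and
# returns 1; returns 0 silently if TARGET is readable; 2 if a part is missing.
first_blocked() {
    root=${1%/}; target=$2; current=""
    old_ifs=$IFS; IFS=/
    set -f; set -- $target; set +f   # split TARGET on "/" without globbing
    IFS=$old_ifs
    for part in "$@"; do
        [ -n "$part" ] || continue
        current="$current/$part"
        [ -e "$root$current" ] || { echo "$current (missing)"; return 2; }
        bits=$(other_bits "$root$current")
        if [ -d "$root$current" ]; then
            # directories need the search bit (x, or t when sticky)
            case $bits in ??[xt]) ;; *) echo "$current"; return 1 ;; esac
        else
            # the script itself must be readable for /bin/bash to open it
            case $bits in r??) ;; *) echo "$current"; return 1 ;; esac
        fi
    done
    return 0
}

# Constructed sample tree: /root at mode 0700 (assumed) beside a
# hypothetical /opt/onedev layout.
make_sample_rootfs() {
    r=$(mktemp -d)
    mkdir -p "$r/root/bin" "$r/opt/onedev/bin"
    : > "$r/root/bin/entrypoint.sh"; : > "$r/opt/onedev/bin/entrypoint.sh"
    chmod 700 "$r/root"
    chmod 755 "$r/root/bin" "$r/opt" "$r/opt/onedev" "$r/opt/onedev/bin"
    chmod 755 "$r/root/bin/entrypoint.sh" "$r/opt/onedev/bin/entrypoint.sh"
    echo "$r"
}

demo_root=$(make_sample_rootfs)
echo "blocked at: $(first_blocked "$demo_root" /root/bin/entrypoint.sh)"
first_blocked "$demo_root" /opt/onedev/bin/entrypoint.sh && echo "/opt/onedev/bin/entrypoint.sh: ok"
rm -rf "$demo_root"
```

The check looks only at mode bits, so it does not account for ACLs, symlinks or a container that keeps GID 0.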

Robin Shen commented 2 months ago

This is not a bug. OneDev currently does not support running as a non-root user inside a container.

Robin Shen changed fields 2 months ago
Name: Type | Previous Value: Bug | Current Value: Improvement

Robin Shen changed title 2 months ago
Previous Value: Underprivileged container user
Current Value: Able to run OneDev as unprivileged user in docker

Robin Shen changed title 2 months ago
Previous Value: Able to run OneDev as unprivileged user in docker
Current Value: Able to run OneDev as unprivileged user in container

Type: Improvement
Priority: Normal
Assignee:
Labels: No labels
Reference: onedev/server#1776