shell-image should specify to run as root when it needs it. #4761

Closed
mattmoor opened this issue Apr 14, 2022 · 3 comments · Fixed by #4762
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@mattmoor (Member)

Expected Behavior

A default nonroot version of shell-image can pass e2e testing without issues.

Actual Behavior

permission denied setting up PVCs.

@imjasonh brought up a great point about the script: semantics as well, which are probably being run as root due to the choice of default user today, but I have not confirmed.

Steps to Reproduce the Problem

Replace the -shell-image in config/controller.yaml with ghcr.io/distroless/busybox (which is nonroot by default).

@mattmoor mattmoor added the kind/bug Categorizes issue or PR as related to a bug. label Apr 14, 2022
@mattmoor (Member Author)

FYI this is the shell-image equivalent to: #4711

mattmoor added a commit to mattmoor/pipeline that referenced this issue Apr 14, 2022
This is very similar to tektoncd#4758 and tektoncd#4717 but for `shell-image`.  This switches the default user of the `shell-image` to `nonroot`, which forces Tekton to be explicit about all of the places it needs a shell as `root` using `runAsUser: 0`.

This also switches things over to a much leaner `busybox` image (no `glibc`), which is the main thing we use `base:debug` for with the OG distroless images.

Fixes: tektoncd#4761
Related: tektoncd#4752
@mattmoor (Member Author)

Ultimately the goal of this issue is to weaken this wording where root is required:

The shell image must be root in order to create directories and copy files to PVCs.

... to wording where the image must support running as root.

@mattmoor (Member Author)

One of the places that must be fixed up is here:

```go
// Tail of the PVC artifact helper: two shell-image steps, one creating the
// destination directory on the PVC and one copying the source tree into it.
// Neither sets a SecurityContext, so both inherit the image's default user.
return []v1beta1.Step{{Container: corev1.Container{
	Name:         names.SimpleNameGenerator.RestrictLengthWithRandomSuffix(fmt.Sprintf("source-mkdir-%s", name)),
	Image:        p.ShellImage,
	Command:      []string{"mkdir", "-p", destinationPath},
	VolumeMounts: []corev1.VolumeMount{GetPvcMount(p.Name)},
}}, {Container: corev1.Container{
	Name:         names.SimpleNameGenerator.RestrictLengthWithRandomSuffix(fmt.Sprintf("source-copy-%s", name)),
	Image:        p.ShellImage,
	Command:      []string{"cp", "-r", fmt.Sprintf("%s/.", sourcePath), destinationPath},
	VolumeMounts: []corev1.VolumeMount{GetPvcMount(p.Name)},
	Env: []corev1.EnvVar{{
		Name:  "TEKTON_RESOURCE_NAME",
		Value: name,
	}},
}}}
```

Clearly (from the comment) this code dealing with PVCs is one of the key places where the root requirement had originally stemmed from. I will see if/what else fails when these have an explicit runAsUser: 0 🤞
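The shape of the fix the thread is converging on, as an added example that is not Tekton's own code: the two PVC steps get an explicit `runAsUser: 0`, and a small audit walks a step list and reports any shell-image step that runs `mkdir` or `cp` without declaring a user. The `Container`, `SecurityContext` and `Step` types here are simplified stand-ins for the `corev1`/`v1beta1` types (an assumption for the example), the step names use fixed suffixes instead of the random ones in the real helper, and `AsRoot`, `PVCSteps` and `ImplicitRootSteps` are hypothetical names.

```go
package main

import "fmt"

// Simplified stand-ins for corev1.SecurityContext and corev1.Container.
// Assumption for this example: the real Tekton code uses the k8s.io/api types,
// whose fields of the same names these mirror.
type SecurityContext struct {
	RunAsUser *int64
}

type Container struct {
	Name            string
	Image           string
	Command         []string
	SecurityContext *SecurityContext
}

// Step mirrors v1beta1.Step, which embeds a Container.
type Step struct {
	Container
}

// AsRoot marks a step as explicitly requiring UID 0 (runAsUser: 0). Once the
// shell image defaults to nonroot, this is what lets mkdir/cp write to a PVC.
func AsRoot(s Step) Step {
	root := int64(0)
	if s.SecurityContext == nil {
		s.SecurityContext = &SecurityContext{}
	}
	s.SecurityContext.RunAsUser = &root
	return s
}

// PVCSteps builds the mkdir/cp pair from the issue, now explicitly root.
// Fixed name suffixes are an assumption for the example.
func PVCSteps(shellImage, name, sourcePath, destinationPath string) []Step {
	return []Step{
		AsRoot(Step{Container{
			Name:    "source-mkdir-" + name,
			Image:   shellImage,
			Command: []string{"mkdir", "-p", destinationPath},
		}}),
		AsRoot(Step{Container{
			Name:    "source-copy-" + name,
			Image:   shellImage,
			Command: []string{"cp", "-r", sourcePath + "/.", destinationPath},
		}}),
	}
}

// ImplicitRootSteps lists steps that run the shell image with a write command
// (mkdir or cp) but declare no user. These are the steps that silently relied
// on the old root default and fail with "permission denied" on a PVC once the
// image is nonroot.
func ImplicitRootSteps(steps []Step, shellImage string) []string {
	var out []string
	for _, s := range steps {
		if s.Image != shellImage || len(s.Command) == 0 {
			continue
		}
		writes := s.Command[0] == "mkdir" || s.Command[0] == "cp"
		explicit := s.SecurityContext != nil && s.SecurityContext.RunAsUser != nil
		if writes && !explicit {
			out = append(out, s.Name)
		}
	}
	return out
}

func main() {
	const shell = "ghcr.io/distroless/busybox" // nonroot by default
	fixed := PVCSteps(shell, "src", "/workspace/src", "/pvc/src")
	fmt.Println("missing explicit user (fixed):", ImplicitRootSteps(fixed, shell))

	// The pre-fix shape from the issue: same command, no SecurityContext.
	legacy := []Step{{Container{Name: "source-mkdir-src", Image: shell,
		Command: []string{"mkdir", "-p", "/pvc/src"}}}}
	fmt.Println("missing explicit user (legacy):", ImplicitRootSteps(legacy, shell))
}
```

Two things worth keeping in mind when applying this pattern. The explicit `runAsUser: 0` only works if the image can run as root at all, which is exactly the wording change proposed above (the image must support root, not default to it). And because the root requirement is now declared in the pod spec rather than hidden in the image, an admission policy that forbids `runAsUser: 0` (for example the restricted Pod Security Standard) will reject these steps instead of letting them run as root unnoticed, which is the point of making the requirement explicit.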

tekton-robot pushed a commit that referenced this issue Apr 15, 2022
chitrangpatel pushed a commit to chitrangpatel/pipeline that referenced this issue May 3, 2022