在 Cirrus/Kubernetes 环境中以特定的非 root 用户身份运行 Docker 容器

Question

When I run the entrypoint using a docker-compose statement locally, I can get the system to act as the bluecost user. However, when I do this on IBM Hybrid Cloud, it runs it as a random user with a root GID.

Below is my Dockerfile, I doubt all of this is relevant, but I wanted to be complete in case I mis-understood something.

My thought was, the USER statement switches the user the ENTRYPOINT runs as. If I needed to switch when actually building the container, I could have just done sudo or su . My intent and desire is that it runs /ssc/bin/put-and-submit-ssh.sh as USER bluecost.

Is it possible to run su ssc/bin/put-and-submit-ssh.sh somehow to force it to do this?

FROM registry.access.redhat.com/ubi8
RUN yum update
RUN yum install -y git
RUN yum install -y openssh-clients
RUN yum module reset -y perl
RUN yum module enable -y perl:5.30
RUN yum install -y --nobest --allowerasing perl
RUN yum install -y openssl-devel
RUN yum install -y iputils
ENV PERL_MM_USE_DEFAULT 1
RUN cpan install -f Net::SSL 
RUN cpan install -f inc:latest 
RUN cpan install -f Net::FTPSSL
RUN cpan install -f Net::SCP
RUN cpan install -f Net::SSH::Perl::Kex
RUN cpan install -f Net::SSH::Perl
RUN cpan install -f IPC::Run
RUN cpan install -f IPC::Run3
RUN yum install -y wget
RUN cpan install -f App::cpanminus
RUN curl -L https://cpanmin.us/ -o /bin/cpanm
RUN chmod +x /bin/cpanm
RUN useradd -r -u 1000 -g root bluecost
RUN mkdir /ssc
RUN mkdir /host-dirs
RUN chown --recursive bluecost:root ssc host-dirs 
RUN mkdir /home/bluecost
RUN mkdir /home/bluecost/.ssh
RUN echo "StrictHostKeyChecking no" > /home/bluecost/.ssh/config
RUN mkdir /root/.ssh
RUN echo "StrictHostKeyChecking no" > /root/.ssh/config
RUN chown -R bluecost:root /home/bluecost
RUN yum install -y sudo
RUN echo "bluecost ALL=(ALL) NOPASSWD: ALL"  >>/etc/sudoers
RUN yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
RUN yum install -y sshpass
RUN yum install -y rsh
USER bluecost
COPY --chown=bluecost:root . /ssc
RUN chmod --recursive 555 ./ssc 
RUN chmod a+x /ssc/bin /ssc/tls /ssc/tls/certs
RUN chmod g+rx host-dirs 
ENTRYPOINT ["/ssc/bin/put-and-submit-ssh.sh"]

Answer 1

OpenShift docs have an article on Creating images . Section OpenShift Container Platform-specific guidelines > Support arbitrary user ids states

By default, OpenShift Container Platform runs containers using an arbitrarily assigned user ID. This provides additional security against processes escaping the container due to a container engine vulnerability and thereby achieving escalated permissions on the host node.

So it seems running as user with root GID is by design.

For an image to support running as an arbitrary user, directories and files that are written to by processes in the image must be owned by the root group and be read/writable by that group. Files to be executed must also have group execute permissions.

Adding the following to your Dockerfile sets the directory and file permissions to allow users in the root group to access them in the built image:

 RUN chgrp -R 0 /some/directory && \\ chmod -R g=u /some/directory