On Mon, Feb 12, 2024 at 5:37 PM Antony Jose anto346@gmail.com wrote:
Thanks Viktor for the response. Appreciate it. I have provided an attachment with the details. Dockerfile, kubectl error log and security context construct has been provided.
I am using sles15 bci as base os. Do we need add 389 user in Dockerfile? Please let me know if you want any further information.
The error: KeyError: 'getpwuid(): uid not found: 389' indicates that there is no 389 uid found inside the container.
When the 389-ds package is installed, dirsrv user is created by using systemd-sysusers configuration. In Fedora/RHEL it has a preference for 389 uid/gid: https://src.fedoraproject.org/rpms/389-ds-base/blob/rawhide/f/389-ds-base.sy... But in SUSE it has no preference and takes the first available uid/gid: https://build.opensuse.org/package/view_file/network:ldap/389-ds/dirsrv-user...
a28855ee79c7:/ # cat /etc/passwd root:x:0:0:root:/root:/bin/bash dirsrv:x:499:486:User for 389 directory server:/var/lib/dirsrv:/sbin/nologin
So in your case dirsrv user has 499 as the uid and 486 as gid. I don't know how stable these mappings are. And securityContext accepts these values as int64 only, so it's not possible to specify 'dirsrv' user: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v...
You can add dirsrv user and group with 389 uid/gid before installing 389-ds. And then use 389 as runAsUser and fsGroup values.
HTH
On Mon, Feb 12, 2024 at 9:38 PM Viktor Ashirov vashirov@redhat.com wrote:
Hi Antony,
On Mon, Feb 12, 2024 at 3:37 PM Mark Reynolds mareynol@redhat.com wrote:
Forwarding to the correct list....
-------- Forwarded Message -------- Subject: dscontainer as non root Date: Mon, 12 Feb 2024 20:01:09 +0530 From: Antony Jose anto346@gmail.com anto346@gmail.com To: 389-users-owner@lists.fedoraproject.org
Hi, Can we run dscontainer as non root process. I have deployed dscontainer on k8s cluster as root user. However running as root user is not the best security practice. Is there a tested way we can reliably run ds389 as non root user. I tried tweaking security policies to use a non root user. However, I get errors during dscontainer start up.
dscontainer certainly can run as non-root user, in the doc that you linked there is a securityContext section with runAsUser and fsGroup values that are set to 389, which is dirsrv user.
Can you share errors that you get? Thanks.
Took inspiration from this doc https://www.port389.org/docs/389ds/howto/howto-deploy-389ds-on-openshift.htm...
Regards Antony -- _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
-- Viktor
389-users@lists.fedoraproject.org