default user inside container?

Ben Parees bparees at redhat.com
Mon Apr 27 02:56:14 UTC 2015


----- Original Message -----
> From: "Honza Horak" <hhorak at redhat.com>
> To: env-and-stacks at lists.fedoraproject.org
> Sent: Thursday, April 23, 2015 11:10:26 AM
> Subject: Re: default user inside container?
> 
> We touched on this problem in today's meeting but have not found a final
> solution yet; the log may be worth reading though:
> http://meetbot.fedoraproject.org/fedora-meeting-2/2015-04-23/env-and-stacks.2015-04-23-12.04.html
> 
> Honza
> 
> On 04/22/2015 07:22 PM, Honza Horak wrote:
> > Hey,
> >
> > Having in mind docker images for e.g. python, ruby, nodejs, with some
> > application written in those languages/frameworks already inside the
> > image (basically those where there is no specific user to be used, as
> > there is for daemons, for example), the application may run either as
> > root or as a non-root user (non-root should be the preferred way, right?)
> >
> > For cases where we need such a user, this user must have the expected
> > HOME, UID and GID so that they can be matched on the host, so after
> > taking inspiration from the openshift base image (but not copying
> > everything), what about:
> >
> >
> > ENV HOME /home/default
> > RUN mkdir -p ${HOME} && \
> >      groupadd -r default -f -g 333 && \
> >      useradd -u 333 -r -g default -d ${HOME} -s /sbin/nologin \
> >              -c "Default Application User" default
> >
> > The home directory is the first problem. May it be something in /home?
> > Or should we rather treat that user like the users for daemons and use
> > something like /var/lib/container-home?
> >
> > Then, what should the UID and GID be?
> >
> > Picking one from <1000 would exclude this user from some operations
> > that check MIN_UID explicitly and behave differently, but maybe it makes
> > sense -- we can treat that user as a special one, not an ordinary one;
> > personally, that is my preferred way.
> >
> > Picking one from >1000 could cause conflicts on the host in case the
> > same one already exists there.

For OpenShift we are planning to make the images we provide out of the box tolerate running as any UID. This is necessary to ensure that volume-mounted filesystems (e.g. NFS mounts for persistent storage) can be set up with appropriate security while being read by the container that mounts them.

For now this means either making certain paths world RW, or giving a particular group (of which everyone is a member) RW access to them.

You can see our first implementation for mysql here:
https://github.com/csrwng/mysql/commit/ccefa0cb9f5398e3aae01c22ad970b26dcff30a4

> >
> > Any ideas?
> >
> > Honza
> > _______________________________________________
> > env-and-stacks mailing list
> > env-and-stacks at lists.fedoraproject.org
> > https://lists.fedoraproject.org/mailman/listinfo/env-and-stacks


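The two approaches in the thread (a build-time default user with a fixed HOME/UID/GID, and images that tolerate running as any UID by handing data paths to a group every container user belongs to) can be combined into a small shell helper. The following is an added example, not code from the thread, from the Fedora images or from the OpenShift mysql commit linked above. It assumes the shared group is GID 0 (passed in explicitly rather than hard-coded) and a Linux image with GNU stat(1); the passwd-entry step is a companion technique the thread does not mention: a process running as an arbitrary UID has no /etc/passwd line, so HOME and `whoami` resolve to nothing unless the entrypoint registers the UID first. Paths, group and the passwd file are parameters so the example runs unprivileged.

```shell
#!/bin/sh
# Added example (not from the thread or OpenShift): make an image usable
# both by a fixed build-time user and by an arbitrary runtime UID.
#   1. fix_permissions: give data paths to a shared group (assumed GID 0 in a
#      real image) with group RW and setgid directories, so any UID in that
#      group can write them and new files inherit the group.
#   2. ensure_passwd_entry: register an unknown runtime UID in a passwd file
#      so HOME and `whoami` work (the file is a parameter for testability).
set -u

# fix_permissions GID DIR...
# Recursively chgrp DIRs to GID, add group read/write (X: execute only on
# directories and already-executable files), and set setgid on directories.
fix_permissions() {
    fp_gid=$1; shift
    for fp_dir in "$@"; do
        [ -d "$fp_dir" ] || mkdir -p "$fp_dir" || return 1
        chgrp -R "$fp_gid" "$fp_dir" || return 1
        chmod -R g+rwX "$fp_dir" || return 1
        find "$fp_dir" -type d -exec chmod g+s {} + || return 1
    done
}

# group_writable PATH GID
# Succeed only when PATH belongs to group GID and has the group write bit.
# Uses GNU stat(1) -c, so this assumes a Linux image.
group_writable() {
    gw_path=$1; gw_gid=$2
    gw_out=$(stat -c '%g %a' "$gw_path") || return 1
    set -- $gw_out
    [ "$1" = "$gw_gid" ] || return 1
    # $2 is the octal mode (e.g. 2775); a leading 0 makes the arithmetic octal.
    [ $(( 0$2 & 020 )) -ne 0 ]
}

# ensure_passwd_entry PASSWD_FILE UID GID HOME NAME
# Append a passwd line for UID if none exists; idempotent. In a real image
# this runs from the entrypoint against /etc/passwd, which then has to be
# writable by the shared group chosen above.
ensure_passwd_entry() {
    pe_file=$1; pe_uid=$2; pe_gid=$3; pe_home=$4; pe_name=$5
    if grep -q "^[^:]*:[^:]*:$pe_uid:" "$pe_file"; then
        return 0
    fi
    [ -w "$pe_file" ] || return 1
    printf '%s:x:%s:%s:Default Application User:%s:/sbin/nologin\n' \
        "$pe_name" "$pe_uid" "$pe_gid" "$pe_home" >> "$pe_file"
}

# run_as_arbitrary_uid PASSWD_FILE HOME CMD...
# Entrypoint-style wrapper: register the current UID, then run CMD.
run_as_arbitrary_uid() {
    ra_file=$1; ra_home=$2; shift 2
    ensure_passwd_entry "$ra_file" "$(id -u)" "$(id -g)" "$ra_home" default \
        || return 1
    HOME=$ra_home "$@"
}
```

In a Dockerfile the build-time call would be something like `RUN fix_permissions 0 /var/lib/mysql` after the fixed default user is created, and `run_as_arbitrary_uid /etc/passwd /home/default` would wrap the real command in the ENTRYPOINT; for that to work /etc/passwd itself must be made group-writable with the same helper, which is a deliberate widening of permissions and should be limited to that one file.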