On Mon, Feb 12, 2024 at 5:37 PM Antony Jose <anto...@gmail.com> wrote:
> Thanks Viktor for the response. Appreciate it. > I have provided an attachment with the details. Dockerfile, kubectl error > log and security context construct has been provided. > > I am using sles15 bci as base os. Do we need add 389 user in Dockerfile? > Please let me know if you want any further information. > The error: KeyError: 'getpwuid(): uid not found: 389' indicates that there is no 389 uid found inside the container. When the 389-ds package is installed, dirsrv user is created by using systemd-sysusers configuration. In Fedora/RHEL it has a preference for 389 uid/gid: https://src.fedoraproject.org/rpms/389-ds-base/blob/rawhide/f/389-ds-base.sysusers But in SUSE it has no preference and takes the first available uid/gid: https://build.opensuse.org/package/view_file/network:ldap/389-ds/dirsrv-user.conf?expand=1 a28855ee79c7:/ # cat /etc/passwd root:x:0:0:root:/root:/bin/bash dirsrv:x:499:486:User for 389 directory server:/var/lib/dirsrv:/sbin/nologin So in your case dirsrv user has 499 as the uid and 486 as gid. I don't know how stable these mappings are. And securityContext accepts these values as int64 only, so it's not possible to specify 'dirsrv' user: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context You can add dirsrv user and group with 389 uid/gid before installing 389-ds. And then use 389 as runAsUser and fsGroup values. HTH > > > > On Mon, Feb 12, 2024 at 9:38 PM Viktor Ashirov <vashi...@redhat.com> > wrote: > >> Hi Antony, >> >> On Mon, Feb 12, 2024 at 3:37 PM Mark Reynolds <marey...@redhat.com> >> wrote: >> >>> Forwarding to the correct list.... >>> >>> >>> -------- Forwarded Message -------- >>> Subject: dscontainer as non root >>> Date: Mon, 12 Feb 2024 20:01:09 +0530 >>> From: Antony Jose <anto...@gmail.com> <anto...@gmail.com> >>> To: 389-users-ow...@lists.fedoraproject.org >>> >>> Hi, >>> Can we run dscontainer as non root process. I have deployed >>> dscontainer on k8s cluster as root user. However running as root user is >>> not the best security practice. Is there a tested way we can reliably run >>> ds389 as non root user. I tried tweaking security policies to use a non >>> root user. However, I get errors during dscontainer start up. >>> >> dscontainer certainly can run as non-root user, in the doc that you >> linked there is a securityContext section with runAsUser and fsGroup values >> that are set to 389, which is dirsrv user. >> >> Can you share errors that you get? >> Thanks. >> >> >>> >>> Took inspiration from this doc >>> https://www.port389.org/docs/389ds/howto/howto-deploy-389ds-on-openshift.html >>> >>> >>> Regards >>> Antony >>> -- >>> _______________________________________________ >>> 389-users mailing list -- 389-users@lists.fedoraproject.org >>> To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org >>> Fedora Code of Conduct: >>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >>> List Archives: >>> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org >>> Do not reply to spam, report it: >>> https://pagure.io/fedora-infrastructure/new_issue >>> >> >> >> -- >> Viktor >> > -- Viktor
-- _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
