[GitHub] fmaschler commented on issue #3579: Using non root user in controller
fmaschler commented on issue #3579: Using non root user in controller URL: https://github.com/apache/incubator-openwhisk/pull/3579#issuecomment-396215423 Great @rabbah! Hopefully this will speed up the discussion and solve the problem in #3603. This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
[GitHub] fmaschler commented on issue #3579: Using non root user in controller
fmaschler commented on issue #3579: Using non root user in controller URL: https://github.com/apache/incubator-openwhisk/pull/3579#issuecomment-391695352 This is good when you talk about INSIDE containers but this is about the OUTSIDE: The containers process on the host runs as root. > The best way to prevent privilege-escalation attacks from within a container is to configure your container’s applications to run as unprivileged users. For containers whose processes must run as the root user within the container, you can re-map this user to a less-privileged user on the Docker host. The question is if controller, kafka, invoker and the runtime containers all need to run as root? This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
[GitHub] fmaschler commented on issue #3579: Using non root user in controller
fmaschler commented on issue #3579: Using non root user in controller URL: https://github.com/apache/incubator-openwhisk/pull/3579#issuecomment-391314107 I'm not an expert in namespaces but I see what you mean. Though those container processes run as root on the host. Even if they may not have the same privilege inside the container this should be changed if there is no reason about it. This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
[GitHub] fmaschler commented on issue #3579: Using non root user in controller
fmaschler commented on issue #3579: Using non root user in controller URL: https://github.com/apache/incubator-openwhisk/pull/3579#issuecomment-390959318 Is there any update on this? This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
[GitHub] fmaschler commented on issue #3579: Using non root user in controller
fmaschler commented on issue #3579: Using non root user in controller URL: https://github.com/apache/incubator-openwhisk/pull/3579#issuecomment-387765815 I checked the namespaces but on the host the process still runs as root: ``` $ docker exec -i -t controller0 /bin/bash bash-4.3# ps PID USER TIME COMMAND 1 root 5:32 /usr/lib/jvm/java-8-oracle/bin/java -Djava.security.egd=file:/dev/./urandom -Xmx2g -XX:+ bash-4.3# exit $ ps -aux | grep java.security root 21745 9.2 6.7 5736432 545532 ? Ssl 13:46 5:54 /usr/lib/jvm/java-8-oracle/bin/java -Djava.security.egd=file:/dev/./urandom -Xmx2g -XX:+... ``` When I run the changed image it already fails at deployment while copying jmxremote to `/root/` @mcdan Do you mean the container logs? Cause they are owned by the non-root user. If the invoker reads the daemon log at `/var/log/upstart/docker.log` it feels like a security issue anyway. This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services