Specify mysql as container user #598

Closed

mmontes11
Contributor

Explicitly declare mysql as the container user to be compliant with RedHat container certification:

Without this, the certifications tests fail:

Run make preflight-image-submit
/home/runner/work/mariadb-enterprise-server-docker/mariadb-enterprise-server-docker/bin/preflight check container mariadb:11.4.2-ubi\
	--submit \
	--pyxis-api-token=*** \
	--certification-project-id=***\
	--docker-config /home/runner/.docker/config.json  
time="2024-07-03T13:06:28Z" level=info msg="certification library version" version="1.9.4 <commit: 7abf1ac0cc2c9156a16557d532da5d365b662423>"
time="2024-07-03T13:06:29Z" level=info msg="running checks for mariadb:11.4.2-ubi for platform amd64"
time="2024-07-03T13:06:30Z" level=info msg="target image" image="mariadb:11.4.2-ubi"
time="2024-07-03T13:06:42Z" level=info msg="check completed" check=HasLicense result=PASSED
time="2024-07-03T13:06:42Z" level=info msg="check completed" check=HasUniqueTag result=PASSED
time="2024-07-03T13:06:42Z" level=info msg="check completed" check=LayerCountAcceptable result=PASSED
time="2024-07-03T13:06:42Z" level=info msg="check completed" check=HasNoProhibitedPackages result=PASSED
time="2024-07-03T13:06:42Z" level=info msg="check completed" check=HasRequiredLabel result=PASSED
time="2024-07-03T13:06:42Z" level=info msg="detected empty USER. Presumed to be running as root"
time="2024-07-03T13:06:42Z" level=info msg="USER value must be provided and be a non-root value for this check to pass"
time="2024-07-03T13:06:42Z" level=info msg="check completed" check=RunAsNonRoot result=FAILED
time="2024-07-03T13:06:51Z" level=info msg="check completed" check=HasModifiedFiles result=PASSED
time="2024-07-03T13:06:52Z" level=info msg="check completed" check=BasedOnUbi result=PASSED
time="2024-07-03T13:06:52Z" level=info msg="This image's tag 11.4.2-ubi will be paired with digest sha256:39d890585ce0b56da608121b8cb3c429cc40ed37a9478fb60f1b19001f4db57a once this image has been published in accordance with Red Hat Certification policy. You may then add or remove any supplemental tags through your Red Hat Connect portal as you see fit."
time="2024-07-03T13:06:52Z" level=info msg="preparing results that will be submitted to Red Hat"
{
    "image": "mariadb:11.4.2-ubi",
    "passed": false,
    "test_library": {
        "name": "github.com/redhat-openshift-ecosystem/openshift-preflight",
        "version": "1.9.4",
        "commit": "7abf1ac0cc2c9156a16557d532da5d365b662423"
    },
    "results": {
        "passed": [
            {
                "name": "HasLicense",
                "elapsed_time": 0,
                "description": "Checking if terms and conditions applicable to the software including open source licensing information are present. The license must be at /licenses"
            },
            {
                "name": "HasUniqueTag",
                "elapsed_time": 0,
                "description": "Checking if container has a tag other than 'latest', so that the image can be uniquely identified."
            },
            {
                "name": "LayerCountAcceptable",
                "elapsed_time": 0,
                "description": "Checking if container has less than 40 layers.  Too many layers within the container images can degrade container performance."
            },
            {
                "name": "HasNoProhibitedPackages",
                "elapsed_time": 78,
                "description": "Checks to ensure that the image in use does not include prohibited packages, such as Red Hat Enterprise Linux (RHEL) kernel packages."
            },
            {
                "name": "HasRequiredLabel",
                "elapsed_time": 0,
                "description": "Checking if the required labels (name, vendor, version, release, summary, description) are present in the container metadata."
            },
            {
                "name": "HasModifiedFiles",
                "elapsed_time": 8610,
                "description": "Checks that no files installed via RPM in the base Red Hat layer have been modified"
            },
            {
                "name": "BasedOnUbi",
                "elapsed_time": 1413,
                "description": "Checking if the container's base image is based upon the Red Hat Universal Base Image (UBI)"
            }
        ],
        "failed": [
            {
                "name": "RunAsNonRoot",
                "elapsed_time": 2,
                "description": "Checking if container runs as the root user because a container that does not specify a non-root user will fail the automatic certification, and will be subject to a manual review before the container can be approved for publication",
                "help": "Check RunAsNonRoot encountered an error. Please review the preflight.log file for more information.",
                "suggestion": "Indicate a specific USER in the dockerfile or containerfile",
                "knowledgebase_url": "https://access.redhat.com/documentation/en-us/red_hat_software_certification/2024/html-single/red_hat_openshift_software_certification_policy_guide/index#assembly-requirements-for-container-images_openshift-sw-cert-policy-introduction",
                "check_url": "https://access.redhat.com/documentation/en-us/red_hat_software_certification/2024/html-single/red_hat_openshift_software_certification_policy_guide/index#assembly-requirements-for-container-images_openshift-sw-cert-policy-introduction"
            }
        ],
        "errors": []
    }
}

But it can easily be fixed by adding USER mysql:

Run make preflight-image-submit
/home/runner/work/mariadb-enterprise-server-docker/mariadb-enterprise-server-docker/bin/preflight check container mariadbmmontes/mariadb:11.4-ubi\
	--submit \
	--pyxis-api-token=*** \
	--certification-project-id=***\
	--docker-config /home/runner/.docker/config.json  
time="2024-07-03T13:32:02Z" level=info msg="certification library version" version="1.9.4 <commit: 7abf1ac0cc2c9156a16557d532da5d365b662423>"
time="2024-07-03T13:32:03Z" level=info msg="running checks for mariadbmmontes/mariadb:11.4-ubi for platform amd64"
time="2024-07-03T13:32:04Z" level=info msg="target image" image="mariadbmmontes/mariadb:11.4-ubi"
time="2024-07-03T13:32:17Z" level=info msg="check completed" check=HasLicense result=PASSED
time="2024-07-03T13:32:17Z" level=info msg="check completed" check=HasUniqueTag result=PASSED
time="2024-07-03T13:32:17Z" level=info msg="check completed" check=LayerCountAcceptable result=PASSED
time="2024-07-03T13:32:17Z" level=info msg="check completed" check=HasNoProhibitedPackages result=PASSED
time="2024-07-03T13:32:17Z" level=info msg="check completed" check=HasRequiredLabel result=PASSED
time="2024-07-03T13:32:17Z" level=info msg="USER mysql specified that is non-root"
time="2024-07-03T13:32:17Z" level=info msg="check completed" check=RunAsNonRoot result=PASSED
time="2024-07-03T13:32:26Z" level=info msg="check completed" check=HasModifiedFiles result=PASSED
time="2024-07-03T13:32:27Z" level=info msg="check completed" check=BasedOnUbi result=PASSED
time="2024-07-03T13:32:27Z" level=info msg="This image's tag 11.4-ubi will be paired with digest sha256:929c790b1f2fe6b338dbf47a1ee6548f206809402de02e25c20aaeed287d94b3 once this image has been published in accordance with Red Hat Certification policy. You may then add or remove any supplemental tags through your Red Hat Connect portal as you see fit."
{
    "image": "mariadbmmontes/mariadb:11.4-ubi",
    "passed": true,
    "test_library": {
        "name": "github.com/redhat-openshift-ecosystem/openshift-preflight",
        "version": "1.9.4",
        "commit": "7abf1ac0cc2c9156a16557d532da5d365b662423"
    },
    "results": {
        "passed": [
            {
                "name": "HasLicense",
                "elapsed_time": 0,
                "description": "Checking if terms and conditions applicable to the software including open source licensing information are present. The license must be at /licenses"
            },
            {
                "name": "HasUniqueTag",
                "elapsed_time": 0,
                "description": "Checking if container has a tag other than 'latest', so that the image can be uniquely identified."
            },
            {
                "name": "LayerCountAcceptable",
                "elapsed_time": 0,
                "description": "Checking if container has less than 40 layers.  Too many layers within the container images can degrade container performance."
            },
            {
                "name": "HasNoProhibitedPackages",
                "elapsed_time": 68,
                "description": "Checks to ensure that the image in use does not include prohibited packages, such as Red Hat Enterprise Linux (RHEL) kernel packages."
            },
            {
                "name": "HasRequiredLabel",
                "elapsed_time": 0,
                "description": "Checking if the required labels (name, vendor, version, release, summary, description) are present in the container metadata."
            },
            {
                "name": "RunAsNonRoot",
                "elapsed_time": 0,
                "description": "Checking if container runs as the root user because a container that does not specify a non-root user will fail the automatic certification, and will be subject to a manual review before the container can be approved for publication"
            },
            {
                "name": "HasModifiedFiles",
                "elapsed_time": 8648,
                "description": "Checks that no files installed via RPM in the base Red Hat layer have been modified"
            },
            {
                "name": "BasedOnUbi",
                "elapsed_time": 1322,
                "description": "Checking if the container's base image is based upon the Red Hat Universal Base Image (UBI)"
            }
        ],
        "failed": [],
        "errors": []
    }
}
time="2024-07-03T13:32:27Z" level=info msg="preparing results that will be submitted to Red Hat"
time="2024-07-03T13:32:35Z" level=info msg="Test results have been submitted to Red Hat."
time="2024-07-03T13:32:35Z" level=info msg="These results will be reviewed by Red Hat for final certification."
time="2024-07-03T13:32:35Z" level=info msg="The container's image id is: 668552eee45daa25e3771a3d."
time="2024-07-03T13:32:35Z" level=info msg="Please check https://connect.redhat.com/projects/6663409ad61a11fcb8a08e8c/images/668552eee45daa25e3771a3d/scan-results to view scan results."
time="2024-07-03T13:32:35Z" level=info msg="Please check https://connect.redhat.com/projects/6663409ad61a11fcb8a08e8c/overview to monitor the progress."
time="2024-07-03T13:32:35Z" level=info msg="Preflight result: PASSED"
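The failing RunAsNonRoot check above keys entirely on the image's USER value. The script below is an added example, not part of this PR or of the preflight tool, that reproduces the same decision locally from a Dockerfile before anything is built or submitted: the last USER of the final build stage is what counts, an absent USER is presumed root (as the preflight log says), and `root`, `0` or `0:0` fail. It goes a step beyond the single case in the log by handling multi-stage files, where USER resets at each FROM. The three sample Dockerfiles it writes to temporary files are constructed for the demonstration and are not the project's own.

```shell
#!/bin/sh
# Added example: a local approximation of preflight's RunAsNonRoot check,
# evaluated against a Dockerfile rather than a built image. Not part of the
# PR or of openshift-preflight; USER values via ARG substitution are out of scope.

# effective_user FILE -> prints the USER value of the final build stage
# (empty string when the final stage never sets one).
effective_user() {
  awk '
    toupper($1) == "FROM" { user = "" }   # a new stage starts: USER resets
    toupper($1) == "USER" { user = $2 }   # the last USER in a stage wins
    END { print user }
  ' "$1"
}

# run_as_non_root FILE -> "PASSED" or "FAILED", mirroring the check result.
run_as_non_root() {
  u=$(effective_user "$1")
  # Strip an optional ":group" suffix, e.g. "mysql:mysql" or "1000:1000".
  uid_part=${u%%:*}
  case "$uid_part" in
    "" | root | 0) echo "FAILED" ;;   # no USER, or an explicit root user
    *)             echo "PASSED" ;;
  esac
}

# Constructed sample inputs (not the project's Dockerfiles).
DF_ROOT=$(mktemp)
printf 'FROM ubi9/ubi\nRUN useradd mysql\n' > "$DF_ROOT"          # no USER
DF_MYSQL=$(mktemp)
printf 'FROM ubi9/ubi\nRUN useradd mysql\nUSER mysql\n' > "$DF_MYSQL"
DF_MULTI=$(mktemp)                                                    # final stage is root
printf 'FROM golang AS build\nUSER nobody\nFROM ubi9/ubi\nUSER 0:0\n' > "$DF_MULTI"
trap 'rm -f "$DF_ROOT" "$DF_MYSQL" "$DF_MULTI"' EXIT

for f in "$DF_ROOT" "$DF_MYSQL" "$DF_MULTI"; do
  printf '%s: USER=%s RunAsNonRoot=%s\n' "$f" "$(effective_user "$f")" "$(run_as_non_root "$f")"
done
```

Running this in CI on the Dockerfile gives the same verdict as the preflight check without a build, so a missing or root USER is caught before the submit step. Once a fix like this PR's `USER mysql` is in place, the final stage reports PASSED.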

@mmontes11 changed the title from Specify "mysql" as container user to Specify mysql as container user (Jul 3, 2024)
@grooverdan
Member

Can't really: https://mariadb.com/kb/en/docker-official-image-frequently-asked-questions/#why-does-the-mariadb-container-start-as-root

See #461

Certification provides the option "Indicate that the container requires privileged host-level access in the certification project settings. This setting is subject to Red Hat review."

While k8s provides init containers, the base container as a singleton can't.

Note: "Red Hat" - always two words.

@grooverdan
Member

@tianon @yosifkit,

@mmontes11 is right, named volumes get permissions of USER from ~3 years ago at least - containers/podman#10776. Think it's fair to add USER and/or remove the gosu exec dance?

A reworking of the test from #461 (which failed due to a second mounting problem fixed in v5.1.0):

$ podman volume rm us
us
$ podman volume create us
us
$ cd /tmp
$ mkdir b
$ cd b
$ vi Dockerfile
$ cat Dockerfile 
FROM ubuntu:22.04

# Create user and group
RUN groupadd -g 2000 dailyprophet
RUN useradd -u 2001 -g 2000 dailyprophet

# Set ownership of the mysql directory
RUN mkdir -p /test && chown -R dailyprophet:dailyprophet /test

USER dailyprophet

VOLUME /test
$ buildah bud --tag dailyprofit .
STEP 1/6: FROM ubuntu:22.04
Trying to pull docker.io/library/ubuntu:22.04...
Getting image source signatures
Copying blob 3713021b0277 done   | 
Copying config 8a3cdc4d1a done   | 
Writing manifest to image destination
STEP 2/6: RUN groupadd -g 2000 dailyprophet
--> e3c3b9e578cf
STEP 3/6: RUN useradd -u 2001 -g 2000 dailyprophet
--> 4e5aa92ed8c6
STEP 4/6: RUN mkdir -p /test && chown -R dailyprophet:dailyprophet /test
--> f368d0e6f2ee
STEP 5/6: USER dailyprophet
--> 9e9235a0bd84
STEP 6/6: VOLUME /test
COMMIT dailyprofit
--> 8c6f295a3d36
Successfully tagged localhost/dailyprofit:latest
8c6f295a3d364b3e1c77a41c43bdea3a5756c60db2c3836c7b90c27e211a9e9b
$ podman run --rm dailyprofit ls -la /test
total 12
drwxr-xr-x. 2 dailyprophet dailyprophet 4096 Jul  4 08:59 .
dr-xr-xr-x. 1 root         root         4096 Jul  4 09:00 ..
$ podman run --rm -v us:/test  dailyprofit ls -la /test
total 12
drwxr-xr-x. 2 dailyprophet dailyprophet 4096 Jul  4 08:59 .
dr-xr-xr-x. 1 root         root         4096 Jul  4 09:00 ..
$ podman run --rm -v us:/test  dailyprofit  touch /test/make_a_file.txt
$ podman --version
podman version 5.1.1
$ podman run --rm -v us:/test  dailyprofit ls -la /test
total 12
drwxr-xr-x. 2 dailyprophet dailyprophet 4096 Jul  4 09:01 .
dr-xr-xr-x. 1 root         root         4096 Jul  4 09:03 ..
-rw-r--r--. 1 dailyprophet dailyprophet    0 Jul  4 09:01 make_a_file.txt

@mmontes11
Contributor Author

mmontes11 commented Jul 4, 2024

> Think it's fair to add USER and/or remove the gosu exec dance?

That would be ideal, yes, but it might not be a trivial refactor. The USER statement would work regardless having the gosu dance or not. I leave it up to you 😄

@tianon
Contributor

tianon commented Jul 9, 2024

That might work for podman, but doesn't work for Docker:

$ docker run -it --rm --user 1000:1000 --volume foo:/foo bash ls -ld /foo
drwxr-xr-x    2 root     root          4096 Jul  9 18:37 /foo

@tianon
Contributor

tianon commented Jul 9, 2024

You could set USER by default and let users who need to tip the "security vs usability" teeter-totter back in the other direction explicitly run as root (such that the container can then adjust/fixup permissions automatically, like it does now, especially for bind mounts where image permission propagation doesn't ever happen), but then you've got to manage the breaking change / expectations / communications with your users. 🙈
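The trade-off in the comment above, written out as an added example that is not the mariadb image's actual entrypoint: a two-path startup in which a container started as root (explicitly, via `--user root`) repairs data-directory ownership and then drops to the service account (the "gosu exec dance" mentioned earlier in the thread), while a container started under the image's USER or another `--user` runs directly and refuses early, with a clear message, when the volume belongs to someone else, which is the Docker case shown above where the named volume comes up root-owned. The data directory path, the `mysql` account, `gosu` and `mariadbd` as the server command are assumptions for illustration; the decision is kept in a pure function so it can be checked without a container runtime.

```shell
#!/bin/sh
# Added example (not the mariadb image's real entrypoint): root-or-not startup
# logic for a data directory on a volume. DATADIR, the mysql account, gosu and
# mariadbd are illustrative assumptions.

DATADIR="${DATADIR:-/var/lib/mysql}"

# startup_plan CUR_UID OWNER_UID SERVICE_UID -> one of:
#   fixup-then-drop  running as root, volume owned by someone else: chown, then drop
#   drop             running as root, ownership already right: just drop privileges
#   direct           running unprivileged and the volume is ours: run as-is
#   refuse           running unprivileged but the volume is not ours: cannot fix it
startup_plan() {
  cur_uid="$1"; owner_uid="$2"; service_uid="$3"
  if [ "$cur_uid" = "0" ]; then
    # Only root can repair ownership; this is what bind mounts rely on, since
    # image-layer ownership never propagates to them.
    if [ "$owner_uid" = "$service_uid" ]; then echo "drop"; else echo "fixup-then-drop"; fi
  else
    # Under USER (or --user N) there is no privilege to chown, so the volume
    # must already be owned by the uid we run as.
    if [ "$owner_uid" = "$cur_uid" ]; then echo "direct"; else echo "refuse"; fi
  fi
}

# run_entrypoint ARGS... -> executes the plan for the real process.
run_entrypoint() {
  owner_uid=$(stat -c '%u' "$DATADIR" 2>/dev/null || echo unknown)
  service_uid=$(id -u mysql 2>/dev/null || echo unknown)
  case "$(startup_plan "$(id -u)" "$owner_uid" "$service_uid")" in
    fixup-then-drop)
      chown -R mysql:mysql "$DATADIR"
      exec gosu mysql mariadbd "$@" ;;
    drop)
      exec gosu mysql mariadbd "$@" ;;
    direct)
      exec mariadbd "$@" ;;
    refuse)
      echo "error: $DATADIR is owned by uid $owner_uid, not by uid $(id -u); start once with --user root so ownership can be fixed" >&2
      exit 1 ;;
  esac
}

# Opt-in execution so the file can be sourced for inspection without starting anything.
if [ "${RUN_ENTRYPOINT:-0}" = "1" ]; then
  run_entrypoint "$@"
fi
```

With `USER mysql` in the image, the default path is `direct`: the container never holds root, and ownership problems surface as an explicit `refuse` rather than as a late permission error from the server. Operators who need the automatic fix-up for a bind mount opt back in with `--user root`, which is the documented trade-off above, with the breaking-change communication still to be managed.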

@grooverdan
Member

merged c52e778.
