Re: [atomic-devel] Oneway - a way to drop privileges inside containers a

Re: [atomic-devel] Oneway - a way to drop privileges inside containers and lock it like that

From: Daniel J Walsh <dwalsh redhat com>

To: Muayyad AlSadi <alsadi gmail com>, atomic-devel <atomic-devel projectatomic io>

Subject: Re: [atomic-devel] Oneway - a way to drop privileges inside containers and lock it like that

Date: Tue, 6 Sep 2016 14:22:15 -0400

On 09/06/2016 02:16 PM, Muayyad AlSadi wrote:

I only want two processes

confd and my application (apache or php-fpm or node . or uwsgi ...)

The role of confd is to watch etcd/consul and update config when needed.

I guess systemd is overkill for such simple thing (I don't want ttys, crons, dbus, journald....)

systemd in a container would just run journald as well as systemd, not much more unless you tell it to.
Having journald would allow you to catch messages that httpd writes to syslog, but fine.

Apache is a well-established and it have a way to drop privileges but this is not the case with "node ."

I'm not sure about k8s no new priv.
Ex. I want confd as root and node as app.

I guess apache does not have nnp option.

On Tue, Sep 6, 2016, 9:05 PM Daniel J Walsh <dwalsh redhat com> wrote:

A couple of things. 1 you could use real systemd rather then using some
other init system.

Secondly and perhaps conflicting, is why not run apache as non root to
start rather then dropping

privs. Apache will run perfectly fine without requiring root privs.
Also you could set the NO_NEW_PRIVS

right in docker/k8s.

On 09/06/2016 01:46 PM, Muayyad AlSadi wrote:
>
> Hi,
>
> Typical fictional unicorn containers should have one process
>
> On practice it's actually processes of one concern ex. Apache
>
> One issue is that your entry point /start.sh should exec to replace
> the shell (so that application process would recieve signals)
>
> Since start.sh is pid 1 it has the responsibility to handle zombies.
> For this we can use yelp's dumb-init (which is almost to be pushed to
> official repo and already in copr)
>
> https://github.com/Yelp/dumb-init
>
> Typically our start.sh start confd in background using nohup
>
> Then I exec my application but I would like to drop privileges, first
> I used exec sudo or exec su but it wont replace the proces.
>
> I wrote a simple application that drop groups , supplementary groups
> and user
>
> Not only that but also it can optionally set
> PR_SET_NO_NEW_PRIVS with prctl
> So that it will never get more privileges even with sudo/su.
>
> What do you think?
>
> https://github.com/muayyad-alsadi/oneway/blob/master/README.md
>

Date Prev

Date Next

Thread Prev

Thread Next

Thread Index

Date Index

Author Index