Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

 

Daniel Nashed

 

Domino Docker Project update -- OpenShift support & Podman+Docker+K8s support for "arbitrarily assigned user ID"

Daniel Nashed  15 March 2020 11:49:55


A couple of days ago I got a request from Daniele Vistalli, a fellow HCL Master, who needs support to run Domino on Kubernetes (K8s) with a so-called "arbitrarily assigned user ID".
He and the team around him are doing incredible work to finalize Factor-y's MSP offering, which includes Domino on K8s as part of their platform.
Running each container with a distinct UID is an important security aspect when offering cloud services: it separates data between containers, and even more importantly between tenants.

On OpenShift the "arbitrarily assigned user ID" is a hard requirement for an image to run: the platform, not the image, decides which UID the container runs with, as a security best practice.
A container is already quite well isolated without it. But to reduce the exposure from potential security issues, OpenShift not only forbids running a container as root, it also reserves a UID range per project and starts each container with a UID from that range, on the fly.

Quote from a RedHat technote:
"When OpenShift starts a container, it uses an arbitrarily assigned user ID.
This feature helps to ensure that if an application from within a container manages to break out to the host,
it won’t be able to interact with other processes and containers owned by other users, in other projects."
(1)

K8s doesn't have this strict requirement. But in Docker and K8s you can specify a UID manually when the container is started.
On Docker the command line option is e.g. --user 1234; the K8s equivalent is runAsUser in the pod or container securityContext.
But this causes issues with "whoami" and other code that looks up the user name for the current UID, because that UID has no entry in /etc/passwd.
So we had to add code to modify /etc/passwd in a safe way (a helper that runs with root permissions via the setuid bit -- like bindsock does).

OpenShift and also Podman in current versions automatically modify /etc/passwd and add the UID, with its numeric value as the user name, like this:

notes:x:1000:1000::/home/notes:/bin/bash
1025570000:x:1025570000:0:1025570000 user:/:/sbin/nologin

"The OpenShift run-time CRI-O (starting from OpenShift 4.2 onward) now inserts the random user for the container into /etc/passwd." (1)

So on OpenShift, and also when you use Podman (which shares its container libraries with CRI-O), the platform already takes care of adding the UID to /etc/passwd.

For older versions and also for Docker/K8s, the work-around is to rewrite the "notes" entry in /etc/passwd with the UID the container was started with and group 0 (the group an arbitrary UID runs with on OpenShift).
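As an added example (not code from the domino-docker project), here is a POSIX shell entrypoint helper that covers both situations described above: it leaves /etc/passwd alone when the runtime (OpenShift 4.2+, Podman) already inserted the UID, and rewrites the "notes" entry when the container was started with a bare --user / runAsUser. The function name, the "notes" account and the parameterized passwd path are assumptions made so the code can be exercised on a constructed copy of the file instead of the real /etc/passwd.

```shell
#!/bin/sh
# Added example (not code from the domino-docker project): an entrypoint
# helper that makes an arbitrarily assigned UID resolvable through
# /etc/passwd, covering both situations described in the post.
#
# Assumptions (hypothetical): the image's service account is "notes", and the
# passwd file path is a parameter so the function can be exercised on a
# constructed copy instead of the real /etc/passwd.

# ensure_passwd_entry PASSWD_FILE UID GID
# Prints "present" when UID already resolves, "rewritten" after fixing it up.
ensure_passwd_entry() {
    passwd_file="$1"   # normally /etc/passwd
    uid="$2"           # UID the container runs with: $(id -u)
    gid="$3"           # primary GID: $(id -g), which is 0 on OpenShift
    name="notes"

    # Case 1: the UID already has an entry. This is what OpenShift 4.2+ and
    # Podman produce (e.g. "1025570000:x:1025570000:0:...") or the image was
    # started with the UID it was built for. Nothing to do.
    if awk -F: -v u="$uid" '$3 == u { found = 1 } END { exit !found }' "$passwd_file"; then
        echo "present"
        return 0
    fi

    # Case 2 (plain Docker --user / K8s runAsUser): no entry for the runtime
    # UID. Rewrite the "notes" line with the current UID/GID so whoami and
    # getpwuid() resolve to a real account; append one if the line is missing.
    tmp="$(mktemp)" || return 1
    awk -F: -v OFS=: -v u="$uid" -v g="$gid" -v name="$name" '
        $1 == name { $3 = u; $4 = g; updated = 1 }
        { print }
        END { if (!updated) print name, "x", u, g, name " user", "/home/" name, "/bin/bash" }
    ' "$passwd_file" > "$tmp" || { rm -f "$tmp"; return 1; }

    # Overwrite in place with cat rather than mv: this keeps the owner and mode
    # of the existing file (root-owned, or g+w if the image grants the root
    # group write access at build time) and works when the directory itself,
    # like /etc, is not writable by the runtime user.
    cat "$tmp" > "$passwd_file"
    rm -f "$tmp"
    echo "rewritten"
}

# Constructed sample passwd files (not from a real system) exercising both cases.
demo_docker_style() {
    # Docker/K8s: started as UID 1025570000, GID 0, no entry for that UID yet.
    f="$(mktemp)"
    printf 'root:x:0:0:root:/root:/bin/bash\nnotes:x:1000:1000::/home/notes:/bin/bash\n' > "$f"
    status="$(ensure_passwd_entry "$f" 1025570000 0)"
    echo "$status $(grep '^notes:' "$f")"
    rm -f "$f"
}

demo_openshift_style() {
    # OpenShift 4.2+/Podman: the runtime already inserted the UID; leave it alone.
    f="$(mktemp)"
    printf 'notes:x:1000:1000::/home/notes:/bin/bash\n1025570000:x:1025570000:0:1025570000 user:/:/sbin/nologin\n' > "$f"
    status="$(ensure_passwd_entry "$f" 1025570000 0)"
    echo "$status $(grep -c '' "$f")"
    rm -f "$f"
}

# Typical entrypoint usage: ensure_passwd_entry /etc/passwd "$(id -u)" "$(id -g)"
```

To try the Docker/K8s path, start the container with `docker run --user 1025570000:0 ...` or set `runAsUser: 1025570000` and `runAsGroup: 0` in the pod securityContext. Whichever path is taken, the rewrite can only succeed if /etc/passwd is writable by the runtime user, either through a setuid root helper as the post describes or by granting the root group write access to the file at image build time; the function deliberately keeps the file's existing owner and mode rather than replacing it.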

So depending on the container platform there are different approaches.
I have tested the different images for CentOS 7 and RedHat UBI 8 on all the platforms. And it looks good so far.
The changes are checked into the development tree --> https://github.com/IBM/domino-docker/tree/develop

Besides those changes I also moved all the scripts into a central location, /domino-docker/scripts, and made sure only root has write permissions to this folder.
This is also the preparation for future extensibility, so that partners can have their own hook points executed, for example during server configuration or startup.

If you want to get your hands on OpenShift, there is a free 30-day trial offering directly from RedHat --> https://manage.openshift.com.
You are up and running in minutes; it has a very clean graphical interface and provides the "oc" command line tool, which offers all the kubectl commands plus the OpenShift-specific ones.


-- Daniel


(1) Reference: https://access.redhat.com/articles/4859371
