lunny/helm-chart
1
0
Fork 1
Code Issues 36 Pull Requests 14 Actions Packages Projects Releases 93 Wiki Activity

Add support to run gitea with an optional securityContext #115

Merged
martencassel merged 1 commits from set_securitycontext into master 2021-03-01 12:16:49 +00:00
Conversation 12 Commits 1 Files Changed 1 -2
martencassel commented 2021-02-19 14:48:21 +00:00 (Migrated from gitea.com)
Copy Link

Add the option to initialize and run gitea with a securityContext.

Add the option to initialize and run gitea with a securityContext.
👍 2
Dunky13 commented 2021-02-22 15:15:21 +00:00 (Migrated from gitea.com)
Copy Link

Yes, but I find that when running with the following context:

securityContext:
  runAsNonRoot: true
  runAsUser: 1000
  runAsGroup: 1000

The init container fails with the following error: init su: must be suid to work properly

Yes, but I find that when running with the following context: ``` securityContext: runAsNonRoot: true runAsUser: 1000 runAsGroup: 1000 ``` The init container fails with the following error: `init su: must be suid to work properly`
Dunky13 commented 2021-02-23 14:30:00 +00:00 (Migrated from gitea.com)
Copy Link

What I found when trying this PR, is that Gitea required to run root (#120) on only from 1.14 rootless will be available, and only then this will work, as the current image requires root access

What I found when trying this PR, is that Gitea required to run root (#120) on only from 1.14 rootless will be available, and only then this will work, as the current image requires root access
luhahn commented 2021-02-23 15:55:22 +00:00 (Migrated from gitea.com)
Copy Link

Thanks for your PR i will check on this once 1.14 is the default image :)

Thanks for your PR i will check on this once 1.14 is the default image :)
martencassel commented 2021-02-23 16:26:53 +00:00 (Migrated from gitea.com)
Copy Link

We would like to run gitea as a specific uid in order to access NFS data via kerberos. I don't know if setting the uid is possible in the rootless work that is coming up.

https://github.com/go-gitea/gitea/issues/14780

We would like to run gitea as a specific uid in order to access NFS data via kerberos. I don't know if setting the uid is possible in the rootless work that is coming up. https://github.com/go-gitea/gitea/issues/14780
luhahn (Migrated from gitea.com) approved these changes 2021-02-24 08:43:04 +00:00
luhahn (Migrated from gitea.com) left a comment
Copy Link

Did not have a closer look into this issue yesterday sorry.

Of course we can merge this PR prior to 1.14 since it only adds the possibility to set a security context.

Did not have a closer look into this issue yesterday sorry. Of course we can merge this PR prior to 1.14 since it only adds the possibility to set a security context.
lafriks (Migrated from gitea.com) approved these changes 2021-03-01 12:16:14 +00:00
Starefossen commented 2021-03-03 08:45:42 +00:00 (Migrated from gitea.com)
Copy Link

I was hoping to improve the security for my Gitea installation with this. Unfortunately when setting the example as @Dunky13 posted I get the following error from the gitea container iteself (init is fine):

s6-svscan: fatal: unable to mkfifo .s6-svscan/control: Permission denied
I was hoping to improve the security for my Gitea installation with this. Unfortunately when setting the example as @Dunky13 posted I get the following error from the gitea container iteself (init is fine): ``` s6-svscan: fatal: unable to mkfifo .s6-svscan/control: Permission denied ```
Dunky13 commented 2021-03-03 08:52:18 +00:00 (Migrated from gitea.com)
Copy Link

I was hoping to improve the security for my Gitea installation with this. Unfortunately when setting the example as @Dunky13 posted I get the following error from the gitea container iteself (init is fine):

s6-svscan: fatal: unable to mkfifo .s6-svscan/control: Permission denied

https://gitea.com/gitea/helm-chart/pulls/115#issuecomment-313716
The security context doesn't work (yet), since it will be released in Gitea 1.14 - we are currently in 1.13. So waiting for the "rootless" release. The security context can only work when gitea doesn't require root access, as it does now

> I was hoping to improve the security for my Gitea installation with this. Unfortunately when setting the example as @Dunky13 posted I get the following error from the gitea container iteself (init is fine): > > ``` > s6-svscan: fatal: unable to mkfifo .s6-svscan/control: Permission denied > ``` > https://gitea.com/gitea/helm-chart/pulls/115#issuecomment-313716 The security context doesn't work (yet), since it will be released in Gitea 1.14 - we are currently in 1.13. So waiting for the "rootless" release. The security context can only work when gitea doesn't require root access, as it does now
Starefossen commented 2021-03-03 10:17:58 +00:00 (Migrated from gitea.com)
Copy Link

Yeah, realised it after I posted. A few things have changed with 1.14 so this might be a challenge for those who are using the Helm Chart I guess. Seams to have latest mostly working now on my setup.

Yeah, realised it after I posted. A few things have changed with 1.14 so this might be a challenge for those who are using the Helm Chart I guess. Seams to have `latest` mostly working now on my setup.
Starefossen commented 2021-03-03 10:25:06 +00:00 (Migrated from gitea.com)
Copy Link

@Dunky13 just tested with latest-rootless which is v1.14-dev, it failed with the error you posted. Wondering if securityContext should also be applied to the init container as well?

@Dunky13 just tested with `latest-rootless` which is v1.14-dev, it failed with the error you posted. Wondering if `securityContext` should also be applied to the init container as well?
Dunky13 commented 2021-03-03 11:51:50 +00:00 (Migrated from gitea.com)
Copy Link

@Starefossen I am not sure, haven't tested with rootless, as in the context I'm working in, I need a steady version number. Could possibly be the case. But would require some testing on a cluster either you, or if @luhahn has time & energy to put in that effort?

@Starefossen I am not sure, haven't tested with rootless, as in the context I'm working in, I need a steady version number. Could possibly be the case. But would require some testing on a cluster either you, or if @luhahn has time & energy to put in that effort?
Starefossen commented 2021-03-03 14:12:30 +00:00 (Migrated from gitea.com)
Copy Link

Ok, so the problem is init.yaml#L25:

su git -c ' \
Ok, so the problem is [init.yaml#L25](https://gitea.com/gitea/helm-chart/src/branch/master/templates/gitea/init.yaml#L25): ``` su git -c ' \ ```
Sign in to join this conversation.
Reviewers
No Reviewers
luhahn
lafriks
Labels
Clear labels
has/backport
in progress
invalid
kind/breaking
kind/bug
kind/build
kind/dependency
kind/deployment
kind/docs
kind/enhancement
kind/feature
kind/lint
kind/proposal
kind/question
kind/refactor
kind/security
kind/testing
kind/translation
kind/ui
need/backport
priority/critical
priority/low
priority/maybe
priority/medium
reviewed/duplicate
reviewed/invalid
reviewed/wontfix
skip-changelog
status/blocked
status/needs-feedback
status/needs-reviews
status/wip
upstream/gitea
upstream/other
No Label
kind/enhancement
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
lunny
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: lunny/helm-chart#115
No description provided.
Delete Branch "set_securitycontext"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?