[Bug] Enhanced security-context in runtime environment not (fully) usable #158

New Issue

Closed

opened 2021-05-14 15:32:33 +00:00 by justusbunsi · 0 comments

justusbunsi commented 2021-05-14 15:32:33 +00:00 (Migrated from gitea.com)

Copy Link

Hi,

today was security day for me. 😄 I tried to get the rootless container image up and running as secure as possible using the official helm chart. Therefore the full list of securityContext options were uncommented. Despite the database default, no other value of the chart was modified. Unfortunately, the setup doesn't quite work as expected. My results after several hours of experimenting with it:

Both images default and rootless are quite different but they both have issues with a strict securityContext. The current helm chart seems to be focused on the default one, since all it's scripts, paths, etc. are hard coded to /data/.... This works well for the default one but kind of breaks the logic of the rootless image. There are some small changes that could improve the stability of the helm chart, e.g use paths inside the container depending on the used image, ensure that filesystem permissions are properly set so that a container - not allowing privilege escalation - does not interfere with the init scripts and Giteas functionality. At the moment Gitea cannot start due to missing write permissions on /data/gitea directory for the git user. This user is used in such a strict context.

My issue might be related to #155 but is not the same.

I'll provide a PR with my suggested changes when I have spotted all the tricky bits.

PS: There are some changes that needs to be made in Gitea itself to allow a readonly root filesystem. I opened an issue on Github.

---

Sum-up:
Both images work fine using /data with disabled securityContext options. When enabling these options the TMPDIR environment variable has to be changed from /tmp to another (sub-)directory since it's kind of restricted in a readOnlyRootFilesystem environment. Otherwise creating a repository does not work. There is a PR to fix this. The previously mentioned Github issue will add the TMPDIR environment variable set to /tmp/gitea in the rootless image as default value.

Hi, today was security day for me. :smile: I tried to get the rootless container image up and running as secure as possible using the official helm chart. Therefore the full list of `securityContext` options were uncommented. Despite the database default, no other value of the chart was modified. Unfortunately, the setup doesn't quite work as expected. My results after several hours of experimenting with it: Both images default and rootless are quite different but they both have issues with a strict `securityContext`. The current helm chart seems to be focused on the default one, since all it's scripts, paths, etc. are hard coded to `/data/...`. This works well for the default one but kind of breaks the logic of the rootless image. ~~There are some small changes that could improve the stability of the helm chart, e.g use paths inside the container depending on the used image, ensure that filesystem permissions are properly set so that a container - not allowing privilege escalation - does not interfere with the init scripts and Giteas functionality. At the moment Gitea cannot start due to missing write permissions on /data/gitea directory for the git user. This user is used in such a strict context.~~ ~~My issue might be related to #155 but is not the same.~~ I'll provide a PR with my suggested changes when I have spotted all the tricky bits. PS: There are some changes that needs to be made in Gitea itself to allow a readonly root filesystem. I opened an [issue on Github](https://github.com/go-gitea/gitea/issues/15875). --------- Sum-up: Both images work fine using `/data` with disabled `securityContext` options. When enabling these options the `TMPDIR` environment variable has to be changed from `/tmp` to another (sub-)directory since it's kind of restricted in a `readOnlyRootFilesystem` environment. Otherwise creating a repository does not work. There is a PR to fix this. The previously mentioned Github issue will add the `TMPDIR` environment variable set to `/tmp/gitea` in the rootless image as default value.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

No results found.

v10.6.0

v10.5.0

v10.4.1

v10.4.0

v10.3.0

v10.2.0

v10.1.4

v10.1.3

v10.1.2

v10.1.1

v10.1.0

v10.0.2

v10.0.1

v10.0.0

v9.6.1

v9.6.0

v9.5.1

v9.5.0

v9.4.0

v9.3.0

v9.2.1

v9.2.0

v9.1.0

v9.0.4

v9.0.3

v9.0.2

v9.0.1

v9.0.0

v8.3.0

v8.2.0

v8.1.0

v8.0.3

v8.0.2

v8.0.1

v8.0.0

v7.0.4

v7.0.3

v7.0.2

v7.0.1

v7.0.0

v6.0.5

v6.0.4

v6.0.3

v6.0.2

v6.0.1

v6.0.0

v5.0.9

v5.0.8

v5.0.7

v5.0.6

v5.0.5

v5.0.4

v5.0.3

v5.0.2

v5.0.1

v5.0.0

v4.1.1

v4.1.0

v4.0.3

v4.0.2

v4.0.1

v4.0.0

v3.1.4

v3.1.3

v3.1.2

v3.1.1

v3.1.0

v3.0.0

v2.2.5

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.11

v2.1.10

v2.1.9

v2.1.8

v2.1.7

v2.1.6

v2.1.5

v2.1.4

v2.1.3

v2.1.2

v2.1.1

v2.1.0

v2.0.7

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.0

v1.5.5

v1.5.4

v1.5.3

v1.5.2

v1.5.1

v1.5.0

v1.4.9

v1.4.8

v1.4.7

v1.4.6

v1.4.5

v1.4.4

v1.4.3

v1.4.2

Labels

Clear labels

has/backport

in progress

invalid

kind/breaking

kind/bug

kind/build

kind/dependency

kind/deployment

kind/docs

kind/enhancement

kind/feature

kind/lint

kind/proposal

kind/question

kind/refactor

kind/security

kind/testing

kind/translation

kind/ui

need/backport

priority/critical

priority/low

priority/maybe

priority/medium

reviewed/duplicate

reviewed/invalid

reviewed/wontfix

skip-changelog

status/blocked

status/needs-feedback

status/needs-reviews

status/wip

upstream/gitea

upstream/other

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: lunny/helm-chart#158

No description provided.