lunny/helm-chart
1
0
Fork 1
Code Issues 36 Pull Requests 14 Actions Packages Projects Releases 93 Wiki Activity

[Bug] Enhanced security-context in runtime environment not (fully) usable #158

New Issue
Closed
opened 2021-05-14 15:32:33 +00:00 by justusbunsi · 0 comments
justusbunsi commented 2021-05-14 15:32:33 +00:00 (Migrated from gitea.com)
Copy Link

Hi,

today was security day for me. 😄 I tried to get the rootless container image up and running as secure as possible using the official helm chart. Therefore the full list of securityContext options were uncommented. Despite the database default, no other value of the chart was modified. Unfortunately, the setup doesn't quite work as expected. My results after several hours of experimenting with it:

Both images default and rootless are quite different but they both have issues with a strict securityContext. The current helm chart seems to be focused on the default one, since all it's scripts, paths, etc. are hard coded to /data/.... This works well for the default one but kind of breaks the logic of the rootless image. There are some small changes that could improve the stability of the helm chart, e.g use paths inside the container depending on the used image, ensure that filesystem permissions are properly set so that a container - not allowing privilege escalation - does not interfere with the init scripts and Giteas functionality. At the moment Gitea cannot start due to missing write permissions on /data/gitea directory for the git user. This user is used in such a strict context.

My issue might be related to #155 but is not the same.

I'll provide a PR with my suggested changes when I have spotted all the tricky bits.

PS: There are some changes that needs to be made in Gitea itself to allow a readonly root filesystem. I opened an issue on Github.

Sum-up:
Both images work fine using /data with disabled securityContext options. When enabling these options the TMPDIR environment variable has to be changed from /tmp to another (sub-)directory since it's kind of restricted in a readOnlyRootFilesystem environment. Otherwise creating a repository does not work. There is a PR to fix this. The previously mentioned Github issue will add the TMPDIR environment variable set to /tmp/gitea in the rootless image as default value.

Hi, today was security day for me. :smile: I tried to get the rootless container image up and running as secure as possible using the official helm chart. Therefore the full list of `securityContext` options were uncommented. Despite the database default, no other value of the chart was modified. Unfortunately, the setup doesn't quite work as expected. My results after several hours of experimenting with it: Both images default and rootless are quite different but they both have issues with a strict `securityContext`. The current helm chart seems to be focused on the default one, since all it's scripts, paths, etc. are hard coded to `/data/...`. This works well for the default one but kind of breaks the logic of the rootless image. ~~There are some small changes that could improve the stability of the helm chart, e.g use paths inside the container depending on the used image, ensure that filesystem permissions are properly set so that a container - not allowing privilege escalation - does not interfere with the init scripts and Giteas functionality. At the moment Gitea cannot start due to missing write permissions on /data/gitea directory for the git user. This user is used in such a strict context.~~ ~~My issue might be related to #155 but is not the same.~~ I'll provide a PR with my suggested changes when I have spotted all the tricky bits. PS: There are some changes that needs to be made in Gitea itself to allow a readonly root filesystem. I opened an [issue on Github](https://github.com/go-gitea/gitea/issues/15875). --------- Sum-up: Both images work fine using `/data` with disabled `securityContext` options. When enabling these options the `TMPDIR` environment variable has to be changed from `/tmp` to another (sub-)directory since it's kind of restricted in a `readOnlyRootFilesystem` environment. Otherwise creating a repository does not work. There is a PR to fix this. The previously mentioned Github issue will add the `TMPDIR` environment variable set to `/tmp/gitea` in the rootless image as default value.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
has/backport
in progress
invalid
kind/breaking
kind/bug
kind/build
kind/dependency
kind/deployment
kind/docs
kind/enhancement
kind/feature
kind/lint
kind/proposal
kind/question
kind/refactor
kind/security
kind/testing
kind/translation
kind/ui
need/backport
priority/critical
priority/low
priority/maybe
priority/medium
reviewed/duplicate
reviewed/invalid
reviewed/wontfix
skip-changelog
status/blocked
status/needs-feedback
status/needs-reviews
status/wip
upstream/gitea
upstream/other
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
lunny
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: lunny/helm-chart#158
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?