Make image.rootless default to true to avoid chroot limit #432

New Issue

Closed

opened 2023-04-10 15:06:04 +00:00 by wxiaoguang · 6 comments

wxiaoguang commented 2023-04-10 15:06:04 +00:00 (Migrated from gitea.com)

Copy Link

It seems that some containers have limitations for chroot (SYS_CHROOT capability)

Users have to manually to make the containers support SYS_CHROOT, which is not a well-known knowledge.

I guess if make image.rootless default to true, there won't be any chroot problem any more?

It seems that some containers have limitations for `chroot` (SYS_CHROOT capability) Users have to manually to make the containers support SYS_CHROOT, which is not a well-known knowledge. I guess if make `image.rootless` default to true, there won't be any chroot problem any more?

pat-s commented 2023-04-10 20:56:27 +00:00 (Migrated from gitea.com)

Copy Link

I guess we could do it without causing major issues for existing setups. Using a rootless image is better anyhow.

A common environment in which this is anyhow required is Openshift.

@justusbunsi What is your opinion?

I guess we could do it without causing major issues for existing setups. Using a rootless image is better anyhow. A common environment in which this is anyhow required is Openshift. @justusbunsi What is your opinion?

justusbunsi commented 2023-04-10 21:10:19 +00:00 (Migrated from gitea.com)

Copy Link

Hm. It would definitely be a breaking change from a chart point of view and it seems there are necessary changes to be done beforehand (#396). Rootless images are for sure preferred over root-based ones. So I have nothing against such switch in a long run.

Hm. It would definitely be a breaking change from a chart point of view and it seems there are necessary changes to be done beforehand (#396). Rootless images are for sure preferred over root-based ones. So I have nothing against such switch in a long run.

justusbunsi commented 2023-04-10 21:11:45 +00:00 (Migrated from gitea.com)

Copy Link

As an alternative to making it default, we could add explicit security capabilities for the rootless image.

As an alternative to making it default, we could add explicit security capabilities for the rootless image.

justusbunsi commented 2023-04-10 21:17:15 +00:00 (Migrated from gitea.com)

Copy Link

From a ssh perspective: are existing openssh generated server keys compatible with the built-in ssh server from rootless image? If not this would be an issue.

From a ssh perspective: are existing openssh generated server keys compatible with the built-in ssh server from rootless image? If not this would be an issue.

pat-s commented 2023-04-11 21:47:50 +00:00 (Migrated from gitea.com)

Copy Link

Hm. It would definitely be a breaking change from a chart point of view and it seems there are necessary changes to be done beforehand (#396). Rootless images are for sure preferred over root-based ones. So I have nothing against such switch in a long run.

Good catch. Though arguably openshift is a special case (always) and I am not so sure if supporting it unconditionally would/should be the goal of all default chart settings. I think on a "normal" k8s there would probably be no issues.

From a ssh perspective: are existing openssh generated server keys compatible with the built-in ssh server from rootless image? If not this would be an issue.

I remember having switched from root to rootless at some time in our instance without facing any SSH related issues. So I'd say they're compatible.

As an alternative to making it default, we could add explicit security capabilities for the rootless image.

That would probably be good regardless of the switch to rootless.

> Hm. It would definitely be a breaking change from a chart point of view and it seems there are necessary changes to be done beforehand (#396). Rootless images are for sure preferred over root-based ones. So I have nothing against such switch in a long run. Good catch. Though arguably openshift is a special case (always) and I am not so sure if supporting it unconditionally would/should be the goal of all default chart settings. I think on a "normal" k8s there would probably be no issues. > From a ssh perspective: are existing openssh generated server keys compatible with the built-in ssh server from rootless image? If not this would be an issue. I remember having switched from root to rootless at some time in our instance without facing any SSH related issues. So I'd say they're compatible. > As an alternative to making it default, we could add explicit security capabilities for the rootless image. That would probably be good regardless of the switch to rootless.

pat-s commented 2023-05-28 16:34:16 +00:00 (Migrated from gitea.com)

Copy Link

From a ssh perspective: are existing openssh generated server keys compatible with the built-in ssh server from rootless image? If not this would be an issue.

I thought about this again. I assume that if this would be an issue, we would have heard of it in the main repo already as presumably many people already switched from rootfull to rootless since the existence of the rootless variant.

In addition, the change will be listed in the changelog and they can still go back to the rootfull image to continue like before.

Hence I'd say we can switch - I'll prepare a PR.

> From a ssh perspective: are existing openssh generated server keys compatible with the built-in ssh server from rootless image? If not this would be an issue. I thought about this again. I assume that if this would be an issue, we would have heard of it in the main repo already as presumably many people already switched from rootfull to rootless since the existence of the rootless variant. In addition, the change will be listed in the changelog and they can still go back to the rootfull image to continue like before. Hence I'd say we can switch - I'll prepare a PR.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

No results found.

v10.6.0

v10.5.0

v10.4.1

v10.4.0

v10.3.0

v10.2.0

v10.1.4

v10.1.3

v10.1.2

v10.1.1

v10.1.0

v10.0.2

v10.0.1

v10.0.0

v9.6.1

v9.6.0

v9.5.1

v9.5.0

v9.4.0

v9.3.0

v9.2.1

v9.2.0

v9.1.0

v9.0.4

v9.0.3

v9.0.2

v9.0.1

v9.0.0

v8.3.0

v8.2.0

v8.1.0

v8.0.3

v8.0.2

v8.0.1

v8.0.0

v7.0.4

v7.0.3

v7.0.2

v7.0.1

v7.0.0

v6.0.5

v6.0.4

v6.0.3

v6.0.2

v6.0.1

v6.0.0

v5.0.9

v5.0.8

v5.0.7

v5.0.6

v5.0.5

v5.0.4

v5.0.3

v5.0.2

v5.0.1

v5.0.0

v4.1.1

v4.1.0

v4.0.3

v4.0.2

v4.0.1

v4.0.0

v3.1.4

v3.1.3

v3.1.2

v3.1.1

v3.1.0

v3.0.0

v2.2.5

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.11

v2.1.10

v2.1.9

v2.1.8

v2.1.7

v2.1.6

v2.1.5

v2.1.4

v2.1.3

v2.1.2

v2.1.1

v2.1.0

v2.0.7

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.0

v1.5.5

v1.5.4

v1.5.3

v1.5.2

v1.5.1

v1.5.0

v1.4.9

v1.4.8

v1.4.7

v1.4.6

v1.4.5

v1.4.4

v1.4.3

v1.4.2

Labels

Clear labels

has/backport

in progress

invalid

kind/breaking

kind/bug

kind/build

kind/dependency

kind/deployment

kind/docs

kind/enhancement

kind/feature

kind/lint

kind/proposal

kind/question

kind/refactor

kind/security

kind/testing

kind/translation

kind/ui

need/backport

priority/critical

priority/low

priority/maybe

priority/medium

reviewed/duplicate

reviewed/invalid

reviewed/wontfix

skip-changelog

status/blocked

status/needs-feedback

status/needs-reviews

status/wip

upstream/gitea

upstream/other

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: lunny/helm-chart#432

No description provided.