Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RHOAIENG-72: Specify numeric UID in Dockerfiles #348

Merged
merged 1 commit into from
Jun 19, 2024
Merged

RHOAIENG-72: Specify numeric UID in Dockerfiles #348

merged 1 commit into from
Jun 19, 2024

Conversation

jiridanek
Copy link
Member

@jiridanek jiridanek commented Jun 14, 2024
edited
Loading

https://issues.redhat.com/browse/RHOAIENG-72

This resolves the

Error: container has runAsNonRoot and image has non-numeric user (rhods), cannot verify user is non-root

issue.

OpenShift (by default)
runs images under a random user id and the root user group.

See https://access.redhat.com/documentation/cn/openshift_container_platform/4.15/html/images/creating-images#use-uid_create-images

Description

How Has This Been Tested?

Merge criteria:

  • The commits are squashed in a cohesive manner and have meaningful messages.
  • Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
  • The developer has manually tested the changes and verified that the changes work

@jiridanek
RHOAIENG-72: Specify numeric UID in Dockerfiles
f51ed22 
This resolves the

```
Error: container has runAsNonRoot and image has non-numeric user (rhods), cannot verify user is non-root
```

issue.

OpenShift (by default)
runs images under a random user id and the root user group.

See https://access.redhat.com/documentation/cn/openshift_container_platform/4.15/html/images/creating-images#use-uid_create-images
@openshift-ci openshift-ci bot requested review from atheo89 and caponetto June 14, 2024 13:10
@atheo89
Copy link
Member

atheo89 commented Jun 14, 2024

/lgtm

@openshift-ci openshift-ci bot added the lgtm label Jun 14, 2024
jstourac
jstourac reviewed Jun 14, 2024
View reviewed changes
components/notebook-controller/Dockerfile
@@ -57,6 +57,6 @@ COPY --from=builder /workspace/notebook-controller/bin/manager /manager
COPY --from=builder /workspace/notebook-controller/third_party/license.txt third_party/license.txt

## Switch to a non-root user
USER rhods
USER 1001:0
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is the reason to include also GID here?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OpenShift default is to set random uid and 0 gid, https://access.redhat.com/documentation/cn/openshift_container_platform/4.15/html/images/creating-images#use-uid_create-images

I feel like we should keep close to that

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well, I read this link before, since you have it in the description... so I probably missed something here.
My point is - why setting also GID here as it is 0 by default anyway. From your answer, I understand that it's just a precaution, correct?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Exactly.

@jstourac
Copy link
Member

FTR https://issues.redhat.com/browse/RHOAIENG-72

@jiridanek jiridanek requested a review from harshad16 June 18, 2024 09:11
@atheo89
Copy link
Member

atheo89 commented Jun 19, 2024

thanks for your patience waiting for approval!
/approve

@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Jun 19, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: atheo89, jstourac

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jiridanek
Copy link
Member Author

Thanks!

@jiridanek
Copy link
Member Author

/retest

1 similar comment
@jiridanek
Copy link
Member Author

/retest

@openshift-merge-bot openshift-merge-bot bot merged commit 35b81f5 into opendatahub-io:v1.7-branch Jun 19, 2024
11 checks passed
@harshad16
Copy link
Member

/cherrypick stable

@openshift-cherrypick-robot openshift-cherrypick-robot mentioned this pull request Jun 21, 2024
Merged
@openshift-cherrypick-robot
Copy link

@harshad16: new pull request created: #356

In response to this:

/cherrypick stable

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@jiridanek jiridanek deleted the jd_rhoaieng-72 branch June 26, 2024 09:33
@jiridanek jiridanek mentioned this pull request Jun 30, 2024
Merged
@jiridanek jiridanek mentioned this pull request Jan 13, 2025
Merged
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jstourac jstourac jstourac approved these changes

@atheo89 atheo89 Awaiting requested review from atheo89

@caponetto caponetto Awaiting requested review from caponetto

@harshad16 harshad16 Awaiting requested review from harshad16

Assignees

@jstourac jstourac

@atheo89 atheo89

Labels
approved lgtm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@jiridanek @atheo89 @jstourac @harshad16 @openshift-cherrypick-robot