It is a common good practice for Docker/Kubernetes to create a user who is not root to run the main process of the container of course, but it is also a good practice to make the user a member of the root group (which provides no special rights by itself and is not a security issue). This is especially true when running containers in OpenShift. Please see the OpenShift official guidelines:
By default, OpenShift Enterprise runs containers using an arbitrarily assigned user ID. This provides additional security against processes escaping the container due to a container engine vulnerability and thereby achieving escalated permissions on the host node.
For an image to support running as an arbitrary user, directories and files that may be written to by processes in the image should be owned by the root group and be read/writable by that group. Files to be executed should also have group execute permissions.
Adding the following to your Dockerfile sets the directory and file permissions to allow users in the root group to access them in the built image:
RUN chgrp -R 0 /some/directory && chmod -R g+rwX /some/directory
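An added example, not part of the original issue or of the OpenShift documentation: a POSIX shell check that lists every path under a directory that does not meet the guidelines quoted above (owned by the root group, group read/write, group execute wherever `chmod g+rwX` would set it). The function name `audit_arbitrary_uid` and its optional GID argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a directory tree against the arbitrary-UID guidance.
# audit_arbitrary_uid and its optional GID argument are hypothetical names.

audit_arbitrary_uid() {
    au_dir=$1
    au_gid=${2:-0}   # root group by default; overridable for unprivileged testing

    if [ ! -d "$au_dir" ]; then
        echo "audit_arbitrary_uid: not a directory: $au_dir" >&2
        return 2
    fi

    # A path is reported when any of these holds:
    #   - it is not owned by the expected group
    #   - it lacks group read or group write
    #   - it is a directory without group execute (cannot be traversed)
    #   - it is a file executable by owner or others but not by the group
    # The last two mirror what the capital X in "chmod g+rwX" would set.
    # Symlinks are skipped: their own mode bits do not govern access.
    au_bad=$(find "$au_dir" ! -type l \( \
            ! -group "$au_gid" \
            -o ! -perm -060 \
            -o -type d ! -perm -010 \
            -o -type f \( -perm -100 -o -perm -001 \) ! -perm -010 \
        \) -print)

    if [ -n "$au_bad" ]; then
        printf '%s\n' "$au_bad"
        return 1
    fi
    return 0
}

# Command-line use: sh audit.sh /some/directory [gid]
if [ "$#" -gt 0 ]; then
    audit_arbitrary_uid "$@"
fi
```

An empty listing with exit status 0 means the tree already matches what the `chgrp -R 0 ... && chmod -R g+rwX ...` line produces; any listed path would fail for a process running under an arbitrarily assigned user ID.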