
Update shell-image to current gcr.io/distroless/base:debug-nonroot SHA #3048

Closed
skaegi opened this issue Aug 3, 2020 · 10 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.

Comments

@skaegi
Contributor

skaegi commented Aug 3, 2020

In #2999 I updated to the latest gcr.io/distroless/base:debug
... it should have been to the latest gcr.io/distroless/base:debug-nonroot

@skaegi skaegi added the kind/bug Categorizes issue or PR as related to a bug. label Aug 3, 2020
@dlorenc
Contributor

dlorenc commented Aug 5, 2020

Will this cause any trouble like we just saw with the pr init container? #3055

@vdemeester
Member

@dlorenc #3002 legit failure tends to agree with you 😉

@vdemeester
Member

So we are running in a pickle. If we start running the internal "containers" as user (with the non-root images), we are running into trouble as soon as users run their tasks as root. The pull-request failure in v0.15.0 is a good example of that.

Using gcr.io/distroless/base:debug-nonroot causes a legit failure (on the CI, as #3002 showed before I removed that part of the change). There is a bigger story to discuss and fix here than just switching to those images.

  • If we are running internal containers as user, the user containers should also run as user. Overall we should try to aim for this.
  • If the user wants / needs to run containers as root, then we need to run our internal containers as root too; otherwise we end up with broken behavior.
  • Platforms like OpenShift do some magic to run everything as a random uid by default. The explicit non-root approach sometimes leads to weird behavior on this platform (because it forces a uid).

This means:

  • we need to recommend that users run their containers as user (and in the catalog too)
  • we may want to have an option to let the user be explicit about whether they want to run tasks as user or root (and maybe have some default)

I think this will need a TEP 🙃

@ghost

ghost commented Aug 17, 2020

+1 to a TEP.

Similarly connected is the problem of home directories for those users. I think any requirement or docs around the UID of Steps also has to take into consideration the $HOME directory of those UIDs. This typically means having an entry in /etc/passwd, which a loooooot of images do not offer by default for any non-root users. I think OpenShift generates these entries (part of the magic)?
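
The uid and $HOME problems raised in the two comments above (internal containers and user steps running as different uids, and a non-root uid with no /etc/passwd entry), turned into a static check. This is an added example, not Tekton's own code and not code posted by anyone in this thread. It parses an image's /etc/passwd, resolves a uid's home directory the way getpwuid() would, and flags steps whose uid differs from the uid the internal containers run as, or whose non-root uid has no passwd entry. The internal uid 65532, the step names, and both passwd files are constructed assumptions for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// PasswdEntry is one record of /etc/passwd (name:x:uid:gid:gecos:home:shell).
type PasswdEntry struct {
	Name string
	UID  int
	GID  int
	Home string
}

// ParsePasswd parses /etc/passwd content into a uid-keyed map. Blank lines,
// comments and malformed records are skipped rather than treated as users.
func ParsePasswd(content string) map[int]PasswdEntry {
	entries := map[int]PasswdEntry{}
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Split(line, ":")
		if len(f) != 7 {
			continue
		}
		uid, errU := strconv.Atoi(f[2])
		gid, errG := strconv.Atoi(f[3])
		if errU != nil || errG != nil {
			continue
		}
		entries[uid] = PasswdEntry{Name: f[0], UID: uid, GID: gid, Home: f[5]}
	}
	return entries
}

// HomeFor resolves the home directory that getpwuid() would return for uid
// inside an image with this /etc/passwd. ok=false means no entry exists, so
// tools that consult the passwd database (git, ssh, gpg, ...) get no $HOME.
func HomeFor(passwd map[int]PasswdEntry, uid int) (home string, ok bool) {
	e, found := passwd[uid]
	if !found {
		return "", false
	}
	return e.Home, true
}

// Step is the part of a Tekton step this check cares about: which uid it
// runs as (RunAsUser < 0 means "not pinned": the image default, or a
// platform-assigned random uid as on OpenShift) and its image's /etc/passwd.
type Step struct {
	Name      string
	RunAsUser int
	Passwd    string
}

// Finding is one problem the check found for a step.
type Finding struct {
	Step    string
	Problem string
}

// CheckRunConfig applies the two rules argued in the thread to a TaskRun-like
// configuration: (1) every step should run as the same uid as the internal
// init/sidecar containers, since a root/non-root mix on the shared workspace
// is the broken case described above; (2) a non-root uid needs an /etc/passwd
// entry in its image so $HOME resolves. Unpinned uids cannot be checked
// statically and are reported as such.
func CheckRunConfig(internalUID int, steps []Step) []Finding {
	var findings []Finding
	for _, s := range steps {
		if s.RunAsUser < 0 {
			findings = append(findings, Finding{s.Name,
				"runAsUser not set: effective uid is image- or platform-assigned and cannot be checked here"})
			continue
		}
		if s.RunAsUser != internalUID {
			findings = append(findings, Finding{s.Name,
				fmt.Sprintf("runs as uid %d but internal containers run as uid %d", s.RunAsUser, internalUID)})
		}
		if s.RunAsUser != 0 {
			if _, ok := HomeFor(ParsePasswd(s.Passwd), s.RunAsUser); !ok {
				findings = append(findings, Finding{s.Name,
					fmt.Sprintf("uid %d has no /etc/passwd entry in the step image, so $HOME cannot be resolved", s.RunAsUser)})
			}
		}
	}
	return findings
}

// Constructed sample data (assumption, not copied from any real image): a
// distroless-style passwd with a "nonroot" entry, and an image whose passwd
// only defines root.
const distrolessPasswd = `root:x:0:0:root:/root:/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/sbin/nologin
nonroot:x:65532:65532:nonroot:/home/nonroot:/sbin/nologin
`

const rootOnlyPasswd = `root:x:0:0:root:/root:/bin/sh
`

func main() {
	// Assumption: internal containers (shell-image, init containers) are pinned to uid 65532.
	steps := []Step{
		{Name: "build", RunAsUser: 65532, Passwd: distrolessPasswd},
		{Name: "push", RunAsUser: 0, Passwd: rootOnlyPasswd},
		{Name: "test", RunAsUser: 1000, Passwd: rootOnlyPasswd},
		{Name: "lint", RunAsUser: -1, Passwd: rootOnlyPasswd},
	}
	for _, f := range CheckRunConfig(65532, steps) {
		fmt.Printf("%s: %s\n", f.Step, f.Problem)
	}
}
```

The check is deliberately conservative: any uid mismatch is reported, because the thread describes both directions (root internal containers with non-root steps, and the reverse) as broken, and an unpinned uid is reported rather than guessed, since on a platform that assigns random uids the effective value is only known at admission time.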

@tekton-robot
Collaborator

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.

/lifecycle stale

Send feedback to tektoncd/plumbing.

@tekton-robot tekton-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 15, 2020
@vdemeester
Member

/remove-lifecycle stale

@tekton-robot tekton-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 16, 2020
@tekton-robot
Collaborator

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale with a justification.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle stale

Send feedback to tektoncd/plumbing.

@tekton-robot tekton-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 14, 2021
@tekton-robot
Collaborator

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle rotten

Send feedback to tektoncd/plumbing.

@tekton-robot tekton-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Mar 16, 2021
@tekton-robot
Collaborator

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen with a justification.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/close

Send feedback to tektoncd/plumbing.

@tekton-robot
Collaborator

@tekton-robot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen with a justification.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/close

Send feedback to tektoncd/plumbing.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

4 participants