[Bug] Enhanced security-context in runtime environment not (fully) usable #158
Labels
No Label
has
backport
in progress
invalid
kind
breaking
kind
bug
kind
build
kind
dependency
kind
deployment
kind
docs
kind
enhancement
kind
feature
kind
lint
kind
proposal
kind
question
kind
refactor
kind
security
kind
testing
kind
translation
kind
ui
need
backport
priority
critical
priority
low
priority
maybe
priority
medium
reviewed
duplicate
reviewed
invalid
reviewed
wontfix
skip-changelog
status
blocked
status
needs-feedback
status
needs-reviews
status
wip
upstream
gitea
upstream
other
No Milestone
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: gitea/helm-chart#158
Loading…
Reference in New Issue
Block a user
No description provided.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Hi,
today was security day for me. 😄 I tried to get the rootless container image up and running as secure as possible using the official helm chart. Therefore the full list of
securityContext
options were uncommented. Despite the database default, no other value of the chart was modified. Unfortunately, the setup doesn't quite work as expected. My results after several hours of experimenting with it:Both images default and rootless are quite different but they both have issues with a strict
securityContext
. The current helm chart seems to be focused on the default one, since all it's scripts, paths, etc. are hard coded to/data/...
. This works well for the default one but kind of breaks the logic of the rootless image.There are some small changes that could improve the stability of the helm chart, e.g use paths inside the container depending on the used image, ensure that filesystem permissions are properly set so that a container - not allowing privilege escalation - does not interfere with the init scripts and Giteas functionality. At the moment Gitea cannot start due to missing write permissions on /data/gitea directory for the git user. This user is used in such a strict context.My issue might be related to #155 but is not the same.I'll provide a PR with my suggested changes when I have spotted all the tricky bits.
PS: There are some changes that needs to be made in Gitea itself to allow a readonly root filesystem. I opened an issue on Github.
Sum-up:
Both images work fine using
/data
with disabledsecurityContext
options. When enabling these options theTMPDIR
environment variable has to be changed from/tmp
to another (sub-)directory since it's kind of restricted in areadOnlyRootFilesystem
environment. Otherwise creating a repository does not work. There is a PR to fix this. The previously mentioned Github issue will add theTMPDIR
environment variable set to/tmp/gitea
in the rootless image as default value.