[Bug] Enhanced security-context in runtime environment not (fully) usable #158

Closed
opened 2021-05-14 15:32:33 +00:00 by justusbunsi (Member) · 0 comments

Hi,

today was security day for me. 😄 I tried to get the rootless container image up and running as secure as possible using the official helm chart. Therefore the full list of `securityContext` options were uncommented. Despite the database default, no other value of the chart was modified. Unfortunately, the setup doesn't quite work as expected. My results after several hours of experimenting with it:

Both images default and rootless are quite different but they both have issues with a strict `securityContext`. The current helm chart seems to be focused on the default one, since all its scripts, paths, etc. are hard coded to `/data/...`. This works well for the default one but kind of breaks the logic of the rootless image. ~~There are some small changes that could improve the stability of the helm chart, e.g. use paths inside the container depending on the used image, ensure that filesystem permissions are properly set so that a container - not allowing privilege escalation - does not interfere with the init scripts and Gitea's functionality. At the moment Gitea cannot start due to missing write permissions on the `/data/gitea` directory for the git user. This user is used in such a strict context.~~ ~~My issue might be related to #155 but is not the same.~~

I'll provide a PR with my suggested changes when I have spotted all the tricky bits.

PS: There are some changes that need to be made in Gitea itself to allow a read-only root filesystem. I opened an [issue on Github](https://github.com/go-gitea/gitea/issues/15875).

---------

Sum-up: Both images work fine using `/data` with disabled `securityContext` options. When enabling these options the `TMPDIR` environment variable has to be changed from `/tmp` to another (sub-)directory since it's kind of restricted in a `readOnlyRootFilesystem` environment. Otherwise creating a repository does not work. There is a PR to fix this. The previously mentioned Github issue will add the `TMPDIR` environment variable set to `/tmp/gitea` in the rootless image as default value.
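The failure mode described in the sum-up (a strict `securityContext` with `readOnlyRootFilesystem: true` leaves the image's own `/tmp` unwritable, so Gitea cannot create temporary files while creating a repository) and the fix the author settled on (point `TMPDIR` at a writable mounted directory) can be expressed as a plain Kubernetes manifest. The manifest below is an added example, not the issue author's PR and not part of the gitea helm chart; the image tag, the PVC name and the git user's UID/GID are placeholders or assumptions and must be checked against the image actually deployed.

```yaml
# Added example: a rootless Gitea pod with a strict securityContext.
# Not from the issue or the helm chart. Placeholders: image tag, PVC name.
# Assumption: the rootless image runs Gitea as the "git" user with UID/GID 1000;
# verify the real values for the image you deploy before using them.
apiVersion: v1
kind: Pod
metadata:
  name: gitea-rootless-strict
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000    # assumption, see comment above
    runAsGroup: 1000   # assumption, see comment above
    fsGroup: 1000      # makes the mounted volumes writable for the git user
  containers:
    - name: gitea
      image: gitea/gitea:<version>-rootless   # placeholder tag
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
      env:
        # Broken variant (what the issue hit): leave TMPDIR unset, so it resolves to
        # the container's /tmp, which is read-only here and has no volume behind it.
        # Fixed variant: point TMPDIR at a directory that is backed by a writable
        # volume. The issue uses /tmp/gitea, which the linked Gitea issue will also
        # make the rootless image's default.
        - name: TMPDIR
          value: /tmp/gitea
      volumeMounts:
        - name: data
          mountPath: /data          # the chart's hard coded data path, per the issue
        - name: tmp
          mountPath: /tmp/gitea     # writable scratch space matching TMPDIR
  volumes:
    - name: data
      persistentVolumeClaim:
        claimName: gitea-data       # placeholder PVC name
    - name: tmp
      emptyDir: {}
```

The two pieces have to agree: `TMPDIR` must name a path that sits inside a mounted writable volume, otherwise `readOnlyRootFilesystem` turns every temporary-file write into an error. A quick check after deployment is to run `sh -c 'touch "$TMPDIR/probe" && echo writable'` inside the container with `kubectl exec`; if it fails, the `TMPDIR` value and the `tmp` mount do not line up. The `fsGroup` setting addresses the other point in the issue, the git user lacking write permission on the mounted `/data` directory, without granting the container any privilege escalation.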
Reference: gitea/helm-chart#158