gitea/helm-chart
45
55
Fork 125
Code Issues 32 Pull Requests 8 Actions Releases 87 Activity

SSH not working due to container capability constraints. #161

New Issue
Closed
opened 2021-05-18 12:01:48 +00:00 by krist · 6 comments
krist commented 2021-05-18 12:01:48 +00:00
Copy Link

Gitea 1.31.2, Kubernets 1.21.1

TLDR;

I setup gitea 1.14.2 on a kubernetes 1.21.1 cluster, using the helm charts. Everything worked except for pushing to the repository using ssh.

I investigated this and found out that this was due to the default capabilities of the container runtime I use (cri-o) not permitting a container to execute a chroot.

The solution is to add the SYS_CHROOT capability to the pod. You can do this in the helm chart

securityContext:
  capabilities:
    add: ["SYS_CHROOT"]

Suggest adding this to the docs.

Gitea 1.31.2, Kubernets 1.21.1 TLDR; I setup gitea 1.14.2 on a kubernetes 1.21.1 cluster, using the helm charts. Everything worked except for pushing to the repository using ssh. I investigated this and found out that this was due to the default capabilities of the container runtime I use (cri-o) not permitting a container to execute a chroot. The solution is to add the SYS_CHROOT capability to the pod. You can do this in the helm chart ``` securityContext: capabilities: add: ["SYS_CHROOT"] ``` Suggest adding this to the docs.
volker.raschek commented 2021-06-12 14:15:00 +00:00
Contributor
Copy Link

@krist, I have also a problem with SSH on kubernetes in verion 1.14.2. Are the error messages equal? Otherwise I would create an additional issue.

$ LC_ALL=C git clone git@k8s-demo.internal:admin/test.git
Cloning into 'test'...
Connection reset by 192.168.179.217 port 22
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
@krist, I have also a problem with SSH on kubernetes in verion 1.14.2. Are the error messages equal? Otherwise I would create an additional issue. ``` $ LC_ALL=C git clone git@k8s-demo.internal:admin/test.git Cloning into 'test'... Connection reset by 192.168.179.217 port 22 fatal: Could not read from remote repository. Please make sure you have the correct access rights and the repository exists. ```
volker.raschek commented 2021-06-12 14:22:12 +00:00
Contributor
Copy Link

I've added the capability SYS_CHROOT and SSH work than fine.

I've added the capability `SYS_CHROOT` and SSH work than fine.
justusbunsi commented 2021-06-12 16:37:06 +00:00
Member
Copy Link

That's odd. I remember being able to push via SSH using 1.14.2. Will revalidate this.
Are you using root based or rootless image and how do you use SSH (built-in or passthrough)?

That's odd. I remember being able to push via SSH using 1.14.2. Will revalidate this. Are you using root based or rootless image and how do you use SSH (built-in or passthrough)?
volker.raschek commented 2021-06-12 16:48:41 +00:00
Contributor
Copy Link

Hi @justusbunsi,

Are you using root based or rootless image and how do you use SSH (built-in or passthrough)?

I use a gitea root based and the build-in ssh server.

Hi @justusbunsi, > Are you using root based or rootless image and how do you use SSH (built-in or passthrough)? I use a gitea root based and the build-in ssh server.
justusbunsi commented 2021-06-13 08:20:58 +00:00
Member
Copy Link

Oh. I missed the part regarding cri-o container runtime in the issue description. That's definitely a difference in my cluster (I am using containerd). @volker.raschek Do you use cri-o in your cluster, too? Or do you have this problem with another container runtime?

Usually, that's what the securitycontext is designed for. In case there is an issue with the cluster configuration in use, one can fix it by configuring the necessary options for the container in a pod.
If it "only" occurs with cri-o, the SYS_CHROOT capability shouldn't be set as default in the template because it is a security related change granting more permissions than needed for clusters without cri-o runtime. Instead it would be great to mention it in the README and/or in values file to give this caveat knowledge to the users.

Oh. I missed the part regarding cri-o container runtime in the issue description. That's definitely a difference in my cluster (I am using containerd). @volker.raschek Do you use cri-o in your cluster, too? Or do you have this problem with another container runtime? Usually, that's what the securitycontext is designed for. In case there is an issue with the cluster configuration in use, one can fix it by configuring the necessary options for the container in a pod. If it "only" occurs with cri-o, the `SYS_CHROOT` capability shouldn't be set as default in the template because it is a security related change granting more permissions than needed for clusters without cri-o runtime. Instead it would be great to mention it in the README and/or in values file to give this caveat knowledge to the users.
volker.raschek commented 2021-06-13 08:29:53 +00:00
Contributor
Copy Link

@justusbunsi Yes I use the cri-o runtime on all of my cluster nodes.

the SYS_CHROOT capability shouldn't be set as default in the template because it is a security related change granting more permissions than needed for clusters without cri-o runtime

This would be great. Maybe it make sense to add this lines into the values.yaml but only commented and described. This allows cio-o users to comment the line accordingly.

Additionally it make sense to describe it in the README.md.

I will adjust the commit again.

@justusbunsi Yes I use the cri-o runtime on all of my cluster nodes. > the SYS_CHROOT capability shouldn't be set as default in the template because it is a security related change granting more permissions than needed for clusters without cri-o runtime This would be great. Maybe it make sense to add this lines into the `values.yaml` but only commented and described. This allows cio-o users to comment the line accordingly. Additionally it make sense to describe it in the `README.md`. I will adjust the commit again.
justusbunsi added the
kind
docs
 label 2021-06-30 18:12:00 +00:00
justusbunsi added this to the Release 4.0.0 milestone 2021-06-30 18:12:06 +00:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
main
quote-image-tag
app-ini-recreation
fix-env-to-ini
clean-app-ini
gitea-ha
v10.1.4
v10.1.3
v10.1.2
v10.1.1
v10.1.0
v10.0.2
v10.0.1
v10.0.0
v9.6.1
v9.6.0
v9.5.1
v9.5.0
v9.4.0
v9.3.0
v9.2.1
v9.2.0
v9.1.0
v9.0.4
v9.0.3
v9.0.2
v9.0.1
v9.0.0
v8.3.0
v8.2.0
v8.1.0
v8.0.3
v8.0.2
v8.0.1
v8.0.0
v7.0.4
v7.0.3
v7.0.2
v7.0.1
v7.0.0
v6.0.5
v6.0.4
v6.0.3
v6.0.2
v6.0.1
v6.0.0
v5.0.9
v5.0.8
v5.0.7
v5.0.6
v5.0.5
v5.0.4
v5.0.3
v5.0.2
v5.0.1
v5.0.0
v4.1.1
v4.1.0
v4.0.3
v4.0.2
v4.0.1
v4.0.0
v3.1.4
v3.1.3
v3.1.2
v3.1.1
v3.1.0
v3.0.0
v2.2.5
v2.2.4
v2.2.3
v2.2.2
v2.2.1
v2.2.0
v2.1.11
v2.1.10
v2.1.9
v2.1.8
v2.1.7
v2.1.6
v2.1.5
v2.1.4
v2.1.3
v2.1.2
v2.1.1
v2.1.0
v2.0.7
v2.0.6
v2.0.5
v2.0.4
v2.0.3
v2.0.2
v2.0.0
v1.5.5
v1.5.4
v1.5.3
v1.5.2
v1.5.1
v1.5.0
v1.4.9
v1.4.8
v1.4.7
v1.4.6
v1.4.5
v1.4.4
v1.4.3
v1.4.2
Labels
Clear labels   
has
backport

  
in progress

   
invalid
  
kind
breaking

  
kind
bug

  
kind
build

  
kind
dependency

  
kind
deployment

  
kind
docs

  
kind
enhancement

  
kind
feature

  
kind
lint

  
kind
proposal

  
kind
question

  
kind
refactor

  
kind
security

  
kind
testing

  
kind
translation

  
kind
ui

  
need
backport

  
priority
critical

  
priority
low

  
priority
maybe

  
priority
medium

  
reviewed
duplicate

  
reviewed
invalid

  
reviewed
wontfix

  
skip-changelog
  
status
blocked

  
status
needs-feedback

  
status
needs-reviews

  
status
wip

  
upstream
gitea

  
upstream
other

No Label
has
backport
in progress
invalid
kind
breaking
kind
bug
kind
build
kind
dependency
kind
deployment
kind
docs
kind
enhancement
kind
feature
kind
lint
kind
proposal
kind
question
kind
refactor
kind
security
kind
testing
kind
translation
kind
ui
need
backport
priority
critical
priority
low
priority
maybe
priority
medium
reviewed
duplicate
reviewed
invalid
reviewed
wontfix
skip-changelog
status
blocked
status
needs-feedback
status
needs-reviews
status
wip
upstream
gitea
upstream
other
Milestone
Clear milestone
No items
No Milestone
Release 4.0.0
Assignees
Clear assignees
No Assignees
3 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: gitea/helm-chart#161
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?