Issues with ssh chroot not working #8
Reference: gitea/helm-chart#8
I am using gitea helm with a kubeadm deployed Kubernetes cluster, version 1.18.6.

Had an issue with the SSH server. The issue was that I would attempt to ssh to the gitea service and then immediately get messages like this from the ssh client:

    Connection reset by 10.0.0.14 port 22

Was getting this message in the gitea container logs when trying to access my repos over SSH:

    chroot("/var/empty"): Operation not permitted [preauth]
    chroot("/var/empty"): Operation not permitted [preauth]
    chroot("/var/empty"): Operation not permitted [preauth]

I was able to get it to work by patching the deployment and adding this to the gitea container definition in the gitea deployment, as per:
https://unofficial-kubernetes.readthedocs.io/en/latest/concepts/policy/container-capabilities/

This got it to work. Now SSH access is perfectly fine.

I suspect that this isn't the best fix, however. I am not sure of the security implications of allowing SYS_CHROOT inside a container. Probably a good reason why it's disabled by default.

Probably a better approach would be to add an option to disable the chroot for sshd. Or run sshd in its own container in the pod so it's isolated without having to do the chroot thing. Maybe not. I know sshd can be a bear to deal with as far as containers go.

Besides this one issue the helm chart is working great for me. So thanks!
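The post above does not include the actual snippet that was patched into the deployment. As an added example (not the chart's own template and not the reporter's patch), the following Deployment excerpt shows the narrowest way to grant what the `chroot("/var/empty")` failure in the log is asking for: drop every capability and add back only `SYS_CHROOT`, rather than widening the container's whole capability set. The resource name and image reference are assumptions; the fields under `securityContext.capabilities` are standard Kubernetes `apps/v1` fields.

```yaml
# Added example (assumed names), not code from the gitea helm chart.
# Grants sshd's privilege-separation chroot the one capability it needs
# while keeping the rest of the default capability set dropped.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gitea            # assumed: whatever the chart names the Deployment
spec:
  template:
    spec:
      containers:
        - name: gitea    # assumed: the container running sshd inside the pod
          image: gitea/gitea   # assumed image reference, tag omitted
          securityContext:
            # Drop everything first, then add back the single capability
            # the chroot("/var/empty") call in the log requires.
            capabilities:
              drop:
                - ALL
              add:
                - SYS_CHROOT
            # Keep the process from regaining further capabilities later.
            allowPrivilegeEscalation: false
```

To confirm the grant took effect without guessing, read the effective capability mask of the container's init process from inside the pod with `kubectl exec <pod> -- grep CapEff /proc/1/status`; with only `SYS_CHROOT` (capability bit 18) added on top of `drop: ALL`, the mask is `0000000000040000`. If the chart later gains an option to run sshd differently, as the reporter suggests, this patch can be removed rather than left in place permanently.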
Have you tried #7?
Since there has been no response and this has not shown up in any of the tests i think we can close this?