Issues with ssh chroot not working #8

Closed
opened 2020-08-09 02:58:56 +00:00 by nat321 · 2 comments

I am using gitea helm with a kubeadm deployed kubernetes cluster. Version 1.18.6

Had an issue with the SSH server. The issue was that I would attempt to ssh to the gitea service and then immediately get messages like this from the ssh client:

Connection reset by 10.0.0.14 port 22

Was getting this message in gitea container logs when trying to access my repos over SSH:

chroot("/var/empty"): Operation not permitted [preauth]
chroot("/var/empty"): Operation not permitted [preauth]
chroot("/var/empty"): Operation not permitted [preauth]

I was able to get it to work by patching the deployment and adding this to gitea container definition in the gitea deployment:

    securityContext:
      capabilities:
        add:
        - SYS_CHROOT

as per:

https://unofficial-kubernetes.readthedocs.io/en/latest/concepts/policy/container-capabilities/

This got it to work. Now SSH access is perfectly fine.

I suspect that this isn't the best fix, however. I am not sure of the security implications of allowing SYS_CHROOT inside a container. Probably a good reason why it's disabled by default.

Probably a better approach would be to add an option to disable the chroot for sshd. Or run sshd in its own container in the pod so it's isolated without having to do the chroot thing.

Maybe not. I know sshd can be a bear to deal with as far as containers go.

Besides this one issue the helm chart is working great for me. So thanks!

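As an added example (not code from the original issue or from the chart), here is a small Python helper for the check a practitioner would want before and after applying the `SYS_CHROOT` patch above: decode the `Cap*` lines of `/proc/<pid>/status` for the sshd process inside the container and see whether `CAP_SYS_CHROOT` (bit 18) is actually in its effective set. It also distinguishes the case where the bit is missing from the bounding set (the container runtime or pod `securityContext` dropped it, so `capabilities.add` is the right knob) from the case where it is in the bounding set but not the effective set (the process itself dropped it, e.g. by running as non-root). The status excerpts are constructed for the example; the pod and container names in the usage note are placeholders.

```python
"""Decode Linux capability bitmasks from a /proc/<pid>/status dump and check
whether chroot(2) can succeed, i.e. whether CAP_SYS_CHROOT is effective.

Real input inside the pod (placeholders for pod/container names):
    kubectl exec <gitea-pod> -c <gitea-container> -- grep Cap /proc/1/status
"""
import re

# Capability bit numbers as defined in <linux/capability.h>.
CAP_NAMES = {
    0: "chown", 1: "dac_override", 2: "dac_read_search", 3: "fowner",
    4: "fsetid", 5: "kill", 6: "setgid", 7: "setuid", 8: "setpcap",
    9: "linux_immutable", 10: "net_bind_service", 11: "net_broadcast",
    12: "net_admin", 13: "net_raw", 14: "ipc_lock", 15: "ipc_owner",
    16: "sys_module", 17: "sys_rawio", 18: "sys_chroot", 19: "sys_ptrace",
    20: "sys_pacct", 21: "sys_admin", 22: "sys_boot", 23: "sys_nice",
    24: "sys_resource", 25: "sys_time", 26: "sys_tty_config", 27: "mknod",
    28: "lease", 29: "audit_write", 30: "audit_control", 31: "setfcap",
    32: "mac_override", 33: "mac_admin", 34: "syslog", 35: "wake_alarm",
    36: "block_suspend", 37: "audit_read", 38: "perfmon", 39: "bpf",
    40: "checkpoint_restore",
}
CAP_SYS_CHROOT = 18

# Constructed /proc/1/status excerpts (not captured from a real pod).
# 0xa80425fb is the Docker default capability set; the first sample has
# bit 18 (sys_chroot) cleared from every set, the second has it present.
STATUS_NO_CHROOT = """\
Name:\tsshd
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t00000000a80025fb
CapEff:\t00000000a80025fb
CapBnd:\t00000000a80025fb
CapAmb:\t0000000000000000
"""
STATUS_WITH_CHROOT = STATUS_NO_CHROOT.replace("a80025fb", "a80425fb")


def parse_cap_mask(status_text: str, field: str = "CapEff") -> int:
    """Return the bitmask of one Cap* line (CapEff, CapBnd, ...) as an int."""
    m = re.search(rf"^{field}:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError(f"{field} line not found in status text")
    return int(m.group(1), 16)


def decode_caps(mask: int) -> list[str]:
    """Names of the capabilities set in a bitmask, lowest bit first."""
    return [CAP_NAMES.get(bit, f"cap_{bit}")
            for bit in range(mask.bit_length()) if mask >> bit & 1]


def can_chroot(status_text: str) -> bool:
    """True if CAP_SYS_CHROOT is in the effective set, so chroot(2) is allowed."""
    return bool(parse_cap_mask(status_text, "CapEff") >> CAP_SYS_CHROOT & 1)


def diagnose(status_text: str) -> str:
    """Classify why chroot would fail, to pick the right fix.

    'ok'                    -> chroot("/var/empty") will not hit EPERM
    'not-in-bounding-set'   -> runtime/pod securityContext dropped it;
                               securityContext.capabilities.add is the knob
    'not-in-effective-set'  -> it is available to the container but the
                               process dropped it (e.g. non-root user)
    """
    if can_chroot(status_text):
        return "ok"
    bounding = parse_cap_mask(status_text, "CapBnd")
    if not bounding >> CAP_SYS_CHROOT & 1:
        return "not-in-bounding-set"
    return "not-in-effective-set"


if __name__ == "__main__":
    for label, text in (("before patch", STATUS_NO_CHROOT),
                        ("after patch", STATUS_WITH_CHROOT)):
        eff = parse_cap_mask(text)
        print(f"{label}: CapEff={eff:#018x} -> {diagnose(text)}")
        print("  effective caps:", ", ".join(decode_caps(eff)))
```

The same decode can be done in the pod without Python via libcap's `capsh --decode=<hex>` on the `CapEff` value; the point of the script is that the number you want to see change after adding `SYS_CHROOT` is bit 18 of `CapEff` for PID 1 (or whichever PID sshd has), not just the absence of the `[preauth]` log line.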
Owner

Have you tried #7?
Member

Since there has been no response and this has not shown up in any of the tests, I think we can close this?
Reference: gitea/helm-chart#8