Bug 1464356 - Failed to prevent s2i builder images from running as root
Status: CLOSED CURRENTRELEASE
Product: OpenShift Container Platform
Classification: Red Hat
Component: Build
3.6.0
medium Severity medium
Assigned To: Ben Parees
Dongbo Yan
: Regression
Reported: 2017-06-23 04:30 EDT by Dongbo Yan
Modified: 2017-08-16 15 EDT
Last Closed: 2017-08-01 11:23:50 EDT
Type: Bug
Description Dongbo Yan 2017-06-23 04:30:11 EDT
Description of problem:
Failed to prevent s2i builder images from running as root

Version-Release number of selected component (if applicable):
openshift v3.6.122
kubernetes v1.6.1+5115d708d7

How reproducible:
Always

Steps to Reproduce:
1. Build image with Dockerfile set instruction "USER 0" in it
2. Use above built image to do s2i build
 $ oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/build/tc499515/test-buildconfig-user0.json
3. Check build status

Actual results:
Build is completed

Expected results:
Build is failed with error in log:
"must specify a user that is numeric and within the range of allowed users"

Additional info:
Comment 1 Ben Parees 2017-06-23 11:27:15 EDT
David, any chance this is related to the scc/admission work you've been doing?  I know you mentioned we're doing this in a weird way.
Comment 2 David Eads 2017-06-26 09:43:51 EDT
@bparees  I don't think so.  My work still hasn't merged: https://github.com/openshift/origin/pull/14775
Comment 3 Ben Parees 2017-06-26 18:52:21 EDT
PR: https://github.com/openshift/origin/pull/14891
Comment 4 openshift-github-bot 2017-06-27 10:50:45 EDT
Commit pushed to master at https://github.com/openshift/origin

https://github.com/openshift/origin/commit/d186041d1a4a94b391c6783458e206b6d12f0557
pass an internal pod object to SCC admission control so it works

https://bugzilla.redhat.com/show_bug.cgi?id=1464356

bug 1464356
Comment 6 Dongbo Yan 2017-07-02 22:49:08 EDT
Test with
openshift v3.6.131
kubernetes v1.6.1+5115d708d7
etcd 3.2.1

build is failed, and show "must specify a user that is numeric and within the range of allowed users" in build log

could move to verified
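
The check the reporter expected, as an added example that is not part of the bug thread and not OpenShift's own code: it reads the last USER instruction from a builder image's Dockerfile and returns the quoted error unless the user is numeric and inside an allowed range. The function names and the 1-65535 range are assumptions of this example.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Error text quoted in the bug report's expected result.
var errUser = errors.New("must specify a user that is numeric and within the range of allowed users")

// effectiveUser returns the value of the last USER instruction in a
// Dockerfile, or "" if there is none (the user is then inherited from
// the base image, which this example cannot see).
func effectiveUser(dockerfile string) string {
	user := ""
	sc := bufio.NewScanner(strings.NewReader(dockerfile))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) >= 2 && strings.EqualFold(f[0], "USER") {
			user = f[1]
		}
	}
	return user
}

// checkBuilderUser fails closed: it rejects a builder image whose user is
// missing, named rather than numeric, or outside [minUID, maxUID].
// The range is an assumption of this example; the page does not state one.
func checkBuilderUser(dockerfile string, minUID, maxUID int64) error {
	user := strings.SplitN(effectiveUser(dockerfile), ":", 2)[0] // drop ":group"
	uid, err := strconv.ParseInt(user, 10, 64)
	if err != nil || uid < minUID || uid > maxUID {
		return errUser
	}
	return nil
}

func main() {
	// Constructed sample: a builder Dockerfile like the one in step 1.
	sample := "FROM centos:7\nUSER 1001\nRUN true\nUSER 0\n"
	fmt.Println(checkBuilderUser(sample, 1, 65535))
}
```

A named user such as `USER default` is rejected as well, because a name cannot be shown to map to a non-root UID without inspecting the image.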
