Bug 1464356 - Failed to prevent s2i builder images from running as root
Summary: Failed to prevent s2i builder images from running as root
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Build
Version: 3.6.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 3.6.z
Assignee: Ben Parees
QA Contact: Dongbo Yan
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-06-23 08:30 UTC by Dongbo Yan
Modified: 2018-05-21 13:46 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 15:23:50 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2017:1716 0 normal SHIPPED_LIVE Red Hat OpenShift Container Platform 3.6 RPM Release Advisory 2017-08-10 09:02:50 UTC

Description Dongbo Yan 2017-06-23 08:30:11 UTC
Description of problem:
Failed to prevent s2i builder images from running as root

Version-Release number of selected component (if applicable):
openshift v3.6.122
kubernetes v1.6.1+5115d708d7

How reproducible:
Always

Steps to Reproduce:
1. Build an image from a Dockerfile that has the instruction "USER 0" set in it
2. Use the image built above to do an s2i build
 $ oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/build/tc499515/test-buildconfig-user0.json
3. Check the build status

Actual results:
Build is completed

Expected results:
Build fails with an error in the log:
"must specify a user that is numeric and within the range of allowed users"

Additional info:

Comment 1 Ben Parees 2017-06-23 15:27:15 UTC
David, any chance this is related to the scc/admission work you've been doing?  I know you mentioned we're doing this in a weird way.

Comment 2 David Eads 2017-06-26 13:43:51 UTC
@bparees  I don't think so.  My work still hasn't merged: https://github.com/openshift/origin/pull/14775

Comment 3 Ben Parees 2017-06-26 22:52:21 UTC
PR: https://github.com/openshift/origin/pull/14891

Comment 4 openshift-github-bot 2017-06-27 14:50:45 UTC
Commit pushed to master at https://github.com/openshift/origin

https://github.com/openshift/origin/commit/d186041d1a4a94b391c6783458e206b6d12f0557
pass an internal pod object to SCC admission control so it works

https://bugzilla.redhat.com/show_bug.cgi?id=1464356

bug 1464356

Comment 6 Dongbo Yan 2017-07-03 02:49:08 UTC
Test with
openshift v3.6.131
kubernetes v1.6.1+5115d708d7
etcd 3.2.1

The build fails and shows "must specify a user that is numeric and within the range of allowed users" in the build log.

Could move to verified.
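
The rule quoted in the expected build error, as an added Go example that is not part of this bug report and is not OpenShift's own code: it finds the USER in effect at the end of a builder image's Dockerfile and rejects it unless it is numeric and inside an allowed range. `UIDRange`, `FinalUser`, `CheckUser` and the range values are hypothetical names and constructed data.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// UIDRange is a hypothetical allowed range; the values in main are constructed.
type UIDRange struct{ Min, Max int64 }

// FinalUser returns the USER in effect at the end of a Dockerfile. A new FROM
// starts a new stage, so the user resets to "" (the base image's default).
func FinalUser(dockerfile string) string {
	user := ""
	sc := bufio.NewScanner(strings.NewReader(dockerfile))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 2 {
			continue
		}
		switch strings.ToUpper(f[0]) {
		case "FROM":
			user = ""
		case "USER":
			user = f[1]
		}
	}
	return user
}

// CheckUser requires a numeric user inside the allowed range. A "uid:gid"
// value is checked on its uid part; an empty or named user is rejected.
func CheckUser(user string, r UIDRange) error {
	uid, err := strconv.ParseInt(strings.SplitN(user, ":", 2)[0], 10, 64)
	if err != nil {
		return fmt.Errorf("user %q is not numeric", user)
	}
	if uid < r.Min || uid > r.Max {
		return fmt.Errorf("uid %d is outside allowed range %d-%d", uid, r.Min, r.Max)
	}
	return nil
}

func main() {
	r := UIDRange{Min: 1000000000, Max: 1000009999} // constructed range
	fmt.Println(CheckUser(FinalUser("FROM base\nUSER 0\n"), r))
}
```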

