-
Notifications
You must be signed in to change notification settings - Fork 3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Revisit root permissions and entrypoint for user management #560
Comments
I've stalled on creating the ReadTheDocs site, partially because I'm at the section of the doc where I have to document all the various options the images support. It's daunting. So I was planning to open an issue this morning to discuss what options we currently support (e.g., Then I saw this new ticket about root permissions (thanks @minrk !) and wonder if we should tackle the two topics together:
|
I'm currently using https://github.com/GrahamDumpleton/openshift3-jupyter-stacks to be able to deploy on OpenShift. However, since the dockerfile there specifies changes to /home/$NB_USER, it results in an additional ~3GB layer to the base image, just because it's changing permissions. I can imagine if this enhancement is resolved, then these images would run natively on OpenShift. Can someone shed some light into why it's required to be able to run as a different user? |
@GrahamDumpleton made quite a few contributions to this repository lately, including documentation about using these images on OpenShift 3 (https://github.com/jupyter/docker-stacks/tree/master/examples/openshift). Perhaps the problem has been mitigated already? |
The So have done as much as I can. They will run, but you need to configure OpenShift, the Kubernetes environment with multi user RBAC setup, or any other more secure Docker environment, to run the containers with supplemental group of As pointed out, see the examples directory. For Source-to-Image builds there is also: I am gradually pulling all information together about running Jupyter on OpenShift at: It is a self signed certificate on the site for now, but that will be fixed. There is also lots of other repos and examples related to running JupyterHub, kernel gateways, nbviewer, native OpenShift S2I based notebooks etc., at: |
Maybe my memory is faulty, but I remember some questions about whether using the root group could lead to security issues and some answers back that it looked OK to OpenShift folks. After that, I think the conversation trailed off and was lost when folks, myself included, suggested that changes be made one PR at a time. I'm open to switching the default user |
If these images were only ever used as is there would be no issue changing. The problem is the effect on people who are creating derived images. You can’t assume that people when adding stuff in derived images are setting user/group based on NB_UID/NB_GID environment variables, if they are at least trying to match permissions. So it isn’t a security issue, just that derived images people are creating could be broken by changing the group to GID of 0. |
Sorry, I should have been clearer. By "regress other features" I meant "break without the ability to fix". Documenting best practices for deriving images from the core definitions here, especially the base and minimal images, is fodder for the ReadTheDocs site slowly being worked in #517 and associated PRs. If we document examples of how to properly set permissions in derived images (e.g., |
@GrahamDumpleton thanks a lot for all your efforts with regards to getting jupyter on OpenShift, it was a huge help. |
My main concern about defaulting to GID=0 is that it seems to be the wrong thing to do for the much more common case of people running these docker images outside of kubernetes/openshift-style locked-down environments. See this thread where running users as gid=0 with the current state of things makes it trivial to become the root user. Only in extra-secure contexts like openshift does it seem to be a safe and correct choice use run with gid=0. Since that's not the primary target case for these docker stacks, I'm not sure there's a good way to serve both. I also want it to be clear that these stacks are far from the only way to install Jupyter, and we shouldn't be trying to make these stacks serve all use cases. I think the current level of configurability is a source of significant complications. I suspect for cases like openshift with specific demands, using something like s2i to build images with Jupyter installed via conda and/or pip with specific choices for user/group permissions may well be the preferable, simpler solution to trying to make these stacks work optimally in all possible environments. |
Arrgggh. Totally forgot that issue was raised around use of |
Not sure yet what issues this may cause with existing functionality in the image which uses
Result then is:
|
You would though have to also rollback the change made to make The addition of a corresponding entry to |
As per comments on #653 it seems that what can do to lock down ability to run
End result is that when running as random user ID not in Relevant docs from
Even with this, still would be a good idea to document that if running with random UID not in These changes do not appear to affect ability to |
I have reworked my withdrawn PR and create a new one at #654 to lock down in what circumstances |
Despite #653, it still seems like it would be trivial to gain root access if the container is run with group |
Is there a reason we can't just grant Feels like that would allow the container to always launch as non-root (user or group) but retain all the user-remapping, home-dir and |
If someone already has the ability to override the startup command and supply As you say it is 'trivial to gain root access', can you explain by what mechanism having group Running as group The running as group So the group So can you explain what you believe makes it trivial to become the In the mean time, it could be worthwhile to document as general precaution, that in all cases where not relying on |
@GrahamDumpleton let's discuss via email or Gitter if you like (or something else, you choose), since it is a security question. |
Or BlueJeans or phone since you appear to live in the same city. :-) For email you can get me at: [email protected] |
Re: reporting vulnerabilities, I've started a thread on Discourse about how we might better indicate the preferred procedure https://discourse.jupyter.org/t/responsible-vulnerability-reporting/655. |
it requires password when i try to use sudo,may i have password? |
Please, search the docs and github before asking a question. |
In start.sh, we support setting up the user in a variety of ways that currently require the container to be started as root. #552, #553, #559 introduce a mechanism to handle a subset of those cases when the user is in the root group, as is typical with openshift. #553 initially did so in an ENTRYPOINT instead of CMD in order to benefit even when CMD is overridden, e.g. directly to
jupyterhub-singleuser
in kubespawner. That logic now resides in start.sh with everything else (#559), but perhaps much of start.sh ought to move to an ENTRYPOINT instead of the CMD.Things to consider:
Current capabilities in start.sh that require root permissions:
jovyan
user to$NB_USER
if setThe text was updated successfully, but these errors were encountered: