Add support to run gitea with an optional securityContext #115

Merged
lafriks merged 2 commits from martencassel/helm-chart:set_securitycontext into master 2021-03-01 12:16:49 +00:00
Contributor

Add the option to initialize and run gitea with a securityContext.

martencassel added 1 commit 2021-02-19 14:48:21 +00:00
Add support to run gitea with an optional securityContext
All checks were successful
continuous-integration/drone/pr Build is passing
32b7a0a58d
Contributor

Yes, but I find that when running with the following context:

```yaml
securityContext:
  runAsNonRoot: true
  runAsUser: 1000
  runAsGroup: 1000
```

The init container fails with the following error: `init su: must be suid to work properly`
martencassel added 1 commit 2021-02-23 13:56:35 +00:00
Don't set securityContext in initContainer.
All checks were successful
continuous-integration/drone/pr Build is passing
6a75a4217a
Contributor

What I found when trying this PR is that Gitea is required to run as root (#120). Only from 1.14 will rootless be available, and only then will this work, as the current image requires root access.
Member

Thanks for your PR, I will check on this once 1.14 is the default image :)
Author
Contributor

We would like to run gitea as a specific uid in order to access NFS data via Kerberos. I don't know if setting the uid is possible in the rootless work that is coming up.

https://github.com/go-gitea/gitea/issues/14780
luhahn approved these changes 2021-02-24 08:43:04 +00:00
Dismissed
luhahn left a comment
Member

Did not have a closer look into this issue yesterday, sorry.

Of course we can merge this PR prior to 1.14 since it only adds the possibility to set a security context.
lafriks approved these changes 2021-03-01 12:16:14 +00:00
Dismissed
lafriks added the kind/enhancement label 2021-03-01 12:16:31 +00:00
lafriks merged commit 33903d8f6c into master 2021-03-01 12:16:49 +00:00
Contributor

I was hoping to improve the security for my Gitea installation with this. Unfortunately when setting the example as @Dunky13 posted I get the following error from the gitea container itself (init is fine):

```
s6-svscan: fatal: unable to mkfifo .s6-svscan/control: Permission denied
```
Contributor

> I was hoping to improve the security for my Gitea installation with this. Unfortunately when setting the example as @Dunky13 posted I get the following error from the gitea container itself (init is fine):
>
> ```
> s6-svscan: fatal: unable to mkfifo .s6-svscan/control: Permission denied
> ```
>
> https://gitea.com/gitea/helm-chart/pulls/115#issuecomment-313716

The security context doesn't work (yet), since it will be released in Gitea 1.14 - we are currently in 1.13. So waiting for the "rootless" release. The security context can only work when gitea doesn't require root access, as it does now.
Contributor

Yeah, realised it after I posted. A few things have changed with 1.14 so this might be a challenge for those who are using the Helm Chart I guess. Seems to have `latest` mostly working now on my setup.
Contributor

@Dunky13 just tested with `latest-rootless` which is v1.14-dev, it failed with the error you posted. Wondering if `securityContext` should also be applied to the init container as well?
Contributor

@Starefossen I am not sure, haven't tested with rootless, as in the context I'm working in, I need a steady version number. Could possibly be the case. But it would require some testing on a cluster, either by you or by @luhahn, if they have the time & energy to put in that effort?
Contributor

Ok, so the problem is [init.yaml#L25](https://gitea.com/gitea/helm-chart/src/branch/master/templates/gitea/init.yaml#L25):

```
su git -c ' \
```
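As an added illustration (not chart code and not from any commenter in this thread): a small lint over a pod spec that flags the two conflicts discussed above, an init container that calls `su` while the effective securityContext drops root, and a non-rootless image started under runAsNonRoot. The sample pod spec, its commands, image tags and the '-rootless' tag heuristic are constructed assumptions.

```python
"""Lint a Kubernetes pod spec for the two securityContext pitfalls from this
thread. Constructed example; not code from the gitea helm-chart."""
import re

# Constructed sample: chart-style init + gitea containers with the
# securityContext from the thread applied at pod level.
SAMPLE_POD_SPEC = {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1000, "runAsGroup": 1000},
    "initContainers": [
        {"name": "init", "image": "gitea/gitea:1.13",
         "command": ["/bin/sh", "-c"],
         "args": ["chown -R git:git /data && su git -c 'gitea migrate'"]},
    ],
    "containers": [{"name": "gitea", "image": "gitea/gitea:1.13"}],
}

# 'su' invoked as a command word (start of string or after whitespace / ; & |).
SU_RE = re.compile(r"(?:^|[\s;&|])su\s")


def effective_context(pod_spec, container):
    """Pod-level securityContext with container-level keys overriding it."""
    ctx = dict(pod_spec.get("securityContext", {}))
    ctx.update(container.get("securityContext", {}))
    return ctx


def drops_root(ctx):
    """True when the context forces a non-root uid (runAsNonRoot or uid != 0)."""
    return ctx.get("runAsNonRoot") is True or ctx.get("runAsUser") not in (None, 0)


def lint_pod_spec(pod_spec):
    """Return human-readable findings; an empty list means no known conflict."""
    findings = []
    for c in pod_spec.get("initContainers", []):
        ctx = effective_context(pod_spec, c)
        script = " ".join(c.get("command", []) + c.get("args", []))
        # 'su' must be setuid root; as uid 1000 it aborts with
        # "su: must be suid to work properly" (the error seen in this thread).
        if drops_root(ctx) and SU_RE.search(script):
            findings.append(f"initContainer {c['name']}: uses su but runs as "
                            f"uid {ctx.get('runAsUser')}")
    for c in pod_spec.get("containers", []):
        ctx = effective_context(pod_spec, c)
        # Assumption: rootless images carry a '-rootless' tag; other tags
        # start s6-svscan as root and fail to mkfifo as an unprivileged uid.
        if drops_root(ctx) and "rootless" not in c.get("image", ""):
            findings.append(f"container {c['name']}: image {c['image']} needs "
                            f"root but runs as uid {ctx.get('runAsUser')}")
    return findings
```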