
INFRA-2955: Linux Packer Images: Execute Docker Engine in rootless mode


      Description

      Following INFRA-2954, the default "jenkins" user should not be able to obtain administrator rights through sudo.

      As we are using these images for Docker, this means that the Docker Engine should be executed in rootless mode (https://docs.docker.com/engine/security/rootless/) to mitigate the risk when a container breakout happens, even if the ephemeral nature of these machines already helps in this area.

      Switching to rootless mode (i.e. running the engine inside a user namespace) is:

      • Only available for Linux containers
      • Likely to break some edge-case builds, because it disables a few features such as `--network=host`. If that happens, a discussion will have to be triggered, because relying on such features is a "security smell".

      [EDIT]
      We have to be careful:

      • INFRA-3006: changing the default UID of the "jenkins" user from 1000 to 1001 broke some usages in the ATH (Acceptance Test Harness)
      • INFRA-3016: the test harness of the Jenkins Docker image (or any usage of this image that assumes the default UID of 1000) might also break with rootless mode, as Docker will remap users through the user namespace
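To make the INFRA-3016 caveat concrete, here is an added example (not code from this ticket or from the Jenkins infrastructure) that models how rootless Docker's user namespace remaps UIDs and checks whether the "UID 1000 inside the container equals UID 1000 on the host" assumption survives it. The host UID 1001 and the subordinate range 100000:65536 are constructed values, not the real configuration.

```python
# Added example (not part of INFRA-2955): rootless Docker UID remapping and
# why a harness assuming "container UID 1000 == host UID 1000" breaks.
# All values below are constructed for illustration.
from typing import List, Optional, Tuple

JENKINS_HOST_UID = 1001            # constructed: the unprivileged "jenkins" user
SUBUID_RANGE = (100000, 65536)     # constructed: "jenkins:100000:65536" in /etc/subuid

UidMap = List[Tuple[int, int, int]]  # (inside, outside, count), as in /proc/<pid>/uid_map


def build_uid_map(host_uid: int, subuid: Tuple[int, int]) -> UidMap:
    """Mapping rootless Docker sets up via newuidmap: container root -> the host
    user, container UIDs 1.. -> the host user's subordinate range."""
    start, count = subuid
    return [(0, host_uid, 1), (1, start, count)]


def container_to_host_uid(uid_map: UidMap, container_uid: int) -> int:
    """Translate a UID seen inside the container to the UID the host kernel enforces."""
    for inside, outside, count in uid_map:
        if inside <= container_uid < inside + count:
            return outside + (container_uid - inside)
    raise ValueError(f"container UID {container_uid} is not mapped")


def host_to_container_uid(uid_map: UidMap, host_uid: int) -> Optional[int]:
    """Reverse lookup: which container UID owns files created by this host UID.
    None means the owner appears as 'nobody' (overflow UID) inside the container."""
    for inside, outside, count in uid_map:
        if outside <= host_uid < outside + count:
            return inside + (host_uid - outside)
    return None


def assumption_holds(uid_map: UidMap, assumed_uid: int = 1000) -> bool:
    """The INFRA-3016 assumption: UID `assumed_uid` inside == the same UID on the host."""
    try:
        return container_to_host_uid(uid_map, assumed_uid) == assumed_uid
    except ValueError:
        return False


if __name__ == "__main__":
    uid_map = build_uid_map(JENKINS_HOST_UID, SUBUID_RANGE)
    for uid in (0, 1000, 65536):
        print(f"container uid {uid:>5} -> host uid {container_to_host_uid(uid_map, uid)}")
    # A bind-mounted workspace owned by host UID 1000 has no container-side owner:
    print("host uid 1000 seen inside container as:", host_to_container_uid(uid_map, 1000))
    print("harness assumption 'uid 1000 == 1000' holds:", assumption_holds(uid_map))
```

With the rootful (identity-mapped) engine the same check returns True, which is why the breakage only surfaces once the images switch to rootless mode.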


            Activity

            Damien Duportal (dduportal) added a comment:

            Removing from the "spring 2021" EPIC as this topic will break a lot of usages so it should be treated as a separate task


              People

              Assignee: Unassigned
              Reporter: Damien Duportal (dduportal)