[Ansible-service-broker] bind APB, review requested
Jason Montleon
jmontleo at redhat.com
Thu Dec 14 21:26:07 UTC 2017
On 12/14/2017 04:05 PM, Michael Hrivnak wrote:
> Thanks!
>
> For the scc issue, based on "This can cause problems for applications
> that expect to be able to look up their user ID.", I made an assumption
> that since named seemed to run happily as-is, perhaps it does not need
> to look up its own user ID.
>
That's possible.
> How common is that? Should we assume that all apps might want to look up
> their user in /etc/passwd, unless proven otherwise? Is it a good idea to
> add the entrypoint logic in all cases?
>
If it doesn't need it it's probably fine.
Looking at some db pods I have running it seems they also don't have
an issue with this, so I guess there are more than a couple services
where it isn't an issue.
bash-4.2$ whoami
whoami: cannot find name for user ID 1000550000
bash-4.2$ grep mysql /etc/passwd
mysql:x:27:27:MySQL Server:/var/lib/mysql:/sbin/nologin
bash-4.2$ whoami
whoami: cannot find name for user ID 1000400000
bash-4.2$ grep postgres /etc/passwd
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
> On Thu, Dec 14, 2017 at 10:04 AM, Jason Montleon <jmontleo at redhat.com> wrote:
>
> I don't think your app container will run in a restricted scc unless
> you do the rest of the steps; specify the user numerically and
> create an entrypoint with the snippet of code they specified:
>
> "
> Because the user ID of the container is generated dynamically, it
> will not have an associated entry in /etc/passwd. This can cause
> problems for applications that expect to be able to look up their
> user ID. One way to address this problem is to dynamically create a
> passwd file entry with the container’s user ID as part of the
> image’s start script. This is what a Dockerfile might include:
>
> RUN chmod g=u /etc/passwd
> ENTRYPOINT [ "uid_entrypoint" ]
> USER 1001
>
> Where uid_entrypoint contains:
>
> if ! whoami &> /dev/null; then
>   if [ -w /etc/passwd ]; then
>     echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:${HOME}:/sbin/nologin" >> /etc/passwd
>   fi
> fi
> "
>
> I think we've used a different variant of this as well:
> USER_ID=$(id -u)
> if [ ${USER_UID} != ${USER_ID} ]; then
>   sed "s@${USER_NAME}:x:\${USER_ID}:@${USER_NAME}:x:${USER_ID}:@g" ${BASE_DIR}/etc/passwd.template > /etc/passwd
> fi
>
> With additional ENV stuff set in the Dockerfile:
> ENV USER_NAME=www-data \
> USER_UID=1001 \
> BASE_DIR=/home/www-data
> ENV HOME=${BASE_DIR}
>
>
> apb base and mediawiki are two app containers maintained by us where
> we deal with this. It looks like apb-base entrypoint is using
> similar to the example in the docs you mentioned in the Dockerfile.
>
> https://github.com/fusor/dockerfiles/blob/master/mediawiki123:latest
> https://github.com/ansibleplaybookbundle/apb-base
>
> Bind could be a nice neat example of multiple plans. One for caching
> only, another that sets up persistent storage and creates a ddns
> zone or zones, rndc key for managing it, etc.
>
>
> On 12/13/2017 03:28 PM, Michael Hrivnak wrote:
>
> Because we don't have enough overloaded terminology, I decided
> to make my first APB install "bind", the DNS service. I would
> appreciate your review, and please don't hold back! I'm
> relatively new to openshift and ansible, so you can help me out
> by pointing out anything you would have done differently and why.
>
> https://github.com/mhrivnak/bind-apb
> https://hub.docker.com/r/mhrivnak/bind-apb/
>
> One specific question came up. DNS traffic defaults to UDP,
> which limits my options for exposing the service externally. I
> went with the LoadBalancer approach, which assigns a dedicated
> IP from a pool of external addresses. Is that reasonable? Is
> there another option you would have used?
>
> I also hit some funny errors trying to expose both TCP and UDP
> on the loadbalancer service. I didn't try many iterations of it,
> but if you have a suggestion or idea, I'm all ears.
>
> Going through the exercise of making this has been very helpful
> for getting familiar with much of the stack. I appreciate
> everyone's help pointing me in the right direction.
>
> Thanks!
>
> --
>
> Michael Hrivnak
>
> Principal Software Engineer, RHCE
>
> Red Hat
>
>
>
> _______________________________________________
> Ansible-service-broker mailing list
> Ansible-service-broker at redhat.com
> https://www.redhat.com/mailman/listinfo/ansible-service-broker
>
>
> --
> Jason Montleon | email: jmontleo at redhat.com
> Software Engineer | gpg key: 0x069E3022
> Red Hat, Inc. | irc: jmontleo
> desk: 978-392-3930 | cell: 508-496-0663
>
> --
>
> Michael Hrivnak
>
> Principal Software Engineer, RHCE
>
> Red Hat
>
--
Jason Montleon | email: jmontleo at redhat.com
Software Engineer | gpg key: 0x069E3022
Red Hat, Inc. | irc: jmontleo
desk: 978-392-3930 | cell: 508-496-0663
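An added example, not code from this thread or from the OpenShift docs it quotes: both entrypoint approaches discussed above (the uid_entrypoint append and the passwd.template sed rewrite), written as functions that take the passwd file and uid as parameters so they can be checked against a scratch file instead of the container's real /etc/passwd. The function names, paths and sample uids are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the thread's or the docs' own code): both entrypoint
# approaches discussed above, parameterised on the passwd file and uid so
# they can be exercised against a scratch file instead of /etc/passwd.
# Function names, paths and sample uids are constructed for illustration.

# ensure_passwd_entry FILE UID NAME HOME
# Variant 1 (uid_entrypoint): append an entry for UID if FILE has none.
# Returns 0 if an entry exists or was added, 1 if FILE is not writable
# (i.e. the image skipped `chmod g=u /etc/passwd`). Idempotent.
ensure_passwd_entry() {
    pw=$1; uid=$2; name=$3; home=$4
    # Field 3 is the numeric uid; `whoami` succeeds only if it resolves.
    if awk -F: -v u="$uid" '$3 == u { found = 1 } END { exit !found }' "$pw"; then
        return 0
    fi
    [ -w "$pw" ] || return 1
    # gid 0: under the restricted SCC the arbitrary uid runs with the root group.
    printf '%s:x:%s:0:%s user:%s:/sbin/nologin\n' "$name" "$uid" "$name" "$home" >> "$pw"
}

# render_passwd_template TEMPLATE OUT NAME UID
# Variant 2 (passwd.template): the image ships a template whose entry for
# NAME carries the literal token ${USER_ID}; substitute the runtime uid.
render_passwd_template() {
    tpl=$1; out=$2; name=$3; uid=$4
    sed "s@${name}:x:\${USER_ID}:@${name}:x:${uid}:@g" "$tpl" > "$out"
}

# demo: constructed passwd file with the mysql line from the thread and the
# arbitrary uid 1000550000 that `whoami` could not resolve; prints the result.
demo() {
    f=$(mktemp)
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$f"
    printf 'mysql:x:27:27:MySQL Server:/var/lib/mysql:/sbin/nologin\n' >> "$f"
    ensure_passwd_entry "$f" 1000550000 default /home/default
    ensure_passwd_entry "$f" 1000550000 default /home/default   # no duplicate line
    cat "$f"
    rm -f "$f"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run with `sh script.sh demo` to see the appended entry; in a real image the entrypoint would call `ensure_passwd_entry /etc/passwd "$(id -u)" "${USER_NAME:-default}" "${HOME:-/}"`.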