[Ansible-service-broker] bind APB, review requested

Michael Hrivnak mhrivnak at redhat.com
Thu Dec 14 21:05:17 UTC 2017


Thanks!

For the scc issue, based on "This can cause problems for applications that
expect to be able to look up their user ID.", I made an assumption that
since named seemed to run happily as-is, perhaps it does not need to look
up its own user ID.

How common is that? Should we assume that all apps might want to look up
their user in /etc/passwd, unless proven otherwise? Is it a good idea to
add the entrypoint logic in all cases?

On Thu, Dec 14, 2017 at 10:04 AM, Jason Montleon <jmontleo at redhat.com>
wrote:

> I don't think your app container will run in a restricted scc unless you
> do the rest of the steps; specify the user numerically and create an
> entrypoint with the snippet of code they specified:
>
> "
> Because the user ID of the container is generated dynamically, it will not
> have an associated entry in /etc/passwd. This can cause problems for
> applications that expect to be able to look up their user ID. One way to
> address this problem is to dynamically create a passwd file entry with the
> container’s user ID as part of the image’s start script. This is what a
> Dockerfile might include:
>
> RUN chmod g=u /etc/passwd
> ENTRYPOINT [ "uid_entrypoint" ]
> USER 1001
>
> Where uid_entrypoint contains:
>
> if ! whoami &> /dev/null; then
>   if [ -w /etc/passwd ]; then
>     echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:${HOME}:/sbin/nologin" >> /etc/passwd
>   fi
> fi
> "
>
> I think we've used a different variant of this as well:
> USER_ID=$(id -u)
> if [ ${USER_UID} != ${USER_ID} ]; then
>   sed "s@${USER_NAME}:x:\${USER_ID}:@${USER_NAME}:x:${USER_ID}:@g" ${BASE_DIR}/etc/passwd.template > /etc/passwd
> fi
>
> With additional ENV stuff set in the Dockerfile:
> ENV USER_NAME=www-data \
>     USER_UID=1001 \
>     BASE_DIR=/home/www-data
> ENV HOME=${BASE_DIR}
>
>
> apb base and mediawiki are two app containers maintained by us where we
> deal with this. It looks like apb-base entrypoint is using similar to the
> example in the docs you mentioned in the Dockerfile.
>
> https://github.com/fusor/dockerfiles/blob/master/mediawiki123:latest
> https://github.com/ansibleplaybookbundle/apb-base
>
> Bind could be a nice neat example of multiple plans. One for caching only,
> another that sets up persistent storage and creates a ddns zone or zones,
> rndc key for managing it, etc.
>
>
> On 12/13/2017 03:28 PM, Michael Hrivnak wrote:
>
>> Because we don't have enough overloaded terminology, I decided to make my
>> first APB install "bind", the DNS service. I would appreciate your review,
>> and please don't hold back! I'm relatively new to openshift and ansible, so
>> you can help me out by pointing out anything you would have done
>> differently and why.
>>
>> https://github.com/mhrivnak/bind-apb
>> https://hub.docker.com/r/mhrivnak/bind-apb/
>>
>> One specific question came up. DNS traffic defaults to UDP, which limits
>> my options for exposing the service externally. I went with the
>> LoadBalancer approach, which assigns a dedicated IP from a pool of external
>> addresses. Is that reasonable? Is there another option you would have used?
>>
>> I also hit some funny errors trying to expose both TCP and UDP on the
>> loadbalancer service. I didn't try many iterations of it, but if you have a
>> suggestion or idea, I'm all ears.
>>
>> Going through the exercise of making this has been very helpful for
>> getting familiar with much of the stack. I appreciate everyone's help
>> pointing me in the right direction.
>>
>> Thanks!
>>
>> --
>>
>> Michael Hrivnak
>>
>> Principal Software Engineer, RHCE
>>
>> Red Hat
>>
>>
>>
>> _______________________________________________
>> Ansible-service-broker mailing list
>> Ansible-service-broker at redhat.com
>> https://www.redhat.com/mailman/listinfo/ansible-service-broker
>>
>>
> --
> Jason Montleon     | email: jmontleo at redhat.com
> Software Engineer  | gpg key: 0x069E3022
> Red Hat, Inc.      | irc: jmontleo
> desk: 978-392-3930 | cell: 508-496-0663
>



-- 

Michael Hrivnak

Principal Software Engineer, RHCE

Red Hat
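As an added example (not code from this thread, from apb-base, or from the OpenShift docs), here is an arbitrary-UID entrypoint helper in the spirit of the uid_entrypoint snippet quoted above, parameterised on the passwd file and uid so the idempotency and not-writable cases can be exercised against a constructed passwd file without touching /etc/passwd. The function names ensure_passwd_entry, passwd_name_for_uid and demo, and the sample uid 1000680000, are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the projects it mentions.
# Assumed names: passwd_name_for_uid, ensure_passwd_entry, demo.

# passwd_name_for_uid FILE UID
# Prints the user name for UID (what whoami/getpwuid would resolve); exit 1 if absent.
passwd_name_for_uid() {
  awk -F: -v u="$2" '$3 == u { print $1; found=1 } END { exit !found }' "$1"
}

# ensure_passwd_entry FILE NAME HOME [UID]
# Guarantees FILE has an entry for UID (default: the running uid). Exit 0 if an
# entry exists afterwards, 2 if one had to be added but FILE is not writable.
ensure_passwd_entry() {
  file="$1"; name="${2:-default}"; home="${3:-/}"; uid="${4:-$(id -u)}"
  # Idempotent: do nothing if some entry already carries this uid.
  if passwd_name_for_uid "$file" "$uid" >/dev/null 2>&1; then
    return 0
  fi
  # Under the restricted SCC the image must have run `chmod g=u /etc/passwd`
  # (the arbitrary uid runs with primary group 0) or this append cannot happen.
  [ -w "$file" ] || return 2
  # Entry mirrors the docs snippet: GID 0, no login shell.
  printf '%s:x:%s:0:%s user:%s:/sbin/nologin\n' "$name" "$uid" "$name" "$home" >> "$file"
}

# Self-contained demo against a constructed passwd file; prints the resolved name.
demo() {
  tmp="$(mktemp)"
  # Constructed sample contents; 1001 is the USER from the Dockerfile snippet.
  printf 'root:x:0:0:root:/root:/bin/bash\nnamed:x:1001:0:named:/var/named:/sbin/nologin\n' > "$tmp"
  # Simulate the pod's arbitrary uid (constructed value in OpenShift's usual range).
  ensure_passwd_entry "$tmp" named /var/named 1000680000
  passwd_name_for_uid "$tmp" 1000680000
  rm -f "$tmp"
}
```

Call `demo` to see the lookup succeed after the entry is added; in a real image the entrypoint would call ensure_passwd_entry with /etc/passwd and then exec the service.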