non-ROOT containers to show OpenShift some love

At Bitnami we love containers and Kubernetes, you should know that. We routinely build lots of containers that we publish on Docker hub or Quay or GCR. We are also heavily involved in the Kubernetes community being the lead developers of Monocular, lead maintainers of Charts and developing our own tools like sealed-secrets and kubeless.

Needless to say we are busy with containers and Kubernetes.

Some time back we looked at OpenShift, originally just to learn the main difference with Kubernetes. But then we started to appreciate the security focus and felt the pain of Openshift users trying to use containers from Docker hub (most of them don’t run on openshift). We are also bummed that our charts cannot run on Openshift (OC), so we are modifying monocular to run well there.

But what we need is to routinely build our containers following a basic security best-practice which is that the process running in the container should be of least privilege. aka non-ROOT

Let’s try the official nginx image

We hop on minishift , couple commands and we see the security focus of OC, via strong RBAC.

$ minishift start --vm-driver virtualbox
$ oc get nodes
Error from server (Forbidden): User "developer" cannot list all nodes in the cluster
$ oc get pods --all-namespaces
Error from server (Forbidden): User "developer" cannot list all pods in the cluster
...

Let’s try to run nginx:

$ oc new-app --docker-image=nginx
$ oc logs nginx-1-9hclf
2017/07/27 14:01:33 [warn] 1#1: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
nginx: [warn] the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
2017/07/27 14:01:33 [emerg] 1#1: mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)
nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)

Nice permission denied issues. The process did start but can’t write. I don’t even want to dive into it, it does not run out of the box.

Bitnami’s non-ROOT containers

Now, we can do the same thing but of course, with our own nginx container from https://github.com/bitnami/bitnami-docker-nginx.

$ oc new-app --name=nginx --docker-image=bitnami/nginx
$ oc logs nginx-1-bls26
Welcome to the Bitnami nginx container
Subscribe to project updates by watching https://github.com/bitnami/bitnami-docker-nginx
Submit issues and feature requests at https://github.com/bitnami/bitnami-docker-nginx/issues
Send us your feedback at containers@bitnami.com
nami    INFO  Initializing nginx
nginx INFO ==> nginx.conf not found. Applying bitnami configuration...
nami INFO nginx successfully initialized
INFO ==> Starting nginx...

Bim bam boom…We can then expose the service, get a route and access our nginx. Tiny issue is that the new-app wrapper automatically created a service with a targetPort of 80, when our container exposes on 8080. So you have to edit the service to change that.

oc edit svc nginx
oc expose svc/nginx
oc status

Note the very neat route, automatically created with a nip.io wildcard DNS. Nice touch from OC I have to say.

And now Kafka and Zookeeper

But we did not stop with nginx, now we are putting this mindset in our internal best practices when we build containers, so that they work out of the box in openshift.

Two containers that we recently worked on are Kafka and Zookeeper and they work in Openshift as well.


$ oc new-app --name=zookeeper ALLOW_ANONYMOUS_LOGIN=yes --docker-image=bitnami/zookeeper

$ oc new-app --name=kafka ALLOW_PLAINTEXT_LISTENER=yes KAFKA_ZOOKEEPER_CONNECT=zookeeper:2181 --docker-image=bitnami/kafka

$ oc get pods
NAME READY STATUS RESTARTS AGE
kafka-1-rk59v 1/1 Running 0 22m
nginx-1-bls26 1/1 Running 0 16m
zookeeper-1-97rsg 1/1 Running 0 22m

So if you want apps that run on openshift ;) …