Tuesday, January 28, 2020

Dockerfile Example of Linux NonRoot User for Apache Httpd

Requirement:

      In the enterprise world, there is a concern that docker images should not run as the root user unless an exception has been granted.
      When we install Apache httpd via yum, by default it runs as root, because root is what allows it to bind a privileged port such as 80. We need a way to start httpd as a non-root user to address this security concern.

Solution:

FROM oraclelinux:7-slim
RUN yum -y --setopt=tsflags=nodocs update && \
    yum -y --setopt=tsflags=nodocs install httpd mod_ssl && \
    yum clean all
EXPOSE 80
# Send the Apache logs to the container's stdout so "docker logs" shows them
RUN ln -sf /proc/self/fd/1 /var/log/httpd/error_log && \
    ln -sf /proc/self/fd/1 /var/log/httpd/access_log
# Dedicated unprivileged account; pin the UID so it matches the USER line below
RUN groupadd www-data && useradd -u 1000 -g www-data www-data
# Give the service account the paths httpd reads or writes. Note that a recursive 755 on
# /etc/pki also makes the self-signed key mod_ssl generates world-readable; a real
# certificate key should instead be chowned to www-data and kept at 0600.
RUN chmod 755 -R /etc/pki && \
    chown -hR www-data:www-data /etc/httpd/ /run/httpd/ /var/www/ /var/log/httpd/
#setcap to bind to privileged ports as non-root
RUN setcap 'cap_net_bind_service=+ep' /usr/sbin/httpd && getcap /usr/sbin/httpd
COPY run-httpd.sh /run-httpd.sh
# The script must be executable by the service account
RUN chown www-data:www-data /run-httpd.sh && chmod 755 /run-httpd.sh
# Same UID as the www-data user created above
USER 1000
CMD ["/run-httpd.sh"]

run-httpd.sh :
#!/bin/bash
# exec replaces this shell with httpd, so httpd becomes PID 1 and receives the
# container's stop signals. Nothing after an exec line would ever run, so the
# former "tail -f" of the access log is dropped; the logs already reach stdout
# through the symlinks created in the Dockerfile.
exec /usr/sbin/apachectl -DFOREGROUND
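As an added example that is not part of the original post, the following script checks the property the Dockerfile above depends on: an image that exposes a privileged port (below 1024) must both drop to a non-root USER and grant cap_net_bind_service to the binary, otherwise httpd either still runs as root or cannot bind port 80 at all. The sample Dockerfiles it checks are constructed for the demonstration.

```shell
#!/bin/sh
# Static check for the "non-root plus cap_net_bind_service" pattern.
# Return codes: 0 consistent, 1 still runs as root, 2 non-root but cannot bind the port.
check_nonroot_privport() {
    df="$1"
    # Exposed ports below 1024; handles "EXPOSE 80 443" as well as "EXPOSE 443/tcp".
    privports=$(awk 'toupper($1)=="EXPOSE" { for (i=2;i<=NF;i++) { split($i,p,"/"); if (p[1]+0 < 1024) printf "%s ", p[1] } }' "$df")
    # The last USER directive wins; the "user:group" form is accepted.
    user=$(awk 'toupper($1)=="USER" { u=$2 } END { print u }' "$df")
    user="${user%%:*}"
    if grep -q 'setcap.*cap_net_bind_service' "$df"; then has_cap=1; else has_cap=0; fi
    if [ -z "$privports" ]; then
        echo "ok: no privileged port exposed"; return 0
    fi
    case "$user" in
        ""|root|0) echo "fail: port(s) ${privports}exposed but the image still runs as root"; return 1 ;;
    esac
    if [ "$has_cap" -eq 0 ]; then
        echo "fail: USER $user cannot bind port(s) ${privports}without cap_net_bind_service"; return 2
    fi
    echo "ok: USER $user may bind port(s) ${privports}via cap_net_bind_service"; return 0
}

# Constructed sample Dockerfiles written to temp files so the check runs offline.
# GOOD_DF mirrors the pattern used in the post; the other two show the failure modes.
GOOD_DF=$(mktemp); ROOT_DF=$(mktemp); NOCAP_DF=$(mktemp)
printf 'FROM oraclelinux:7-slim\nEXPOSE 80\nRUN setcap cap_net_bind_service=+ep /usr/sbin/httpd\nUSER 1000\n' > "$GOOD_DF"
printf 'FROM oraclelinux:7-slim\nEXPOSE 80 443/tcp\nUSER root\n' > "$ROOT_DF"
printf 'FROM oraclelinux:7-slim\nEXPOSE 80\nUSER 1000:1000\n' > "$NOCAP_DF"

for f in "$GOOD_DF" "$ROOT_DF" "$NOCAP_DF"; do
    check_nonroot_privport "$f" || true
done
```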

Thursday, January 16, 2020

BPF Related Kernel Devel Error

Symptom:

 When we run a BPF program, we get the error below:
chdir(/lib/modules/4.14.35-1844.5.3.el7uek.x86_64/build): No such file or directory
panic: runtime error: invalid memory address or nil pointer dereference
panic: runtime error: invalid memory address or nil pointer dereference

Solution:

Install the bcc tools: yum install bcc-tools
Then install the kernel devel package matching the running kernel; it provides the /lib/modules/<version>/build directory that the chdir error refers to:
Red Hat:        yum install kernel-devel-`uname -r`
Oracle Linux:   yum install kernel-uek-devel-`uname -r`

Error: undefined symbol: bcc_prog_load on BPF program

Symptom:

  When we run a BPF program, we get the error below:
undefined symbol: bcc_prog_load

Reason:

  We installed bcc via yum install bcc.
  It is very likely that we need Linux to be at least 4.18 to support the BPF program.

Tip: Download Kubebuilder and Kustomize Behind Proxy

Kustomize:

curl -x http://<proxy host>:80/ -s https://api.github.com/repos/kubernetes-sigs/kustomize/releases/latest | grep browser_download | grep linux | cut -d '"' -f 4 | xargs curl -O -L -x http://<proxy host>:80/

Kubebuilder:

os=$(go env GOOS)
arch=$(go env GOARCH)
curl -x http://<proxy host>:80/ -sL https://go.kubebuilder.io/dl/2.0.0-beta.0/${os}/${arch} | tar -xz -C /tmp/

Error: unexpected EOF in kubectl cp

Symptom:

   When we run kubectl cp <container>:/filename /tmp/filename, it errors out with:
 error: unexpected EOF

Solution:

    The most likely reason is that kubectl cp needs the tar binary inside the container in order to work.
See the details via kubectl cp --help:
Copy files and directories to and from containers.
Examples:
  # !!!Important Note!!!
  # Requires that the 'tar' binary is present in your container
  # image.  If 'tar' is not present, 'kubectl cp' will fail.

  # Copy /tmp/foo_dir local directory to /tmp/bar_dir in a remote pod in the default namespace
  kubectl cp /tmp/foo_dir <some-pod>:/tmp/bar_dir

  # Copy /tmp/foo local file to /tmp/bar in a remote pod in a specific container
  kubectl cp /tmp/foo <some-pod>:/tmp/bar -c <specific-container>

  # Copy /tmp/foo local file to /tmp/bar in a remote pod in namespace <some-namespace>
  kubectl cp /tmp/foo <some-namespace>/<some-pod>:/tmp/bar

  # Copy /tmp/foo from a remote pod to /tmp/bar locally
  kubectl cp <some-namespace>/<some-pod>:/tmp/foo /tmp/bar
Options:
  -c, --container='': Container name. If omitted, the first container in the pod will be chosen
      --no-preserve=false: The copied file/directory's ownership and permissions will not be preserved in the container
Usage:
  kubectl cp <file-spec-src> <file-spec-dest> [options]