Uploaded image for project: 'OpenShift Builds'
  1. OpenShift Builds
  2. BUILD-432

Dev Preview - User Namespace Builds

    XMLWordPrintable

Details

    • Dev Preview - User Namespace Builds
    • False
    • None
    • False
    • To Do
    • OCPPLAN-4518 - Builds with reduced privileges
    • 10
    • 10% 10%
    • Hide
      * With this update, you can run builds within a user-namespaced container by default, as a Developer Preview feature. That is, in terms of the host, you can run a build as a non-root user. For instructions, see link:https://access.redhat.com/articles/6878201[Unprivileged OpenShift Builds (Developer Preview)] (link:https://issues.redhat.com/browse/BUILD-432[BUILD-432])
      Show
      * With this update, you can run builds within a user-namespaced container by default, as a Developer Preview feature. That is, in terms of the host, you can run a build as a non-root user. For instructions, see link: https://access.redhat.com/articles/6878201 [Unprivileged OpenShift Builds (Developer Preview)] (link: https://issues.redhat.com/browse/BUILD-432 [ BUILD-432 ])

    Description

      OCP/Telco Definition of Done
      Epic Template descriptions and documentation.

      <--- Cut-n-Paste the entire contents of this description into your new Epic --->

      Epic Goal

      • Run OpenShift builds that do not execute as the "root" user on the host node.

      Why is this important?

      • OpenShift builds require an elevated set of capabilities to build a container image
      • Builds currently run as root to maintain adequate performance
      • Container workloads should run as non-root from the host's perspective. Containers running as root are a known security risk.
      • Builds currently run as root and require a privileged container. See BUILD-225 for removing the privileged container requirement.

      Scenarios

      1. Run BuildConfigs in a multi-tenant environment
      2. Run BuildConfigs in a heightened security environment/deployment

      Acceptance Criteria

      • Developers can opt into running builds in a cri-o user namespace by providing an environment variable with a specific value.
      • When the correct environment variable is provided, builds run in a cri-o user namespace, and the build pod does not require the "privileged: true" security context.
      • User namespace builds can pass basic test scenarios for the Docker and Source strategy build.
      • Steps to run unprivileged builds are documented.

      Dependencies (internal and external)

      1. Buildah supports running inside a non-privileged container
      2. CRI-O allows workloads to opt into running containers in user namespaces.

      Previous Work (Optional):

      1. BUILD-225 - remove privileged requirement for builds.

      Open questions::

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>

      Attachments

        Issue Links

          blocks

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. BUILD-141 Tech Preview - User Namespace Builds

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Task - A task that needs to be done. RHDEVDOCS-4783 Publish "Unprivileged OpenShift Builds (Developer Preview)" article

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • Closed
          is depended on by

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. BUILD-141 Tech Preview - User Namespace Builds

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          is documented by

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. RHDEVDOCS-3923 Dev Preview - Unprivileged OCP Builds

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • Reopened
          is related to

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. BUILD-216 Rootless Buildah Strategy Builds

          • Undefined - Priority not specified.
          • To Do
          links to

          GitHub openshift/builder#349: BUILD-432: mount secrets as "overlay" mounts

          Activity

            People

              rhn-engineering-nalin Nalin Dahyabhai
              adkaplan@redhat.com Adam Kaplan
              Votes:
              0 Vote for this issue
              Watchers:
              15 Start watching this issue

              Dates

                Created:
                Updated: