Fix: fix security context for Vector #26

Merged
merged 2 commits into from
Feb 9, 2024

Conversation

FahadKhalid210
Contributor

Issue: #6

@regisb
Collaborator

regisb commented Jan 12, 2024

This will cause the vector containers to run as root, right? I'd rather avoid this if we can. All containers should run in unprivileged mode. Is there any way to grant access to the container logs without promoting Vector to root?

@FahadKhalid210
Contributor Author

@regisb yes, currently it runs as the root user. There is no user (id: 1000) in the vector image, that's why it is missing the tracking logs data. I've checked in tutor-aspects how they manage it, but they also remove that part.
Ref: https://github.com/openedx/tutor-contrib-aspects/pull/209/files

@regisb
Collaborator

regisb commented Jan 22, 2024

> There is no user (id: 1000) in the vector image, that's why it is missing the tracking logs data.

Indeed, in dev/local mode vector runs as a privileged user, whereas other services run as user: "1000:1000". This explains why vector works in dev/local but not on Kubernetes. I see no other solution to resolve this issue, so we should accept that vector runs as a privileged container.

Collaborator

@regisb regisb left a comment

Thanks for the fix! I agree with the approach, but we must be more explicit towards end users in the changelog.

@DawoudSheraz DawoudSheraz left a comment

Approving to unblock this. But do create a follow-up issue to see if we can create a user during build time that can be used as the value of the removed settings.

@FahadKhalid210 FahadKhalid210 merged commit 00c2c60 into master Feb 9, 2024
1 check passed
@regisb regisb deleted the fahad-#6 branch February 9, 2024 08:51
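
The trade-off discussed in this thread (a pod pinned to user 1000 versus one that falls back to the image's default user), as an added example that is not part of this pull request or the project's code: a small audit helper that resolves which user each container in a Kubernetes pod spec will run as. The pod specs, container name and image string are constructed placeholders; `runAsUser` and `runAsNonRoot` are the standard Kubernetes `securityContext` fields.

```python
def effective_run_as(pod_spec):
    """Return {container_name: verdict} for a Kubernetes pod spec given as a dict."""
    pod_sc = pod_spec.get("securityContext") or {}
    verdicts = {}
    for container in pod_spec.get("containers", []):
        sc = container.get("securityContext") or {}
        # Container-level settings take precedence over pod-level ones.
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if uid == 0 and non_root:
            verdict = "conflict: uid 0 with runAsNonRoot, container will not start"
        elif uid == 0:
            verdict = "root (explicit)"
        elif uid is not None:
            verdict = f"uid {uid}"
        elif non_root:
            verdict = "image default user, root refused at start"
        else:
            # Nothing set: the image's USER decides, which is root if the
            # image defines no other user.
            verdict = "image default user (root unless the image sets USER)"
        verdicts[container["name"]] = verdict
    return verdicts


# Constructed pod specs (assumption: not copied from the plugin's templates).
CONTAINER = {"name": "vector", "image": "example/vector:placeholder"}
PINNED = {"securityContext": {"runAsUser": 1000, "runAsGroup": 1000},
          "containers": [CONTAINER]}
UNSET = {"containers": [CONTAINER]}
GUARDED = {"securityContext": {"runAsNonRoot": True}, "containers": [CONTAINER]}

if __name__ == "__main__":
    for label, spec in (("pinned", PINNED), ("unset", UNSET), ("guarded", GUARDED)):
        print(label, effective_run_as(spec))
```

Running a check like this over rendered manifests makes an intentionally root container show up as a tracked exception rather than an unnoticed default.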