RE: [grouper-users] Openshift Deployment


  • From: "Hyzer, Chris" <>
  • To: Darren Boss <>, Oliver Trieu <>
  • Cc: Scott Koranda <>, "" <>
  • Subject: RE: [grouper-users] Openshift Deployment
  • Date: Fri, 1 May 2020 07:42:44 +0000

I've got something working here and I can picture moving some options into the container.  Are you planning on running apache, shib, and tomee?  Will you have SSL in the container or outside?  Are you ok that the user running the processes in the container can read private keys (e.g. the tomee user could read shib and apache keys)?
https://spaces.at.internet2.edu/display/Grouper/Grouper+Container+v2.5+POC+running+as+non-root
Seems like we should pass in some ARGS to the container: uid/user/gid/group to run as, and if those are set, the grouper container would chown and allow apache to listen on 443.  Would that cover it?
Thanks

Chris

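Chris's proposal above (uid/gid build args, chown of the writable state, a non-root Apache still bound to 443) as a Dockerfile sketch. This is an added example, not the Grouper project's own Dockerfile: the base image tag, the httpd binary location and the state/key paths are assumptions to replace with the real ones from the image.

```dockerfile
# Added example, not the Grouper project's Dockerfile. Assumed: base image tag,
# httpd at /usr/sbin/httpd, libcap present, and the placeholder paths below.
FROM i2incommon/grouper:2.5

# Identity to run as, passed at build time so it matches the Pod's
# securityContext.runAsUser / runAsGroup (e.g. --build-arg GROUPER_UID=1001).
ARG GROUPER_UID=1001
ARG GROUPER_GID=1001
ARG GROUPER_USER=grouper
ARG GROUPER_GROUP=grouper

USER root
RUN groupadd --gid "${GROUPER_GID}" "${GROUPER_GROUP}" \
 && useradd --uid "${GROUPER_UID}" --gid "${GROUPER_GID}" \
      --no-create-home --shell /sbin/nologin "${GROUPER_USER}" \
 # Only the paths the services must write to change owner (placeholder paths);
 # binaries and config stay root-owned so a compromised process cannot edit them.
 && chown -R "${GROUPER_UID}:${GROUPER_GID}" \
      /opt/grouper /var/log/httpd /run/httpd /var/run/shibboleth \
 # One runtime user reads every private key (the trade-off raised in the thread);
 # at least make sure no other uid in the image can.
 && chgrp -R "${GROUPER_GID}" /etc/pki/tls/private /etc/shibboleth \
 && chmod -R o-rwx /etc/pki/tls/private /etc/shibboleth \
 # Let a non-root httpd bind port 443 through a file capability instead of root.
 && setcap 'cap_net_bind_service=+ep' /usr/sbin/httpd

# Caveat: if the Pod sets allowPrivilegeEscalation: false (no_new_privs), the
# file capability above is not granted and the bind to 443 fails; in that case
# have httpd Listen on 8443 and let the Service/Route map 443 to it.
USER ${GROUPER_UID}:${GROUPER_GID}
EXPOSE 443
```

With the same uid in the Pod's securityContext.runAsUser, a non-root Pod can then be checked with `ps -o user,comm` inside the container: every process should show the assumed uid rather than root.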
From: On Behalf Of Darren Boss
Sent: Monday, April 27, 2020 7:52 AM
To: Oliver Trieu <>
Cc: Scott Koranda <>;
Subject: Re: [grouper-users] Openshift Deployment
Well, the Grouper image isn't one process per container. If you do shib then you have Tomee, Shibd and Apache all running together and configured to run under different user processes. I'll do a ps from the running container later today. I had some other issues with the UI which I think I've finally been able to solve; they stem from the way the http connection gets proxied to the container in my setup (Nginx L4 LB -> Nginx Ingress -> NodePort Service -> Pod), which took a couple days of poking at to get working. I believe it's related to the CSRF protections and some other mangling of http headers.
On Mon, Apr 27, 2020, 6:10 AM Oliver Trieu <> wrote:

Dear Darren,
could you elaborate on what kind of problems you expect with runAsUser in a Pod?

I am currently running our test instance of grouper 2.4 on Openshift and so far I did not encounter any issues.

Is there an easy way to specifically test for this?
Kind Regards
Oliver

On 22.04.20 16:31, Darren Boss wrote:

That may not be good enough for the Openshift case but since I haven't used Openshift I can't say for sure.
I'm not sure about dropping privileges. It seems like a step in the right direction but I'm not sure what happens when combined with specifying security contexts in the pod (runAsUser). I'd be willing to do a bit of digging or run some tests on a test cluster if that was of interest.
I'm still ramping up my knowledge on the security side of running services under Kubernetes.
On Wed, Apr 22, 2020 at 9:50 AM Scott Koranda <> wrote:

Hi,

Just a clarifying question...

Would you find it acceptable for the container to start running as root
and then drop privileges later to a non-privileged user, or is your
requirement that the container never need any root privileges at all?

Asking for a friend...

Thanks,

Scott K

> Even if not running under Openshift and just upstream Kubernetes, please
> retool the Docker images to not run as root (this applies to the other TAP
> images as well).
>
> Containers are not vms and unless you are running with uid
> translation/mapping in place, the grouper process would be running at root
> on the system as well. From what I've read, running within a user namespace
> and remapping uids can impart a performance penalty.
>
> On Wed, Apr 22, 2020 at 3:22 AM Oliver Trieu <>
> wrote:
>
> > Dear Grouper Team,
> >
> >
> > I think it's great that Grouper is now running on containers.
> >
> > This is definitely a step in the right direction.
> >
> > I was wondering if you could prepare your Container Image to run on the
> > Openshift Platform.
> >
> > The issue here is that the current Image wants to run as the root user.
> >
> > It would be great if you could run it as an unprivileged user.
> >
> >
> > Is it possible to obtain the Dockerfiles you used to create the images?
> >
> >
> > Kind Regards
> >
> >
> > Oliver
> >
> >
> >
> >
> >
>
> --
> Darren Boss
> Senior Programmer/Analyst
> Programmeur-analyste principal
>



--

Darren Boss
Senior Programmer/Analyst
Programmeur-analyste principal