Update documentation, runas nonroot, enable WinRM negotiate authentication #8
Conversation
Thank you for your contribution. I've just checked and your commit doesn't appear to be signed-off. That's something we need before your Pull Request can be merged. Please see our contributing guide.
template/powershell-http/Dockerfile
Outdated
@@ -1,6 +1,6 @@ | |||
FROM openfaas/of-watchdog:0.7.2 as watchdog | |||
|
|||
FROM microsoft/powershell:ubuntu-xenial as ship | |||
FROM microsoft/powershell:centos-7 as ship |
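Review bot: the base-image change from `microsoft/powershell:ubuntu-xenial` to `microsoft/powershell:centos-7` carries no explanation in the Dockerfile itself, and the new tag pins only the distro, not a PowerShell release, unlike the `openfaas/of-watchdog:0.7.2` line above it. Add a comment above the FROM stating why centos-7 is required (gss-ntlmssp for WinRM Negotiate/NTLM), and consider a versioned tag so a rebuild does not silently pick up a different PowerShell.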
Why did this change to CentOS?
The centos-7 image has working WinRM NTLM Negotiate authentication using gss-ntlmssp. This is not yet working in the ubuntu-xenial image. This allows one to indirectly execute ActiveDirectory or GroupPolicy modules remotely.
template/powershell-http/Dockerfile
Outdated
|
||
ENV fprocess="pwsh ./server.ps1" | ||
ENV cgi_headers="true" | ||
ENV mode="http" | ||
ENV upstream_url="http://127.0.0.1:8082" | ||
|
||
EXPOSE 8080 | ||
|
||
HEALTHCHECK --interval=1s CMD [ -e /tmp/.lock ] || exit 1 |
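Review bot: `HEALTHCHECK --interval=1s` probes every second, which is aggressive for a check that only tests for the presence of `/tmp/.lock`; a longer interval in the 3s to 5s range would match the other templates. The hunk also shows `ENV`, `EXPOSE` and `HEALTHCHECK` but no `USER` line; since this PR sets the process to run as non-root, make sure the USER directive that is added uses a numeric UID so the Kubernetes MustRunAsNonRoot policy can verify it.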
The 1s check could go up to 5s for instance.
It's only used by Swarm users.
Increased to 3 to match csharp Dockerfiles below
Please see my note and the one from Derek too. https://github.com/openfaas/templates/blob/master/template/csharp/Dockerfile
Seems vscode merges without signoff. Will it be a problem if not all the commits are signed?
Also the Kubernetes Pod-Security-Policy MustRunAsNonRoot requires that the Dockerfile USER directive be defined as numeric UID and not username. MustRunAsNonRoot - Requires that the pod be submitted with a non-zero runAsUser or have the USER directive defined (using a numeric UID) in the image. Pods which have specified neither runAsNonRoot nor runAsUser settings will be mutated to set runAsNonRoot=true, thus requiring a defined non-zero numeric USER directive in the container. https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups
Yes both of those points will be a problem. Please squash all the commits into one, which is signed-off. Feel free to use a numeric user number as per the examples in openfaas/faas in the sample-functions folder. https://git-scm.com/book/en/v2/Git-Tools-Rewriting-History Thank you for working on this template 👍
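The numeric-UID requirement discussed above, as an added check that is not part of this PR or the openfaas templates: a small Python lint that parses a Dockerfile, takes the USER of the final build stage (each FROM resets it), and reports whether it is a non-zero numeric UID as MustRunAsNonRoot expects; it also reads the HEALTHCHECK interval the reviewers discussed. The sample Dockerfiles are constructed for the example.

```python
import re

# Constructed sample Dockerfiles (not from the PR) used to exercise the checks.
NAMED_USER = """\
FROM openfaas/of-watchdog:0.7.2 as watchdog
FROM microsoft/powershell:centos-7 as ship
RUN useradd -m app
USER app
HEALTHCHECK --interval=1s CMD [ -e /tmp/.lock ] || exit 1
"""
NUMERIC_USER = """\
FROM microsoft/powershell:centos-7 as ship
USER 1000:1000
HEALTHCHECK --interval=3s CMD [ -e /tmp/.lock ] || exit 1
"""

def instructions(text):
    """Yield (KEYWORD, args) per instruction, joining backslash line continuations."""
    for raw in re.sub(r"\\\r?\n", " ", text).splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            yield parts[0].upper(), (parts[1].strip() if len(parts) > 1 else "")

def effective_user(text):
    """USER in force for the final stage; every FROM resets it to the base image default."""
    user = None
    for kw, args in instructions(text):
        if kw == "FROM":
            user = None
        elif kw == "USER":
            user = args
    return user

def runs_as_nonroot_numeric(text):
    """True iff the final stage's USER is a non-zero numeric UID (optionally UID:GID).
    A username or a ${VAR} reference fails: MustRunAsNonRoot cannot resolve either
    from the image config, which is the point raised in the thread."""
    m = re.fullmatch(r"(\d+)(?::\d+)?", effective_user(text) or "")
    return bool(m) and int(m.group(1)) != 0

def healthcheck_interval_seconds(text):
    """Seconds between probes; None when there is no HEALTHCHECK (or HEALTHCHECK NONE)."""
    scale = {"ms": 0.001, "s": 1, "m": 60, "h": 3600}
    for kw, args in instructions(text):
        if kw == "HEALTHCHECK" and args.upper() != "NONE":
            m = re.search(r"--interval=(\d+)(ms|s|m|h)\b", args)
            return int(m.group(1)) * scale[m.group(2)] if m else 30.0  # Docker's default
    return None
```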
Signed-off-by: Gregory May <mrgregmay@gmail.com>
@alexellis commits have been squashed. When you get a gap could you review?
Signed-off-by: Gregory May <mrgregmay@gmail.com>
@alexellis please review when you get a gap.
Adds Powershell handler examples
Sets Dockerfile process to runas nonroot
Changes base image to centos-7 with gssntlmssp to enable WinRM PS Remoting using NTLM negotiate authentication
Fixes #6
Fixes #7