Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update documentation, runas nonroot, enable WinRM negotiate authentication #8

Open
wants to merge 2 commits into
base: master
Choose a base branch
from

Conversation

MnrGreg
Copy link

@MnrGreg MnrGreg commented Oct 23, 2019

Adds Powershell handler examples
Sets Dockerfile process to runas nonroot
Changes base image to centos-7 with gssntlmssp to enable WinRM PS Remoting using NTLM negotiate authentication

Fixes #6
Fixes #7

@derek
Copy link

derek bot commented Oct 23, 2019

Thank you for your contribution. I've just checked and your commit doesn't appear to be signed-off. That's something we need before your Pull Request can be merged. Please see our contributing guide.
Tip: if you only have one commit so far then run: git commit --amend --signoff and then git push --force.

@@ -1,6 +1,6 @@
FROM openfaas/of-watchdog:0.7.2 as watchdog

FROM microsoft/powershell:ubuntu-xenial as ship
FROM microsoft/powershell:centos-7 as ship
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why did this change to CentOS?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The centos-7 image has working WinRM NTLM Negotiate authentication using gss-ntlmssp. This is not yet working in the ubuntu-xenial image. This allows one to indirectly execute ActiveDirectoy or GroupPolicy modules remotely.


ENV fprocess="pwsh ./server.ps1"
ENV cgi_headers="true"
ENV mode="http"
ENV upstream_url="http://127.0.0.1:8082"

EXPOSE 8080

HEALTHCHECK --interval=1s CMD [ -e /tmp/.lock ] || exit 1
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The 1s check could go up to 5s for instance.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's only used by Swarm users.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Increased to 3 to match csharp Dockerfiles below

@alexellis
Copy link
Member

Please see my note and the one from Derek too.

https://github.com/openfaas/templates/blob/master/template/csharp/Dockerfile

@MnrGreg
Copy link
Author

MnrGreg commented Oct 24, 2019

Seems vscode merges without signoff. Will it be a problem if not all the commits are signed?

@MnrGreg
Copy link
Author

MnrGreg commented Oct 24, 2019

Also the Kubernetes Pod-Security-Policy MustRunAsNonRoot requires that the Dockerfile USER directive be defined as numeric UID and not username.

MustRunAsNonRoot - Requires that the pod be submitted with a non-zero runAsUser or have the USER directive defined (using a numeric UID) in the image. Pods which have specified neither runAsNonRoot nor runAsUser settings will be mutated to set runAsNonRoot=true, thus requiring a defined non-zero numeric USER directive in the container.

https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups

@alexellis
Copy link
Member

Seems vscode merges without signoff. Will it be a problem if not all the commits are signed?

Yes both of those points will be a problem.

Please squash all the commits into one, which is signed-off. Feel free to use a numeric user number as per the examples in openfaas/faas in the sample-functions folder.

https://git-scm.com/book/en/v2/Git-Tools-Rewriting-History
https://github.com/wprig/wprig/wiki/How-to-squash-commits

Thank you for working on this template 👍

Signed-off-by: Gregory May <mrgregmay@gmail.com>
@MnrGreg
Copy link
Author

MnrGreg commented Oct 28, 2019

@alexellis commits have been squashed. When you get a gap could you review?

Signed-off-by: Gregory May <mrgregmay@gmail.com>
@MnrGreg
Copy link
Author

MnrGreg commented Nov 18, 2019

@alexellis please review when you get a gap.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Modify Dockerfile to run as non root Provide examples in README.md
2 participants