From d213d98c1944e86a3cfb843486c6ee8cedeba04b Mon Sep 17 00:00:00 2001 From: Jose Angel Morena Date: Wed, 31 Jan 2024 20:09:27 +0100 Subject: [PATCH] clarified /etc/passwd requirement when running images for CRI-O compatibility Signed-off-by: Jose Angel Morena --- modules/images-create-guide-openshift.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/images-create-guide-openshift.adoc b/modules/images-create-guide-openshift.adoc index 281ad8162b..a8c3352c9a 100644 --- a/modules/images-create-guide-openshift.adoc +++ b/modules/images-create-guide-openshift.adoc 
@@ -39,9 +39,9 @@ Because the container user is always a member of the root group, the container u [WARNING] ==== -Care must be taken when altering the directories and file permissions of sensitive areas of a container, which is no different than to a normal system. +Care must be taken when altering the directories and file permissions of the sensitive areas of a container. If applied to sensitive areas, such as the `/etc/passwd` file, such changes can allow the modification of these files by unintended users, potentially exposing the container or host. CRI-O supports the insertion of arbitrary user IDs into a container's `/etc/passwd` file. As such, changing permissions is never required. -If applied to sensitive areas, such as `/etc/passwd`, this can allow the modification of such files by unintended users potentially exposing the container or host. CRI-O supports the insertion of arbitrary user IDs into the container's `/etc/passwd`, so changing permissions is never required. +Additionally, the `/etc/passwd` file should not exist in any container image. If it does, the CRI-O container runtime will fail to inject a random UID into the `/etc/passwd` file. In such cases, the container might face challenges in resolving the active UID. Failing to meet this requirement could impact the functionality of certain containerized applications. ==== In addition, the processes running in the container must not listen on privileged ports, ports below 1024, since they are not running as a privileged user.
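Review bot: The new last paragraph contradicts the sentence kept just above it. The retained text says "CRI-O supports the insertion of arbitrary user IDs into a container's `/etc/passwd` file", which presupposes the file exists, while the added text says "the `/etc/passwd` file should not exist in any container image" and that CRI-O "will fail to inject a random UID" if it does. As written, a reader cannot tell whether the requirement is that `/etc/passwd` be absent, or that it simply not be locked down (read-only, immutable, or owned so that the runtime cannot append to it). Please state the actual condition precisely, reconcile the wording with the sentence above, and use one term consistently ("arbitrary user IDs" vs. "a random UID" read as two different mechanisms). If the intent is that the file must remain writable by the runtime rather than be absent, the first sentence of the paragraph should say so, since most base images ship `/etc/passwd` and "should not exist in any container image" will be read as a blanket prohibition.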