Update documentation, runas nonroot, enable WinRM negotiate authentication #8
Conversation
|
Thank you for your contribution. I've just checked and your commit doesn't appear to be signed-off. That's something we need before your Pull Request can be merged. Please see our contributing guide. |
template/powershell-http/Dockerfile
Outdated
| @@ -1,6 +1,6 @@ | |||
| FROM openfaas/of-watchdog:0.7.2 as watchdog | |||
|
|
|||
| FROM microsoft/powershell:ubuntu-xenial as ship | |||
| FROM microsoft/powershell:centos-7 as ship | |||
There was a problem hiding this comment.
Why did this change to CentOS?
There was a problem hiding this comment.
The centos-7 image has working WinRM NTLM Negotiate authentication using gss-ntlmssp. This is not yet working in the ubuntu-xenial image. This allows one to indirectly execute ActiveDirectoy or GroupPolicy modules remotely.
template/powershell-http/Dockerfile
Outdated
|
|
||
| ENV fprocess="pwsh ./server.ps1" | ||
| ENV cgi_headers="true" | ||
| ENV mode="http" | ||
| ENV upstream_url="http://127.0.0.1:8082" | ||
|
|
||
| EXPOSE 8080 | ||
|
|
||
| HEALTHCHECK --interval=1s CMD [ -e /tmp/.lock ] || exit 1 |
There was a problem hiding this comment.
The 1s check could go up to 5s for instance.
There was a problem hiding this comment.
It's only used by Swarm users.
There was a problem hiding this comment.
Increased to 3 to match csharp Dockerfiles below
|
Please see my note and the one from Derek too. https://github.com/openfaas/templates/blob/master/template/csharp/Dockerfile |
|
Seems vscode merges without signoff. Will it be a problem if not all the commits are signed? |
|
Also the Kubernetes Pod-Security-Policy MustRunAsNonRoot requires that the Dockerfile USER directive be defined as numeric UID and not username. MustRunAsNonRoot - Requires that the pod be submitted with a non-zero runAsUser or have the USER directive defined (using a numeric UID) in the image. Pods which have specified neither runAsNonRoot nor runAsUser settings will be mutated to set runAsNonRoot=true, thus requiring a defined non-zero numeric USER directive in the container. https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups |
Yes both of those points will be a problem. Please squash all the commits into one, which is signed-off. Feel free to use a numeric user number as per the examples in openfaas/faas in the sample-functions folder. https://git-scm.com/book/en/v2/Git-Tools-Rewriting-History Thank you for working on this template 👍 |
Signed-off-by: Gregory May <[email protected]>
|
@alexellis commits have been squashed. When you get a gap could you review? |
Signed-off-by: Gregory May <[email protected]>
|
@alexellis please review when you get a gap. |
Adds Powershell handler examples
Sets Dockerfile process to runas nonroot
Changes base image to centos-7 with gssntlmssp to enable WinRM PS Remoting using NTLM negotiate authentication
Fixes #6
Fixes #7