Add migration guide for v1.3.0 docker #1012
Merged (+139 −2)
5 commits
02e7443
Add migration guide for v1.3.0 docker
phillipleblanc bb5edef
Update release blog to have a note on the sandbox breaking change
phillipleblanc 62217af
Review feedback
phillipleblanc 5a91668
Add section for debugging sandbox container
phillipleblanc 823134f
add reference to debugging
phillipleblanc
File renamed without changes.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,83 @@ | ||
| --- | ||
| title: 'Docker Sandbox Guide - v1.3.0' | ||
| description: 'Migrating to v1.3.0' | ||
| sidebar_label: 'Sandbox Guide - v1.3.0' | ||
| sidebar_position: 1 | ||
| tags: | ||
| - deployment | ||
| - docker | ||
| - sandbox | ||
| --- | ||
|
|
||
| ## v1.3.0 Docker Sandbox | ||
|
|
||
| In the v1.3.0 release, the Docker image changed the sandbox from a script that ran at startup, to being baked into the Docker image itself. Prior to this, the Docker image would start up as a root user, and then set up a sandbox user with restricted permissions before starting the Spice runtime in that restricted context. | ||
|
|
||
| Additionally, the Docker image includes no standard Linux tools like `bash`. | ||
|
|
||
| Starting with v1.3.0, the sandboxing logic is baked directly into the final Docker image, and the Docker image starts up as the sandbox user. | ||
|
|
||
| For most users, this change will be transparent. However, there are a few cases where an action is required to update. | ||
|
|
||
| ### Building a custom Docker image based on v1.3.0 | ||
|
|
||
| Building a custom Docker image based on v1.3.0 that installs additional dependencies will require using the `debian:bookworm-slim` base image and copying the `spiced` binary from the `spiceai/spiceai` image into the custom image. This approach can also be used to restore the previous behavior of including standard Linux tools like `bash`. | ||
|
|
||
| ```dockerfile | ||
| FROM debian:bookworm-slim | ||
|
|
||
| # Copy the spiced binary from the spiceai/spiceai image into the custom image. | ||
| COPY --from=spiceai/spiceai:v1.3.0 /usr/local/bin/spiced /usr/local/bin/spiced | ||
|
|
||
| # Install any additional dependencies needed for the image. | ||
| RUN apt update && apt install -y --no-install-recommends <your-dependencies> | ||
|
|
||
| # Any other customizations needed for the image. | ||
|
|
||
| WORKDIR /app | ||
|
|
||
| ENTRYPOINT ["/usr/local/bin/spiced"] | ||
| ``` | ||
|
|
||
| This will restore the previous behavior of starting as the root user and including standard Linux tools, like `bash`. | ||
|
|
||
| #### Running as a non-root user | ||
|
|
||
| Spice recommends that custom Docker images based on Spice run as a non-root user. i.e. | ||
|
|
||
| ```dockerfile | ||
| RUN addgroup -g 1001 -S sandboxgroup && adduser -u 1001 -S -G sandboxgroup sandbox | ||
| USER sandbox | ||
| ``` | ||
|
|
||
| This may require additional configuration of mounted volumes to ensure that the sandbox user has access to the necessary files. i.e. in Kubernetes, this requires adding a `securityContext` to the pod spec. | ||
|
|
||
| ```yaml | ||
| securityContext: | ||
| runAsUser: 1001 | ||
| runAsGroup: 1001 | ||
| # Tells Kubernetes to set the group of the files in the volume to sandboxgroup, | ||
| # which allows the sandbox user to access the files. | ||
| fsGroup: 1001 | ||
| ``` | ||
|
|
||
| :::note | ||
|
|
||
| The `fsGroup` directive does not work for all Kubernetes storage types. For example, it does not work for `hostPath` volumes. In this case, an init container can be used to set the group of the files in the volume. | ||
|
|
||
| ::: | ||
|
|
||
| ### Custom Kubernetes deployments | ||
|
|
||
| Kubernetes deployments that do not use the v1.3.0 Helm chart will need to add the following `securityContext` to their pod spec: | ||
|
|
||
| ```yaml | ||
| securityContext: | ||
| runAsUser: 65534 | ||
| runAsGroup: 65534 | ||
| fsGroup: 65534 | ||
| ``` | ||
|
|
||
| ### Debugging sandbox container | ||
|
|
||
| To debug issues with the sandbox container, see the [Debugging Sandbox Container](/docs/troubleshooting/index.md#debugging-sandbox-container) section of the troubleshooting guide. | ||
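Review bot: the user-creation line in "Running as a non-root user" (`RUN addgroup -g 1001 -S sandboxgroup && adduser -u 1001 -S -G sandboxgroup sandbox`) uses the BusyBox/Alpine short flags, but the section just above tells readers to base the custom image on `debian:bookworm-slim`, where `adduser` and `addgroup` are Debian's wrappers and do not take `-S`, `-G`, `-u` and `-g` in that form, so the build fails as written. Suggest the shadow-utils commands that ship in the slim Debian image, e.g. `RUN groupadd --system --gid 1001 sandboxgroup && useradd --system --uid 1001 --gid 1001 --no-create-home sandbox`, and show where `USER sandbox` goes relative to the Dockerfile above (after the `apt install` step and before `ENTRYPOINT`), since the first snippet deliberately leaves the image starting as root and a reader following both sections needs to see the two combined. The `securityContext` snippets are consistent with that choice: the custom-image section pins uid/gid 1001 while "Custom Kubernetes deployments" uses 65534 for the stock image; one sentence stating that the ids must match whichever user the image actually runs as would head off mismatched `runAsUser` values.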