Commit bdeba41

Merge pull request #38266 from kelbrown20/updating-image-build-guidelines-1908066
BZ:1908066 - Updating image build guidelines
2 parents 339cb05 + f0701eb commit bdeba41

1 file changed

+2
-2
lines changed

modules/images-create-guide-openshift.adoc

Lines changed: 2 additions & 2 deletions
@@ -40,15 +40,15 @@ Because the container user is always a member of the root group, the container u
4040
====
4141
Care must be taken when altering the directories and file permissions of sensitive areas of a container, which is no different than to a normal system.
4242
43-
If applied to sensitive areas, such as `/etc/passwd`, this can allow the modification of such files by unintended users potentially exposing the container or host. CRI-O supports the insertion of random user IDs into the container's `/etc/passwd`, so changing permissions is never required.
43+
If applied to sensitive areas, such as `/etc/passwd`, this can allow the modification of such files by unintended users potentially exposing the container or host. CRI-O supports the insertion of arbitrary user IDs into the container's `/etc/passwd`, so changing permissions is never required.
4444
====
4545

4646
In addition, the processes running in the container must not listen on privileged ports, ports below 1024, since they are not running as a privileged user.
4747

4848
ifdef::openshift-enterprise,openshift-webscale,openshift-origin[]
4949
[IMPORTANT]
5050
====
51-
If your S2I image does not include a `USER` declaration with a numeric user, your builds fail by default. To allow images that use either named users or the root `0` user to build in {product-title}, you can add the project's builder service account, `system:serviceaccount:<your-project>:builder`, to the `privileged` security context constraint (SCC). Alternatively, you can allow all images to run as any user.
51+
If your S2I image does not include a `USER` declaration with a numeric user, your builds fail by default. To allow images that use either named users or the root `0` user to build in {product-title}, you can add the project's builder service account, `system:serviceaccount:<your-project>:builder`, to the `anyuid` security context constraint (SCC). Alternatively, you can allow all images to run as any user.
5252
====
5353
endif::[]
5454
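
Review bot: The closing sentence of the `[IMPORTANT]` block at new line 51, "Alternatively, you can allow all images to run as any user.", does not say how this is done or at what scope, so it reads as interchangeable with the per-project grant to `system:serviceaccount:<your-project>:builder` that precedes it. Suggest naming the mechanism or linking to the procedure, and stating before either option that adding a numeric `USER` declaration to the S2I image removes the need to change any SCC, since the `anyuid` grant described here still permits the root `0` user. Minor style point at new line 43: "by unintended users potentially exposing the container or host" needs a comma after "users".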
