Linux Foundation CKS Exam - Topic 1 Question 38 Discussion

Analyze and edit the given Dockerfile:

```
FROM ubuntu:latest
RUN apt-get update -y
RUN apt-install nginx -y
COPY entrypoint.sh /
ENTRYPOINT ["/entrypoint.sh"]
USER ROOT
```

Fix two instructions present in the file that are prominent security best-practice issues.

Analyze and edit the deployment manifest file:

```
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-2
spec:
  securityContext:
    runAsUser: 1000
  containers:
  - name: sec-ctx-demo-2
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      runAsUser: 0
      privileged: True
      allowPrivilegeEscalation: false
```

Fix two fields present in the file that are prominent security best-practice issues.

Don't add or remove configuration settings; only modify the existing configuration settings. Whenever you need an unprivileged user for any of the tasks, use user test-user with the user id 5487.
A) Explanation:

```
FROM debian:latest
MAINTAINER k@bogotobogo.com

# 1 - RUN
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -yq apt-utils
RUN DEBIAN_FRONTEND=noninteractive apt-get install -yq htop
RUN apt-get clean

# 2 - CMD
#CMD ['htop']
#CMD ['ls', '-l']

# 3 - WORKDIR and ENV
WORKDIR /root
ENV DZ version1
```

```
$ docker image build -t bogodevops/demo .
Sending build context to Docker daemon 3.072kB
Step 1/7 : FROM debian:latest
 ---> be2868bebaba
Step 2/7 : MAINTAINER k@bogotobogo.com
 ---> Using cache
 ---> e2eef476b3fd
Step 3/7 : RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -yq apt-utils
 ---> Using cache
 ---> 32fd044c1356
Step 4/7 : RUN DEBIAN_FRONTEND=noninteractive apt-get install -yq htop
 ---> Using cache
 ---> 0a5b514a209e
Step 5/7 : RUN apt-get clean
 ---> Using cache
 ---> 5d1578a47c17
Step 6/7 : WORKDIR /root
 ---> Using cache
 ---> 6b1c70e87675
Step 7/7 : ENV DZ version1
 ---> Using cache
 ---> cd195168c5c7
Successfully built cd195168c5c7
Successfully tagged bogodevops/demo:latest
```

Actual exam question for Linux Foundation's CKS exam
Question #: 38
Topic #: 1

Suggested Answer: A
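
A small check for the settings this question turns on, added here as an example and not part of the original page or of any Kubernetes tooling: it flags a root `USER` in the Dockerfile and, in the Pod, a `runAsUser` that resolves to 0 or `privileged` set to true. The function names are hypothetical, and the manifest is supplied as the dict a YAML loader would return.

```python
import re

# Constructed inputs: the Dockerfile from the question, and its Pod manifest
# written as the dict a YAML loader would return (assumption of this example).
DOCKERFILE = """\
FROM ubuntu:latest
RUN apt-get update -y
RUN apt-install nginx -y
COPY entrypoint.sh /
ENTRYPOINT ["/entrypoint.sh"]
USER ROOT
"""

POD = {"spec": {
    "securityContext": {"runAsUser": 1000},
    "containers": [{
        "name": "sec-ctx-demo-2",
        "image": "gcr.io/google-samples/node-hello:1.0",
        "securityContext": {"runAsUser": 0, "privileged": True,
                            "allowPrivilegeEscalation": False},
    }],
}}


def audit_dockerfile(dockerfile):
    """Hypothetical helper: report whether the image ends up running as root."""
    # Only the last USER instruction decides the runtime user.
    users = re.findall(r"^[ \t]*USER[ \t]+(\S+)", dockerfile, re.M | re.I)
    if not users:
        return ["no USER instruction: base image default user applies"]
    # Compared case-insensitively so the question's `USER ROOT` is caught.
    if users[-1].split(":")[0].lower() in ("root", "0"):
        return [f"final USER is root: {users[-1]}"]
    return []


def audit_pod(pod):
    """Hypothetical helper: report root or privileged containers in a Pod."""
    findings = []
    pod_sc = pod["spec"].get("securityContext", {})
    for c in pod["spec"]["containers"]:
        sc = c.get("securityContext", {})
        # A container-level runAsUser overrides the pod-level value.
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if uid == 0:
            findings.append(f"{c['name']}: runAsUser resolves to 0")
        if sc.get("privileged") is True:
            findings.append(f"{c['name']}: privileged is true")
    return findings
```

On the question's files, the pod-level `runAsUser: 1000` does not help because the container-level `runAsUser: 0` takes precedence, which is why the check resolves the effective value per container.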

Contribute your Thoughts:

Jamal
7 months ago
Is it really necessary to use a specific user ID like 5487? Sounds odd.
upvoted 0 times
...
Denny
7 months ago
I think the `privileged: True` setting is a huge red flag.
upvoted 0 times
...
Orville
7 months ago
Wait, why is `runAsUser` set to 0 in the manifest? That's risky!
upvoted 0 times
...
Blondell
8 months ago
Totally agree, using `USER ROOT` is a bad practice!
upvoted 0 times
...
Hillary
8 months ago
The Dockerfile should use `apt-get install` instead of `apt-install`.
upvoted 0 times
...
Aileen
8 months ago
I think I’ve seen similar questions where we had to adjust security contexts, but I’m not clear on whether I should keep allowPrivilegeEscalation as false or change it based on the user ID.
upvoted 0 times
...
Reita
8 months ago
For the Kubernetes manifest, I recall we practiced changing the runAsUser to a non-zero value, but I’m not sure if I should set it to 5487 directly or just remove the privileged setting.
upvoted 0 times
...
Earleen
8 months ago
I’m a bit unsure about the apt-install command; I think it should be apt-get install instead. It seems like a common mistake in practice questions.
upvoted 0 times
...
Veronika
9 months ago
I remember we discussed the importance of using a non-root user in Dockerfiles to enhance security, so I think I need to change the USER ROOT line.
upvoted 0 times
...
Lasandra
9 months ago
Hmm, this seems like a tricky one. I know Tanzu Kubernetes Grid Service supports some CNI plugins, but I'm not totally sure which ones. I'll have to review my notes on that.
upvoted 0 times
...
Nell
9 months ago
Okay, let me think this through. The cases need to be organized by status, with Escalated first, then Active, then Closed. I'm pretty sure the States with conditions to filter by case status option is the way to go here.
upvoted 0 times
...
Bette
1 year ago
Well, well, well, looks like someone's got a penchant for playing with fire! 'apt-install' and 'USER ROOT'? Might as well just hand the keys to the kingdom over to the container and call it a day. And the deployment file? Privilege escalation and root access? Might as well just throw the whole server out the window and start over!
upvoted 0 times
Eladia
1 year ago
User 4: Definitely, those need to be fixed asap before any serious security breaches occur.
upvoted 0 times
...
Tuyet
1 year ago
User 3: And in the deployment manifest file, privilege escalation and root access? That's a disaster waiting to happen.
upvoted 0 times
...
Telma
1 year ago
User 2: I know, those are big no-nos. It's like giving full control to the container.
upvoted 0 times
...
Frederic
1 year ago
User 1: Yikes, 'apt-install' and 'USER ROOT' in the Dockerfile? That's a major security risk.
upvoted 0 times
...
...
Kindra
1 year ago
The Dockerfile needs to be fixed by correcting the 'apt-install' instruction and removing the 'USER ROOT' line. In the deployment manifest, the 'runAsUser: 0' and 'privileged: True' fields should be changed to use a non-root user for better security.
upvoted 0 times
Rusty
12 months ago
In the deployment manifest, we need to update 'runAsUser: 0' to use a non-root user.
upvoted 0 times
...
Kasandra
1 year ago
We should also remove the 'USER ROOT' line for security reasons.
upvoted 0 times
...
Hildegarde
1 year ago
Let's change 'apt-install' to 'apt-get install' in the Dockerfile.
upvoted 0 times
...
...
Allene
1 year ago
Haha, the Dockerfile is a real mess! 'apt-install'? Really? And running as root? Might as well just give the container the keys to the kingdom! As for the deployment file, oh boy, privilege escalation and root access? Might as well just hand over the entire server to the container!
upvoted 0 times
Chauncey
1 year ago
User 3: I agree, running as an unprivileged user with a specific user id is a much better approach.
upvoted 0 times
...
Mohammad
1 year ago
User 2: Absolutely, security best practices are essential. And that deployment manifest file is a disaster too.
upvoted 0 times
...
Helaine
1 year ago
User 1: Yeah, that Dockerfile needs some serious fixing. Running as root is a big no-no.
upvoted 0 times
...
...
Dianne
1 year ago
The deployment manifest file has some security issues. The 'runAsUser: 0' and 'privileged: True' fields give the container root privileges, which is not recommended for security reasons.
upvoted 0 times
...
Nathalie
1 year ago
I modified the Dockerfile to use debian:latest and added htop installation for better security.
upvoted 0 times
...
Felicidad
1 year ago
The first Dockerfile instruction has a typo in 'apt-install' instead of 'apt-get install'. Also, the 'USER ROOT' instruction is a security risk; it's better to run the container as a non-root user.
upvoted 0 times
Candra
1 year ago
User 2
upvoted 0 times
...
Roxane
1 year ago
User 1
upvoted 0 times
...
...
Lisha
1 year ago
I agree, it required careful analysis and editing to fix the security issues.
upvoted 0 times
...
Nathalie
1 year ago
I found the Dockerfile and deployment manifest file question tricky.
upvoted 0 times
...
Carmela
1 year ago
I believe modifying the deployment manifest file is also crucial for security. We need to fix those fields.
upvoted 0 times
...
Edda
1 year ago
I agree, we should analyze and edit the Dockerfile to ensure best security practices.
upvoted 0 times
...
Augustine
1 year ago
I think the Dockerfile needs to be edited to fix security issues.
upvoted 0 times
...
