Security constraints on the use of operating system users in containers
Using operating system users in containers is not recommended, and is prohibited with the IBM MQ Operator.
In a multi-tenant containerized environment, security constraints are typically put in place to
prevent potential security issues, for example:
- Preventing use of the "root" user inside a container.
- Forcing the use of a random UID. For example, in Red Hat® OpenShift® Container Platform the default SecurityContextConstraints (called `restricted`) uses a randomized user ID for each container.
- Preventing the use of privilege escalation. IBM® MQ on Linux® uses privilege escalation to check the passwords of users: it uses a "setuid" program to become the "root" user to do this.
To ensure compliance with these security measures, the IBM MQ Operator does not allow the use of user IDs that are defined in the operating system libraries inside a container. There is no mqm user ID or group defined in the container.
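As an added example (not code from the IBM MQ documentation or the IBM MQ Operator), the following Python script checks a pod manifest against the three constraints listed above: no root user, no pinned UID where the platform assigns a random one, and no privilege escalation. The manifest and container names are constructed for illustration.

```python
"""Check a pod manifest against the container constraints described above."""
import json

# Constructed sample manifest: one container breaks every rule, one is compliant.
POD_MANIFEST = json.loads("""
{
  "kind": "Pod",
  "spec": {
    "securityContext": {"runAsNonRoot": false},
    "containers": [
      {"name": "legacy-mq",
       "securityContext": {"runAsUser": 0, "allowPrivilegeEscalation": true}},
      {"name": "hardened-mq",
       "securityContext": {"runAsNonRoot": true,
                           "allowPrivilegeEscalation": false}}
    ]
  }
}
""")


def check_container(pod_ctx, container):
    """Return a list of findings for one container; an empty list means compliant.
    Container-level securityContext fields override the pod-level ones."""
    ctx = {**pod_ctx, **container.get("securityContext", {})}
    findings = []
    uid = ctx.get("runAsUser")
    if uid == 0:
        findings.append("runs as root (runAsUser: 0)")
    elif not ctx.get("runAsNonRoot", False):
        findings.append("runAsNonRoot is not enforced")
    if uid is not None and uid != 0:
        # The platform (e.g. the OpenShift restricted SCC) assigns a random UID,
        # so an application must not depend on a fixed one.
        findings.append(f"UID pinned to {uid}; platform assigns a random UID")
    # allowPrivilegeEscalation: false sets no_new_privs, so a setuid program
    # (such as the one MQ uses to check passwords) cannot become root.
    if ctx.get("allowPrivilegeEscalation", True):
        findings.append("privilege escalation (setuid) is not disabled")
    return findings


def check_pod(pod):
    """Map each container name to its list of findings."""
    pod_ctx = pod["spec"].get("securityContext", {})
    return {c["name"]: check_container(pod_ctx, c) for c in pod["spec"]["containers"]}


if __name__ == "__main__":
    for name, findings in check_pod(POD_MANIFEST).items():
        print(name, "OK" if not findings else findings)
```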