faucet icon indicating copy to clipboard operation
faucet copied to clipboard
verified publisher icon faucetsdn

Docker images should run software as non-priviledged user

Open gizmoguy opened this issue 8 years ago • 7 comments

Currently our test and code dockers run all processes as root.

This leads to issues like #1388 because the docker environments aren't typical to real deployment scenarios.

There are some annoyances to running processes as a separate user (like which UID do you use?), I will investigate what the best practises are and update this ticket.

gizmoguy avatar Dec 11 '17 20:12 gizmoguy

I'd probably do something like this in the Dockerfiles:

RUN useradd -r -u 1001 -g faucet faucet
USER faucet

I'm happy to open a PR and test this out if you like.

cglewis avatar Dec 11 '17 20:12 cglewis

That's roughly it. I believe you want to expose an environment variable for allowing the user to override the UID (otherwise you have issues when you share a volume into the docker and the files come out with UIDs that the host system doesn't understand).

If you're happy to put together a PR for this that would certainly help me out!

gizmoguy avatar Dec 11 '17 20:12 gizmoguy

Yup, no problem. As for the environment variable, not sure that's necessary since you can do something like this:

docker run --user 1001 faucet:1.6.12

But happy to include it if necessary.

cglewis avatar Dec 11 '17 20:12 cglewis

Ahh yes true! We won't need the environment variable in that case.

Probably just need to update the commands in the documentation in docs/docker.rst

gizmoguy avatar Dec 11 '17 20:12 gizmoguy

I'm still working on this, but current implementation is running into a lot of issues. I think I'm going to change strategies and see if I can make something like this work instead: https://denibertovic.com/posts/handling-permissions-with-docker-volumes/

cglewis avatar Dec 12 '17 16:12 cglewis

Thanks for the update @cglewis unfortunately it looks like you are right, this problem still doesn't have an elegant solution (https://github.com/moby/moby/issues/7198).

I think whatever we do, we should run as root by default and only switch down to a regular user if the environment variable to change the UID exists, this will at least let us maintain backwards compatibility with the behavior of older faucet docker images.

gizmoguy avatar Dec 12 '17 18:12 gizmoguy

#1396 solves this in the general case.

We still need to do some more work to update the test suite to support not running as root.

I've started investigating this on my fork https://github.com/gizmoguy/faucet/tree/test-suite-non-root but code isn't very pretty at the moment and I break a number of test cases.

gizmoguy avatar Dec 14 '17 20:12 gizmoguy