Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Docker user should not be root #995

Open
kelson42 opened this issue Oct 1, 2019 · 10 comments · May be fixed by #1321
Open

Docker user should not be root #995

kelson42 opened this issue Oct 1, 2019 · 10 comments · May be fixed by #1321
Assignees
@kelson42
Labels
bug enhancement good first issue
Milestone
2.1.0

Comments

@kelson42
Copy link
Collaborator

kelson42 commented Oct 1, 2019

This makes it otherwise impossible to use NFS on Wikimedia VPS as cache. On the top of this, this is a security recommendation.
@rgaudin
Copy link
Member

rgaudin commented Oct 1, 2019

You shall now create one such issue in every scraper 😬

@kelson42
Copy link
Collaborator Author

kelson42 commented Oct 1, 2019

@rgaudin yes... one problem at a time.

@stale
Copy link

stale bot commented Nov 30, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be now be reviewed manually. Thank you for your contributions.

@stale stale bot added the stale label Nov 30, 2019
@stale stale bot removed the stale label Dec 5, 2020
@kelson42
Copy link
Collaborator Author

kelson42 commented Dec 5, 2020

Easy to fix with this doc https://medium.com/better-programming/running-a-container-with-a-non-root-user-e35830d1f42a

@kelson42 kelson42 added this to the 1.12 milestone Dec 5, 2020
@kelson42 kelson42 linked a pull request Dec 6, 2020 that will close this issue
Open
@rgaudin
Copy link
Member

rgaudin commented Dec 17, 2020

@kelson42, this requires a strategy and coordination with the zimfarm to work because we share common resources across various containers.
In a zimfarm worker, we have, a root-folder, let's say /data on the host.

  • Manager needs
    • rw access to this to ensure it's writable so we fail early if not.
    • ro to calculate available disk space
  • Task Worker needs:
    • rw access to create its per-task workdir
    • rw access to remove it on cleanup
    • rw access to find and then remove ZIM files
    • ro to calculate available disk space
  • Scraper needs rw access to store temp data and ZIM files.

In order for this to work we can either:

  • use root everywhere and not care about permission (current behavior)
  • use non-root, set 777 permission on root dir and require all future files and folder to stick to everybody permissions. Seems unrealistic and fragile.
  • Use non-root on a coordinated uid.

This last option would mean hard-coding an arbitrary yet identical uid for the user to run inside all of the scrapers's dockerfile/entrypoint. We'd need each to be good citizen in not accidentally doing stuff as root (if using gosu).
There would be implications on the standalone (non-zimfarm) use of the scrapers' images as this arbitrary user might not have correct permissions on destination.

Note: we're using mounts on the host but using docker volumes would have the same constraints.

@stale
Copy link

stale bot commented Mar 20, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be now be reviewed manually. Thank you for your contributions.

@stale stale bot added the stale label Mar 20, 2021
@jakern
Copy link

jakern commented Jul 27, 2021

We wouldn't necessarily have to hard code it but could set the PUID & PGID with environment variables. See https://docs.linuxserver.io/general/understanding-puid-and-pgid. I still don't know how this works but it seems like it's set in their base image initd https://github.com/linuxserver/docker-baseimage-ubuntu/blob/bionic/root/etc/cont-init.d/10-adduser#L3

@stale stale bot removed the stale label Jul 27, 2021
@rgaudin
Copy link
Member

rgaudin commented Jul 27, 2021

You can also use docker run --user and specify either an uid or a username (that exists inside the container) and that would do it. Probably a good approach for our use case.

@stale
Copy link

stale bot commented Sep 26, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be now be reviewed manually. Thank you for your contributions.

@stale stale bot added the stale label Sep 26, 2021
@kelson42 kelson42 modified the milestones: 1.14.0_old, 1.13.0 Jan 20, 2023
@stale stale bot removed the stale label Jan 20, 2023
@kelson42 kelson42 modified the milestones: 1.13.0, 1.14.0 Mar 5, 2023
@stale
Copy link

stale bot commented May 26, 2023

This issue has been automatically marked as stale because it has not had recent activity. It will be now be reviewed manually. Thank you for your contributions.

@stale stale bot added the stale label May 26, 2023
@stale stale bot removed the stale label Aug 16, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@kelson42 kelson42

Labels
bug enhancement good first issue
Projects
None yet
Milestone
2.1.0
Development

Successfully merging a pull request may close this issue.

Create dedicated Docker 'scraper' user openzim/mwoffliner
4 participants
@rgaudin @kelson42 @jakern @VadimKovalenkoSNF