DiUS / pact_broker-docker

'Dockerised' pact broker
http://pact.io
MIT License

Run application as app user instead of root user? #81

Closed nateg-gladly closed 5 years ago

nateg-gladly commented 5 years ago

We're interested in running the pact broker application as the app rather than root user in the Docker container. I looked into opening a PR but noticed that this maybe was already implemented based on the Dockerfile:

Just wondering what the story is behind these changes, is the project interested in PRs to run as app rather than root?

Thank you!

bethesque commented 5 years ago

I can't remember the full details of why it's the root user, but I think passenger needs root, from memory. Have a read of the documentation https://github.com/phusion/passenger-docker

I'll see if I can find the issue that explains why it's root.

mefellows commented 5 years ago

It should certainly be possible as the app user (passenger recommends it). I'm not sure why it was commented out, perhaps it's a regression/accident?

bethesque commented 5 years ago

Maybe the issue was that it needed root permissions for something else. I know there was something about the image that needed root. Try using app and see what happens @nateg-gladly

nateg-gladly commented 5 years ago

(Sorry for delayed response) OK I will give it a try in the next few weeks and report back. Thank you!

stt19 commented 5 years ago

My team is also very interested in using Pact Broker, but due to security concerns do not want to run the application as root, especially as we move towards getting broker on Openshift. Would it be possible to release an image that doesn't need root?

And regarding the previous comments on running as app (or any non-root user for that matter), the container exits immediately upon being run with the error:

```
*** Killing all processes...
Traceback (most recent call last):
  File "/sbin/my_init", line 414, in <module>
    main(args)
  File "/sbin/my_init", line 330, in main
    import_envvars(False, False)
  File "/sbin/my_init", line 88, in import_envvars
    for envfile in listdir("/etc/container_environment"):
  File "/sbin/my_init", line 72, in listdir
    return sorted(os.listdir(path))
PermissionError: [Errno 13] Permission denied: '/etc/container_environment'
```

I think it has to do with, as stated above, the phusion passenger base image. Even just a Dockerfile with the following contents will reproduce the same error as above when run:

```
FROM phusion/passenger-ruby24:1.0.0
USER app
```

patvong commented 5 years ago

@stt19 For openshift you might wanna look into this: https://github.com/jaimeniswonger/pact-broker-openshift

I'm not using Openshift though, and I have the same problem running as non-root (in my case I want to run on a Kubernetes cluster with a security context set to run the pod as non-root). It is due to the phusion/passenger docker image that needs to run the /sbin/my_init as root.

bethesque commented 5 years ago

I've raised this issue here: https://github.com/phusion/passenger-docker/issues/250

I think we'll have to find a non-passenger solution to run as non-root, because I have a vague memory of seeing a big long thread about how it's impossible to start passenger as a non-root user because it needs to manage certain processes. However, I can't find that issue any more.

bethesque commented 5 years ago

Ah! I think it's nginx. https://stackoverflow.com/questions/42329261/running-nginx-as-non-root-user

Because: Only root processes can listen to ports below 1024. A webserver typically runs at port 80 and/or 443. That means it needs to be started as root.

bethesque commented 5 years ago

@stt19 Running on Openshift is already supported: https://github.com/DiUS/pact_broker-docker#running-with-openshift

Can I ask you to find out from your security team how they expect images to run web servers on the default ports without root permissions? I am confused as to how this can happen. Do you run all your servers on ports above 1024?

patvong commented 5 years ago

@bethesque About Nginx, you can set up the configuration file to listen on port 8080 and expose 8080 in the Dockerfile. See my commit here: https://github.com/patvong/pact-broker-docker/commit/a6524f3b61c2a1202556d421f2d9784f97a74840
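As an added example (not code from any participant in this thread or from the pact_broker-docker project), the shell function below audits a Dockerfile for the two conditions discussed so far: a final stage with no non-root `USER`, and a non-root user combined with an `EXPOSE`d port below 1024. The function name, the sample Dockerfiles and their `EXPOSE` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Reads a Dockerfile on stdin and
# checks the final build stage for the two conditions discussed above.

audit_dockerfile() {
    awk '
        BEGIN { rc = 0 }
        /^[[:space:]]*#/ { next }            # "# USER app" is only a comment
        { directive = toupper($1) }
        directive == "FROM"   { user = ""; nports = 0 }   # new stage resets state
        directive == "USER"   { user = $2 }
        directive == "EXPOSE" {
            for (i = 2; i <= NF; i++) {
                port = $i
                sub(/\/.*/, "", port)        # drop a "/tcp" or "/udp" suffix
                ports[++nports] = port
            }
        }
        END {
            sub(/:.*/, "", user)             # "app:app" -> "app"
            # No USER means the base image user applies; assumed to be root here.
            if (user == "" || user == "root" || user == "0") {
                print "FAIL runs-as-root"
                exit 1
            }
            print "PASS user=" user
            for (i = 1; i <= nports; i++)
                if (ports[i] ~ /^[0-9]+$/ && ports[i] + 0 < 1024) {
                    print "FAIL privileged-port=" ports[i]
                    rc = 1
                }
            exit rc
        }
    '
}

# Constructed sample Dockerfiles (the EXPOSE lines are assumptions).
sample_user_commented_out() { printf '%s\n' 'FROM phusion/passenger-ruby24:1.0.0' '# USER app' 'EXPOSE 80'; }
sample_app_user_port_80()   { printf '%s\n' 'FROM phusion/passenger-ruby24:1.0.0' 'USER app' 'EXPOSE 80'; }
sample_app_user_port_8080() { printf '%s\n' 'FROM phusion/passenger-ruby24:1.0.0' 'USER app' 'EXPOSE 8080'; }

for s in sample_user_commented_out sample_app_user_port_80 sample_app_user_port_8080; do
    echo "== $s"
    "$s" | audit_dockerfile || true
done
```

`EXPOSE` is only metadata; the port the server actually binds comes from its own configuration (the nginx listen setting in this thread), so treat this as a first-pass lint.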

bethesque commented 5 years ago

Maybe we can have a branch of the broker that runs on the different port.

YOU54F commented 5 years ago

With regard to @patvong's solution, you can map the exposed port of the pact broker in the docker-compose file to port 80 externally

https://github.com/YOU54F/passenger-run-as-app/blob/41e7c232634f291b88236a66fa2a1a661ba9bf8e/docker-compose.yml#L9

or map the port when you run via docker run

https://github.com/YOU54F/passenger-run-as-app/blob/41e7c232634f291b88236a66fa2a1a661ba9bf8e/Dockerfile#L23

Looking into the issue as to why we can't run as a non-root user, it appears to be with phusion-baseimage, which passenger-docker is built upon, and the /sbin/my_init script that is called.

https://github.com/phusion/baseimage-docker/issues/264#issuecomment-162853995

They mention two things to get this to work:

```
CMD ["/sbin/my_init","--","setuser","app","bash"]
```

Change perms on /etc/container_environment https://github.com/phusion/baseimage-docker#security

```
# Make these world readable https://github.com/phusion/baseimage-docker#security
RUN chmod 755 /etc/container_environment
RUN chmod 644 /etc/container_environment.sh /etc/container_environment.json
```

A working example taken from @bethesque's example app, replicating the issue. https://github.com/YOU54F/passenger-run-as-app/pull/1/files

Running as a non-root user means you lose cron / syslog / logrotate

Here is another issue with running as non-root on the Heroku platform

https://github.com/phusion/baseimage-docker/issues/475

bethesque commented 5 years ago

Ok, we've released a new version of the pact-broker docker image here: https://hub.docker.com/r/pactfoundation/pact-broker/tags

It now runs without root (and also uses alpine linux and puma instead of passenger phusion). If you'd like to give it a trial run and let me know how you go, that would be great.