search

FoldingAtHome / containers

Docker containers for easily launching the Folding@home client anywhere!
Creative Commons Zero v1.0 Universal
60 stars 20 forks source link

Images should run as non-root user #5

Closed RJSzynal closed 4 years ago

RJSzynal commented 4 years ago

It is best practice to run containers as a non-root user. This could be added to the design rules and is easily achieved by adding the following to the dockerfile:

# Add Folding user
RUN useradd -mG folding

# Run as non privileged user
USER folding

After doing this users will need to change the ownership of their host fah volume as it will still be owned by root. This will be uid 1000 gid 1000

beberg commented 4 years ago

Correct, you should avoid running containers as root. Make sure you use --user to set a uid:gui or use the corresponding setting in your container orchestrator. The uid:gid you set needs to have read-write permissions to the persistent storage you setup.

Because of that relationship with storage, the container can't decide a default uid:gid.

I think I need to be much more clear about that in the README, so I'll take another shot at that.

RJSzynal commented 4 years ago

Apologies if I'm teaching you to suck eggs but I don't know how much experience you have with containerisation. While it can be overridden at runtime, it is better to set correct safe defaults in the image. Running as a non-root user is high up in any best practices list you find so it's better for users who don't have a deep knowledge of containerisation technologies to set a default which is most likely to be correct for them. You have the entrypoint, volume, and ports set to sane defaults in the image so there's no reason not to do the same for the user.

I have created a PR to add this to the image: https://github.com/FoldingAtHome/containers/pull/6

abitrolly commented 4 years ago

@RJSzynal just use https://podman.io/ which is secure by default.

beberg commented 4 years ago

Much greater clarity on this has been added to both READMEs. The persistent storage and permissions have to be setup, ande must be matched with the uid:gid of the running container, and the config needs to be preloaded. --user or equivalent is always required. There is no safe choice default to hardcode in.

Just firing off the container without following those steps will result in lost WU, misconfiguration, or the client exiting immediately.

TL;DR the setup steps aren't optional, it has to be setup like a database container.