Closed RJSzynal closed 4 years ago
Correct, you should avoid running containers as root. Make sure you use --user to set a uid:gid or use the corresponding setting in your container orchestrator. The uid:gid you set needs to have read-write permissions to the persistent storage you set up.
Because of that relationship with storage, the container can't decide a default uid:gid.
I think I need to be much more clear about that in the README, so I'll take another shot at that.
Apologies if I'm teaching you to suck eggs but I don't know how much experience you have with containerisation. While it can be overridden at runtime, it is better to set correct safe defaults in the image. Running as a non-root user is high up in any best practices list you find so it's better for users who don't have a deep knowledge of containerisation technologies to set a default which is most likely to be correct for them. You have the entrypoint, volume, and ports set to sane defaults in the image so there's no reason not to do the same for the user.
I have created a PR to add this to the image: https://github.com/FoldingAtHome/containers/pull/6
@RJSzynal just use https://podman.io/ which is secure by default.
Much greater clarity on this has been added to both READMEs. The persistent storage and permissions have to be set up, and must be matched with the uid:gid of the running container, and the config needs to be preloaded. --user or equivalent is always required. There is no safe choice default to hardcode in.
Just firing off the container without following those steps will result in lost WU, misconfiguration, or the client exiting immediately.
TL;DR the setup steps aren't optional, it has to be set up like a database container.
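A preflight check for the requirement stated in the comments above: the uid:gid passed to --user must be non-root and must have read-write access to the persistent storage. This is an added example, not part of the original thread or the project's code; the function name check_storage_user and its return codes are made up here, and it assumes a Linux host with GNU stat and ignores supplementary groups and ACLs.

```shell
#!/bin/sh
# Added example: check a UID:GID against the host storage directory
# before using it with `--user`. Assumes GNU coreutils `stat`.
# Only owner/group/other mode bits are evaluated (no ACLs, no
# supplementary groups), so a pass is necessary, not sufficient.

# check_storage_user UID:GID DIR
#   0  UID:GID is non-root and has read, write and search on DIR
#   1  uid is 0 (container would run as root)
#   2  mode bits on DIR do not grant rwx to UID:GID
#   3  DIR does not exist
#   4  UID:GID is not of the form <digits>:<digits>
check_storage_user() {
    case "$1" in
        *[!0-9:]* | *:*:* | :* | *:) echo "bad UID:GID '$1'" >&2; return 4 ;;
        *:*) ;;
        *) echo "bad UID:GID '$1'" >&2; return 4 ;;
    esac
    want_uid=${1%%:*}
    want_gid=${1##*:}
    dir=$2

    if [ "$want_uid" -eq 0 ]; then
        echo "uid 0 requested: container would run as root" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "storage directory '$dir' does not exist" >&2
        return 3
    fi

    # %u = owner uid, %g = owner gid, %a = permission bits in octal
    set -- $(stat -c '%u %g %a' "$dir")
    own_uid=$1 own_gid=$2
    mode=$((0$3))   # leading 0 makes the shell parse the value as octal

    # Pick the permission class the kernel would apply to this uid:gid.
    if [ "$want_uid" -eq "$own_uid" ]; then bits=$(( (mode >> 6) & 7 ))
    elif [ "$want_gid" -eq "$own_gid" ]; then bits=$(( (mode >> 3) & 7 ))
    else bits=$(( mode & 7 ))
    fi

    if [ "$bits" -eq 7 ]; then return 0; fi
    echo "$want_uid:$want_gid lacks rwx on $dir (owner $own_uid:$own_gid)" >&2
    return 2
}
```

Run it against the host directory that will be mounted as persistent storage, then pass the same uid:gid to --user.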
It is best practice to run containers as a non-root user. This could be added to the design rules and is easily achieved by adding the following to the Dockerfile:
After doing this, users will need to change the ownership of their host fah volume, as it will still be owned by root. This will be uid 1000 gid 1000.