Open jradtilbrook opened 5 years ago
Can you tell us a bit more about the context you are using the image in where you consider it a security risk?
It’s certainly something we’d consider, it just makes orchestration a lot more complicated, especially for docker with user namespacing enabled (which I’d consider the stronger security if I had to choose)
On 8 Jun 2019, at 12:46 pm, Jarryd Tilbrook notifications@github.com wrote:
The docker image (alpine and ubuntu) runs as the root user by default which is a security risk. Would you consider changing to a less privileged user?
Sure! I'm using the Buildkite Helm chart to deploy an agent inside a Kubernetes cluster and using that agent to perform deploys of services inside the cluster using Helm. So I'm actually baking more binaries into the docker image and can change the user from there as well.
So the main reasoning is I just don't want any container running as root in the cluster. Especially since my use case doesn't mount the docker socket from the host and all pipeline commands are run directly from the agent's pod.
Since I'm extending the image anyway it's not necessary for my use case but thought it might be useful for others if it was the default.
Let me know what you think or if you need more info.
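One way to do what the comment above describes, extending the published agent image, baking in extra tooling, and then dropping to a least-privilege user before the agent starts. This is an added example written for this thread, not the project's own Dockerfile; the `3-alpine` tag, the uid/gid `10001`, and the `/buildkite/builds` build path are choices made here, not values taken from the discussion.

```dockerfile
# Added example, not the project's own Dockerfile.
# Assumptions: the buildkite/agent:3-alpine tag, uid/gid 10001 and the
# /buildkite/builds path are chosen here for illustration.
FROM buildkite/agent:3-alpine

# Anything that needs root (extra packages, helm/kubectl binaries) goes here,
# before the USER switch. Left as a comment because the exact tools are
# deployment-specific.
# RUN apk add --no-cache ...

# Dedicated system user and group; a fixed numeric uid keeps the image
# reproducible and lets the cluster verify "non-root" without a passwd lookup.
RUN addgroup -S -g 10001 buildkite \
 && adduser -S -u 10001 -G buildkite -h /home/buildkite buildkite

# The agent must be able to write its checkouts and hooks as that user.
ENV BUILDKITE_BUILD_PATH=/buildkite/builds
RUN mkdir -p /buildkite/builds \
 && chown -R buildkite:buildkite /buildkite

# Everything from here on, including the inherited ENTRYPOINT that runs
# buildkite-agent, executes as the unprivileged user. Use the numeric form:
# Kubernetes' runAsNonRoot check cannot verify a user given only by name.
USER 10001:10001
```

Pair this with a pod `securityContext` that sets `runAsNonRoot: true` and `allowPrivilegeEscalation: false` so the cluster enforces the property even if a later image revision forgets the `USER` line. Two caveats: any step that shells out to `apk`/`apt` at pipeline time will now fail, which is the point of the change, and mounting the host docker socket into the pod would hand the process root-equivalent access regardless of the in-container uid. With Docker user namespacing (the maintainer's preference above) root inside the container is already mapped to an unprivileged host uid; the two measures are complementary rather than alternatives.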
So the main reasoning is I just don't want any container running as root in the cluster.
Why is that @jradtilbrook?
Oh thanks for posting those, I didn't think to look at the archived repo for existing issues.
Basically to add another layer of security. In case of an attack, the root user could install new packages to assist in an attack to expose other services etc. within the cluster. So I just want to run the buildkite-agent binary and other binaries with a least-privilege user to reduce those risks.
Thanks, that is good context. Makes sense! It's something we'll likely consider at some point in the future. Have been hoping Docker would fix a few more bugs around user namespacing first.
No worries!
Another thing: if you need to run elasticsearch, for, say, integration tests, it won't start as root.
There may be other software with the same issues though.