buildkite / agent

The Buildkite Agent is an open-source toolkit written in Go for securely running build jobs on any device or network
https://buildkite.com/
MIT License

Run docker container as non-root #1024

Open jradtilbrook opened 5 years ago

jradtilbrook commented 5 years ago

The docker image (alpine and ubuntu) runs as the root user by default which is a security risk. Would you consider changing to a less privileged user?

lox commented 5 years ago

Can you tell us a bit more about the context you are using the image in where you consider it a security risk?

It's certainly something we'd consider; it just makes orchestration a lot more complicated, especially for Docker with user namespacing enabled (which I'd consider the stronger security if I had to choose).


jradtilbrook commented 5 years ago

Sure! I'm using the Buildkite Helm chart to deploy an agent inside a Kubernetes cluster and using that agent to perform deploys of services inside the cluster using Helm. So I'm actually baking more binaries into the docker image and can change the user from there as well.

So the main reasoning is I just don't want any container running as root in the cluster. Especially since my use case doesn't mount the Docker socket from the host and all pipeline commands are run directly from the agent's pod.

Since I'm extending the image anyway it's not necessary for my use case but thought it might be useful for others if it was the default.

Let me know what you think or if you need more info.
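The approach described above (extending the image and switching the user there), as an added example that is not part of this thread or the buildkite/agent repository: a Dockerfile that layers a dedicated non-root user onto the official image. The base image tag and the /buildkite data path are assumptions based on the image's defaults; adjust them if your agent config points elsewhere.

```dockerfile
# Added example, not from the buildkite/agent repo. Assumes the official
# ubuntu-based image tag and that the agent keeps builds/hooks/plugins
# under /buildkite (the image's default buildkite-agent.cfg paths).
FROM buildkite/agent:3-ubuntu

# Any extra tooling (e.g. helm for in-cluster deploys) is installed here,
# while still root at build time. Installing at build time is what lets the
# runtime user do without package-manager privileges.
# RUN apt-get update && apt-get install -y --no-install-recommends <tools> ...

# A dedicated user with a fixed, high UID/GID: the numeric IDs can be
# referenced from a Kubernetes securityContext (runAsUser / fsGroup) and
# cannot collide with a real account on the node.
RUN groupadd --gid 10001 buildkite-agent \
 && useradd --uid 10001 --gid 10001 --create-home --shell /bin/bash buildkite-agent

# The agent needs to write checkouts, hooks and plugins under /buildkite;
# hand only that tree to the new user. Everything else in the image stays
# root-owned, so the agent process cannot modify binaries or system config.
RUN chown -R buildkite-agent:buildkite-agent /buildkite

# From here on (and at container runtime) nothing runs as UID 0. Using the
# numeric form lets runAsNonRoot checks verify the user without resolving
# names inside the image.
USER 10001:10001
```

With the image built this way, `securityContext.runAsNonRoot: true` on the pod lets the kubelet refuse to start any container whose image would still default to UID 0, so a later regression to the stock root default fails closed rather than silently.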

toolmantim commented 5 years ago

Related: https://github.com/buildkite/docker-buildkite-agent/pull/18

toolmantim commented 5 years ago

And https://github.com/buildkite/docker-buildkite-agent/pull/38

lox commented 5 years ago

So the main reasoning is I just don't want any container running as root in the cluster.

Why is that @jradtilbrook?

jradtilbrook commented 5 years ago

Oh thanks for posting those, I didn't think to look at the archived repo for existing issues.

Basically to add another layer of security. In case of an attack, the root user could install new packages to assist in an attack to expose other services etc. within the cluster. So I just want to run the buildkite-agent binary and other binaries with a least-privilege user to reduce those risks.

lox commented 5 years ago

Thanks, that is good context. Makes sense! It's something we'll likely consider at some point in the future. Have been hoping Docker would fix a few more bugs around user namespacing first.

jradtilbrook commented 5 years ago

No worries!

caarlos0 commented 4 years ago

Another thing: if you need to run elasticsearch, for, say, integration tests, it won't start as root.

There may be other software with the same issues though.