carlossg / docker-maven

Official Docker image with Maven
Apache License 2.0

set default user to non-root #460

Open lkwg82 opened 3 months ago

lkwg82 commented 3 months ago

Runs the container as user different from root for security reasons.

See https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-2-set-a-user

carlossg commented 3 months ago

thanks, this was brought up previously with the Docker official images maintainers and the answer was to keep the default user as root, unfortunately I cannot find the issue where this was brought up

lkwg82 commented 3 months ago

Here it is: https://github.com/carlossg/docker-maven/pull/8#issuecomment-151805689

This would mean any user runs as root or needs to inherit from this image to run as non-root.

What about making it secure by default and open to run as root? (invert the current behaviour + docs)

carlossg commented 2 months ago

this comment here from official images maintainers: https://github.com/docker-library/official-images/pull/690#issuecomment-97490517

lkwg82 commented 2 months ago

Hmm. Do you think of your image as rather a base image or an end-user image?

When you answer base image, I would offer to add a non-root image besides your base image.

carlossg commented 2 months ago

it is a base image, I could add a nonroot image, but would need to somehow be generated as I don't want to maintain 2x the images

jglick commented 1 month ago

Is there already some parameterization system in place which might allow this repo to publish an alternate set of tags that would switch to a nonroot user?

As it stands, this image is ~~hard~~ less than obvious how to use directly in a CI system which for example enforces K8s PSA at the restricted level. In Jenkins (edit as of https://github.com/jenkinsci/kubernetes-plugin/pull/1571):

```groovy
podTemplate(yaml: '''
apiVersion: v1
kind: Pod
spec:
  containers:
  - name: maven
    image: maven
    command:
    - sleep
    args:
    - infinity
    securityContext:
      runAsUser: 1000
    env:
    - name: MAVEN_OPTS
      value: -Duser.home=/home/jenkins/agent
''') {
    node(POD_LABEL) {
        git 'https://github.com/jglick/simple-maven-project-with-tests'
        container('maven') {
            sh 'mvn -B -ntp compile'
        }
    }
}
```

or if you prefer

```groovy
podTemplate(containers: [containerTemplate(name: 'maven', image: 'maven', command: 'sleep', args: 'infinity', runAsUser: '1000', envVars: [envVar(key: 'MAVEN_OPTS', value: '-Duser.home=/home/jenkins/agent')])]) {
    // … as before
}
```

carlossg commented 1 month ago

There is some code generation here https://github.com/carlossg/docker-maven/blob/main/publish.sh#L19

Would need something to create new dies for the nonroot variants
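One way the nonroot variants discussed in this thread could be generated alongside the base tags, as an added example that is not the project's own publish.sh: a POSIX shell function that derives a Dockerfile from a given base tag, adds an unprivileged user with a writable home, and switches to a numeric `USER` so that a Kubernetes `runAsNonRoot` check can validate it without reading `/etc/passwd`. The `-nonroot` tag suffix, the `maven` user name, the default UID/GID and the `MAVEN_CONFIG` path are assumptions.

```shell
# Added example, not the project's publish.sh. Tag suffix, user name,
# UID/GID and MAVEN_CONFIG location are assumptions.
set -eu

# Emit a Dockerfile that derives from the base tag in $1 and drops root.
# $2 = uid (default 1000), $3 = gid (default 1000).
gen_nonroot_dockerfile() {
  base="$1"; uid="${2:-1000}"; gid="${3:-1000}"
  cat <<EOF
FROM ${base}
# Unprivileged user with a real home so Maven can write its local repo
RUN groupadd -g ${gid} maven \\
 && useradd -m -u ${uid} -g ${gid} -s /bin/bash maven
# Local repository under the new home (assumed path, not the base image's)
ENV MAVEN_CONFIG=/home/maven/.m2
# Numeric UID:GID lets Kubernetes runAsNonRoot validate the image directly
USER ${uid}:${gid}
WORKDIR /home/maven
EOF
}

# Variant tag name: maven:3-eclipse-temurin-17 -> maven:3-eclipse-temurin-17-nonroot
nonroot_tag() {
  printf '%s-nonroot\n' "$1"
}

# Write the generated Dockerfile for one base tag into directory $2 and
# print the path written, so a publish loop can build it next.
write_variant() {
  base="$1"; out="$2"
  mkdir -p "$out"
  gen_nonroot_dockerfile "$base" > "$out/Dockerfile"
  printf '%s\n' "$out/Dockerfile"
}
```

A publish loop would call `write_variant` once per base tag and build the result under the name returned by `nonroot_tag`.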