Closed avanide closed 4 months ago
The current values are part historical artifact (the adduser
command we used initially chose these values) and part compatibility (users now have state on-disk which is likely already owned by this uid/gid).
This is honestly the first time I've heard of a recommendation to use values higher than 10000 though -- that seems weird? Anything non-root should be pretty reasonable, especially coupled with no-new-privileges.
One thing we do try to do is make sure images can run as any arbitrary UID/GID (given appropriate pre-configured directory permissions), which makes this easier for users to tweak/adjust at runtime to match whatever policies/threat models they might have which differ from our general purpose defaults.
Hi Tianon,
Thanks for the reply. We use SAST and tools such as Trivy complain about that. The reasoning is the one in the third link provided: "If a process attempts to escalate privilege outside of the namespace, the process is running as an unprivileged high-number UID on the host, not mapped to a real user. This means the process has no privileges on the host system and cannot be attacked by this method." Applying this best practice reduces the likelihood that, if the container is compromised, the attacker could escalate on the host. This weakness is not classified as "critical" or "high": it is either medium or low depending on the SAST tool in use. It is part of "defense in depth".
I understand it will be difficult to change without breaking your current userbase and that we should adapt the UID/GID ourselves.
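An added example (not code from the rabbitmq image or from this thread) that does mechanically what the thread is arguing about: it resolves an image's effective runtime UID/GID from the Dockerfile `USER` directive, applies a `docker run --user uid:gid` override the same way the runtime does, and reports the two findings the quoted rationale is about, a uid below 10000 and a uid that is also a real user in the host's /etc/passwd. The Dockerfile and both passwd files are constructed samples; group names are not resolved.

```python
"""Audit a container image's effective runtime UID/GID.

Added example, not code from the rabbitmq image or this thread. The
Dockerfile and the image/host /etc/passwd contents are constructed samples;
10000 is the floor the security tools quoted in the thread apply.
"""
import re

HIGH_UID_FLOOR = 10000


def parse_passwd(text):
    """Return {name: (uid, gid)} from /etc/passwd-style content."""
    users = {}
    for line in text.splitlines():
        f = line.strip().split(":")
        if len(f) >= 4 and f[2].isdigit() and f[3].isdigit():
            users[f[0]] = (int(f[2]), int(f[3]))
    return users


def resolve_user(spec, passwd):
    """Resolve 'name', 'uid', 'name:gid' or 'uid:gid' to numeric (uid, gid).

    Group names are not resolved (that needs /etc/group). A numeric uid with
    no passwd entry gets gid 0, matching Docker's handling of unknown uids.
    """
    user_part, _, group_part = spec.partition(":")
    if user_part.isdigit():
        uid = int(user_part)
        primary = next((g for u, g in passwd.values() if u == uid), 0)
    elif user_part in passwd:
        uid, primary = passwd[user_part]
    else:
        raise ValueError(f"user {user_part!r} not in image /etc/passwd")
    gid = int(group_part) if group_part.isdigit() else primary
    return uid, gid


def effective_user(dockerfile, passwd, user_override=None):
    """Last USER directive wins and no USER means root; a runtime
    `docker run --user uid:gid` (user_override) replaces it entirely."""
    spec = "0"
    for line in dockerfile.splitlines():
        m = re.match(r"\s*USER\s+(\S+)", line, re.IGNORECASE)
        if m:
            spec = m.group(1)
    return resolve_user(user_override or spec, passwd)


def audit(uid, gid, host_passwd):
    """Findings a reviewer would raise for this identity on a given host."""
    findings = []
    if uid == 0:
        findings.append("runs as root")
    elif uid < HIGH_UID_FLOOR:
        findings.append(f"uid {uid} is below {HIGH_UID_FLOOR}")
    for name, (huid, _) in host_passwd.items():
        if huid == uid:
            findings.append(f"uid {uid} is host user {name!r}")
    if gid == 0 and uid != 0:
        findings.append("gid 0 (root group)")
    return findings


# Constructed samples: a 999/999 service user, like the defaults the thread
# discusses, and a Debian-style host where uid 999 is already in use.
DOCKERFILE = "FROM debian:bookworm-slim\nUSER rabbitmq\n"
IMAGE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nrabbitmq:x:999:999::/var/lib/rabbitmq:/bin/sh\n"
HOST_PASSWD = "root:x:0:0:root:/root:/bin/bash\nsystemd-coredump:x:999:999::/:/usr/sbin/nologin\n"

if __name__ == "__main__":
    host = parse_passwd(HOST_PASSWD)
    for override in (None, "12345:12345"):
        uid, gid = effective_user(DOCKERFILE, parse_passwd(IMAGE_PASSWD), override)
        print(override or "Dockerfile USER", (uid, gid), audit(uid, gid, host))
```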
In cases like these, I like to see how other popular software projects behave.
@tianon frankly I think this issue can be closed.
As long as you confirmed we can tweak the uid/gid at runtime (as tianon wrote), I would agree.
> As long as you confirmed we can tweak the uid/gid at runtime (as tianon wrote), I would agree.
No, you (or someone else who cares about this) would have to submit a PR to add that feature.
Here is why I am closing the issue:
@avanide you seem to be on a crusade with regard to this issue (link). It is generally considered rude to spam several projects with the same request if you are unwilling to put the effort into making the requested changes yourself, or paying to have them done.
Finally, according to this issue, using a different user/group should be supported. @avanide it is up to you to provide a way to demonstrate that this is not working as intended. If you do, I will re-open this issue.
@lukebakken Sorry, my intent was not to be on a crusade: my apologies if it was seen like that. Regarding Zookeeper, my thought was just that both projects are independent and I would not expect one to watch the other. We use both on one of our projects and informing the projects of those practices (revealed by security tools) seems a collaborative effort. Sorry if it was not interpreted like that.
We can fix it using the guidance. I was just thinking that getting the best practice by default was better for every user. But I understand your position, that's fine :)
> getting the best practice by default
I am not convinced that the recommendations of a couple security tools should be considered "best practices". If using different UID/GID values by default truly were "best practices", I would expect to see it in use in the projects to which I linked.
$ docker run -it --rm --user 12345:12345 --pull=always rabbitmq
latest: Pulling from library/rabbitmq
Digest: sha256:887813c17fd5a130fba5fb8f61e2f74b3feb58567fc037367ccf3341b4068de9
Status: Image is up to date for rabbitmq:latest
2024-07-08 17:50:57.943043+00:00 [notice] <0.44.0> Application syslog exited with reason: stopped
2024-07-08 17:50:57.946486+00:00 [notice] <0.254.0> Logging: switching to configured handler(s); following messages may not be visible in this log output
2024-07-08 17:50:57.946987+00:00 [notice] <0.254.0> Logging: configured log handlers are now ACTIVE
2024-07-08 17:50:57.951935+00:00 [info] <0.254.0> ra: starting system quorum_queues
2024-07-08 17:50:57.952025+00:00 [info] <0.254.0> starting Ra system: quorum_queues in directory: /var/lib/rabbitmq/mnesia/rabbit@a79c36b4bf6c/quorum/rabbit@a79c36b4bf6c
2024-07-08 17:50:58.005315+00:00 [info] <0.268.0> ra system 'quorum_queues' running pre init for 0 registered servers
2024-07-08 17:50:58.010087+00:00 [info] <0.269.0> ra: meta data store initialised for system quorum_queues. 0 record(s) recovered
2024-07-08 17:50:58.016561+00:00 [notice] <0.274.0> WAL: ra_log_wal init, open tbls: ra_log_open_mem_tables, closed tbls: ra_log_closed_mem_tables
2024-07-08 17:50:58.023401+00:00 [info] <0.254.0> ra: starting system coordination
2024-07-08 17:50:58.023444+00:00 [info] <0.254.0> starting Ra system: coordination in directory: /var/lib/rabbitmq/mnesia/rabbit@a79c36b4bf6c/coordination/rabbit@a79c36b4bf6c
2024-07-08 17:50:58.023956+00:00 [info] <0.282.0> ra system 'coordination' running pre init for 0 registered servers
2024-07-08 17:50:58.024289+00:00 [info] <0.283.0> ra: meta data store initialised for system coordination. 0 record(s) recovered
2024-07-08 17:50:58.024400+00:00 [notice] <0.288.0> WAL: ra_coordination_log_wal init, open tbls: ra_coordination_log_open_mem_tables, closed tbls: ra_coordination_log_closed_mem_tables
2024-07-08 17:50:58.026599+00:00 [info] <0.254.0> ra: starting system coordination
2024-07-08 17:50:58.026650+00:00 [info] <0.254.0> starting Ra system: coordination in directory: /var/lib/rabbitmq/mnesia/rabbit@a79c36b4bf6c/coordination/rabbit@a79c36b4bf6c
2024-07-08 17:50:58.081067+00:00 [info] <0.254.0> Waiting for Khepri leader for 30000 ms, 9 retries left
2024-07-08 17:50:58.085921+00:00 [notice] <0.292.0> RabbitMQ metadata store: candidate -> leader in term: 1 machine version: 0
2024-07-08 17:50:58.090298+00:00 [info] <0.254.0> Khepri leader elected
2024-07-08 17:50:58.284986+00:00 [info] <0.254.0>
2024-07-08 17:50:58.284986+00:00 [info] <0.254.0> Starting RabbitMQ 3.13.4 on Erlang 26.2.5.1 [jit]
2024-07-08 17:50:58.284986+00:00 [info] <0.254.0> Copyright (c) 2007-2024 Broadcom Inc and/or its subsidiaries
2024-07-08 17:50:58.284986+00:00 [info] <0.254.0> Licensed under the MPL 2.0. Website: https://rabbitmq.com
## ## RabbitMQ 3.13.4
## ##
########## Copyright (c) 2007-2024 Broadcom Inc and/or its subsidiaries
###### ##
########## Licensed under the MPL 2.0. Website: https://rabbitmq.com
Erlang: 26.2.5.1 [jit]
TLS Library: OpenSSL - OpenSSL 3.1.6 4 Jun 2024
Release series support status: see https://www.rabbitmq.com/release-information
Doc guides: https://www.rabbitmq.com/docs
Support: https://www.rabbitmq.com/docs/contact
Tutorials: https://www.rabbitmq.com/tutorials
Monitoring: https://www.rabbitmq.com/docs/monitoring
Upgrading: https://www.rabbitmq.com/docs/upgrade
Logs: <stdout>
Config file(s): /etc/rabbitmq/conf.d/10-defaults.conf
/etc/rabbitmq/conf.d/20-management_agent.disable_metrics_collector.conf
Starting broker...2024-07-08 17:50:58.285851+00:00 [info] <0.254.0>
2024-07-08 17:50:58.285851+00:00 [info] <0.254.0> node : rabbit@a79c36b4bf6c
2024-07-08 17:50:58.285851+00:00 [info] <0.254.0> home dir : /var/lib/rabbitmq
2024-07-08 17:50:58.285851+00:00 [info] <0.254.0> config file(s) : /etc/rabbitmq/conf.d/10-defaults.conf
2024-07-08 17:50:58.285851+00:00 [info] <0.254.0> : /etc/rabbitmq/conf.d/20-management_agent.disable_metrics_collector.conf
2024-07-08 17:50:58.285851+00:00 [info] <0.254.0> cookie hash : RIeXcaphnc2hpjKkkfxx3A==
2024-07-08 17:50:58.285851+00:00 [info] <0.254.0> log(s) : <stdout>
2024-07-08 17:50:58.285851+00:00 [info] <0.254.0> data dir : /var/lib/rabbitmq/mnesia/rabbit@a79c36b4bf6c
2024-07-08 17:50:58.417260+00:00 [info] <0.254.0> Running boot step pre_boot defined by app rabbit
2024-07-08 17:50:58.417312+00:00 [info] <0.254.0> Running boot step rabbit_global_counters defined by app rabbit
2024-07-08 17:50:58.417497+00:00 [info] <0.254.0> Running boot step rabbit_osiris_metrics defined by app rabbit
2024-07-08 17:50:58.417573+00:00 [info] <0.254.0> Running boot step rabbit_core_metrics defined by app rabbit
2024-07-08 17:50:58.418209+00:00 [info] <0.254.0> Running boot step rabbit_alarm defined by app rabbit
2024-07-08 17:50:58.423281+00:00 [info] <0.329.0> Memory high watermark set to 25570 MiB (26813069721 bytes) of 63927 MiB (67032674304 bytes) total
2024-07-08 17:50:58.424809+00:00 [info] <0.331.0> Enabling free disk space monitoring (disk free space: 627325526016, total memory: 67032674304)
2024-07-08 17:50:58.424851+00:00 [info] <0.331.0> Disk free limit set to 50MB
2024-07-08 17:50:58.425804+00:00 [info] <0.254.0> Running boot step code_server_cache defined by app rabbit
2024-07-08 17:50:58.425865+00:00 [info] <0.254.0> Running boot step file_handle_cache defined by app rabbit
2024-07-08 17:50:58.429212+00:00 [info] <0.334.0> Limiting to approx 1048479 file handles (943629 sockets)
2024-07-08 17:50:58.429327+00:00 [info] <0.335.0> FHC read buffering: OFF
2024-07-08 17:50:58.429365+00:00 [info] <0.335.0> FHC write buffering: ON
2024-07-08 17:50:58.429561+00:00 [info] <0.254.0> Running boot step worker_pool defined by app rabbit
2024-07-08 17:50:58.429611+00:00 [info] <0.315.0> Will use 16 processes for default worker pool
2024-07-08 17:50:58.429647+00:00 [info] <0.315.0> Starting worker pool 'worker_pool' with 16 processes in it
2024-07-08 17:50:58.430130+00:00 [info] <0.254.0> Running boot step database defined by app rabbit
2024-07-08 17:50:58.430314+00:00 [info] <0.254.0> Peer discovery: configured backend: rabbit_peer_discovery_classic_config
2024-07-08 17:50:58.430820+00:00 [notice] <0.316.0> Feature flags: attempt to enable `quorum_queue_non_voters`...
2024-07-08 17:50:58.502546+00:00 [notice] <0.316.0> Feature flags: `quorum_queue_non_voters` enabled
2024-07-08 17:50:58.502727+00:00 [notice] <0.316.0> Feature flags: attempt to enable `stream_update_config_command`...
2024-07-08 17:50:58.571334+00:00 [notice] <0.316.0> Feature flags: `stream_update_config_command` enabled
2024-07-08 17:50:58.571460+00:00 [notice] <0.316.0> Feature flags: attempt to enable `stream_filtering`...
2024-07-08 17:50:58.638490+00:00 [notice] <0.316.0> Feature flags: `stream_filtering` enabled
2024-07-08 17:50:58.638598+00:00 [notice] <0.316.0> Feature flags: attempt to enable `stream_sac_coordinator_unblock_group`...
2024-07-08 17:50:58.705504+00:00 [notice] <0.316.0> Feature flags: `stream_sac_coordinator_unblock_group` enabled
2024-07-08 17:50:58.705603+00:00 [notice] <0.316.0> Feature flags: attempt to enable `restart_streams`...
2024-07-08 17:50:58.772189+00:00 [notice] <0.316.0> Feature flags: `restart_streams` enabled
2024-07-08 17:50:58.772285+00:00 [notice] <0.316.0> Feature flags: attempt to enable `message_containers`...
2024-07-08 17:50:58.837268+00:00 [notice] <0.316.0> Feature flags: `message_containers` enabled
2024-07-08 17:50:58.837362+00:00 [notice] <0.316.0> Feature flags: attempt to enable `message_containers_deaths_v2`...
2024-07-08 17:50:58.904330+00:00 [notice] <0.316.0> Feature flags: `message_containers_deaths_v2` enabled
2024-07-08 17:50:58.904499+00:00 [info] <0.254.0> DB: virgin node -> run peer discovery
2024-07-08 17:50:58.911394+00:00 [notice] <0.44.0> Application mnesia exited with reason: stopped
2024-07-08 17:50:59.005968+00:00 [info] <0.254.0> Waiting for Mnesia tables for 30000 ms, 9 retries left
2024-07-08 17:50:59.006124+00:00 [info] <0.254.0> Successfully synced tables from a peer
2024-07-08 17:50:59.006200+00:00 [info] <0.254.0> Waiting for Mnesia tables for 30000 ms, 9 retries left
2024-07-08 17:50:59.006279+00:00 [info] <0.254.0> Successfully synced tables from a peer
2024-07-08 17:50:59.011500+00:00 [info] <0.254.0> Waiting for Mnesia tables for 30000 ms, 9 retries left
2024-07-08 17:50:59.011570+00:00 [info] <0.254.0> Successfully synced tables from a peer
2024-07-08 17:50:59.011673+00:00 [info] <0.254.0> Running boot step tracking_metadata_store defined by app rabbit
2024-07-08 17:50:59.011746+00:00 [info] <0.563.0> Setting up a table for connection tracking on this node: tracked_connection
2024-07-08 17:50:59.011800+00:00 [info] <0.563.0> Setting up a table for per-vhost connection counting on this node: tracked_connection_per_vhost
2024-07-08 17:50:59.011850+00:00 [info] <0.563.0> Setting up a table for per-user connection counting on this node: tracked_connection_per_user
2024-07-08 17:50:59.011912+00:00 [info] <0.563.0> Setting up a table for channel tracking on this node: tracked_channel
2024-07-08 17:50:59.011950+00:00 [info] <0.563.0> Setting up a table for channel tracking on this node: tracked_channel_per_user
2024-07-08 17:50:59.012005+00:00 [info] <0.254.0> Running boot step networking_metadata_store defined by app rabbit
2024-07-08 17:50:59.012072+00:00 [info] <0.254.0> Running boot step feature_flags defined by app rabbit
2024-07-08 17:50:59.012159+00:00 [info] <0.254.0> Running boot step codec_correctness_check defined by app rabbit
2024-07-08 17:50:59.012192+00:00 [info] <0.254.0> Running boot step external_infrastructure defined by app rabbit
2024-07-08 17:50:59.012225+00:00 [info] <0.254.0> Running boot step rabbit_event defined by app rabbit
2024-07-08 17:50:59.012313+00:00 [info] <0.254.0> Running boot step rabbit_registry defined by app rabbit
2024-07-08 17:50:59.012383+00:00 [info] <0.254.0> Running boot step rabbit_auth_mechanism_amqplain defined by app rabbit
2024-07-08 17:50:59.012447+00:00 [info] <0.254.0> Running boot step rabbit_auth_mechanism_cr_demo defined by app rabbit
2024-07-08 17:50:59.012505+00:00 [info] <0.254.0> Running boot step rabbit_auth_mechanism_plain defined by app rabbit
2024-07-08 17:50:59.012551+00:00 [info] <0.254.0> Running boot step rabbit_exchange_type_direct defined by app rabbit
2024-07-08 17:50:59.012617+00:00 [info] <0.254.0> Running boot step rabbit_exchange_type_fanout defined by app rabbit
2024-07-08 17:50:59.012663+00:00 [info] <0.254.0> Running boot step rabbit_exchange_type_headers defined by app rabbit
2024-07-08 17:50:59.012705+00:00 [info] <0.254.0> Running boot step rabbit_exchange_type_topic defined by app rabbit
2024-07-08 17:50:59.012753+00:00 [info] <0.254.0> Running boot step rabbit_mirror_queue_mode_all defined by app rabbit
2024-07-08 17:50:59.012808+00:00 [info] <0.254.0> Running boot step rabbit_mirror_queue_mode_exactly defined by app rabbit
2024-07-08 17:50:59.012846+00:00 [info] <0.254.0> Running boot step rabbit_mirror_queue_mode_nodes defined by app rabbit
2024-07-08 17:50:59.012886+00:00 [info] <0.254.0> Running boot step rabbit_priority_queue defined by app rabbit
2024-07-08 17:50:59.012919+00:00 [info] <0.254.0> Priority queues enabled, real BQ is rabbit_variable_queue
2024-07-08 17:50:59.012989+00:00 [info] <0.254.0> Running boot step rabbit_queue_location_client_local defined by app rabbit
2024-07-08 17:50:59.013046+00:00 [info] <0.254.0> Running boot step rabbit_queue_location_min_masters defined by app rabbit
2024-07-08 17:50:59.013106+00:00 [info] <0.254.0> Running boot step rabbit_queue_location_random defined by app rabbit
2024-07-08 17:50:59.013172+00:00 [info] <0.254.0> Running boot step kernel_ready defined by app rabbit
2024-07-08 17:50:59.013215+00:00 [info] <0.254.0> Running boot step rabbit_sysmon_minder defined by app rabbit
2024-07-08 17:50:59.013344+00:00 [info] <0.254.0> Running boot step rabbit_epmd_monitor defined by app rabbit
2024-07-08 17:50:59.013738+00:00 [info] <0.571.0> epmd monitor knows us, inter-node communication (distribution) port: 25672
2024-07-08 17:50:59.013826+00:00 [info] <0.254.0> Running boot step guid_generator defined by app rabbit
2024-07-08 17:50:59.016146+00:00 [info] <0.254.0> Running boot step rabbit_node_monitor defined by app rabbit
2024-07-08 17:50:59.016299+00:00 [info] <0.575.0> Starting rabbit_node_monitor (in ignore mode)
2024-07-08 17:50:59.016386+00:00 [info] <0.254.0> Running boot step delegate_sup defined by app rabbit
2024-07-08 17:50:59.016773+00:00 [info] <0.254.0> Running boot step rabbit_memory_monitor defined by app rabbit
2024-07-08 17:50:59.016921+00:00 [info] <0.254.0> Running boot step rabbit_fifo_dlx_sup defined by app rabbit
2024-07-08 17:50:59.016998+00:00 [info] <0.254.0> Running boot step core_initialized defined by app rabbit
2024-07-08 17:50:59.017026+00:00 [info] <0.254.0> Running boot step rabbit_channel_tracking_handler defined by app rabbit
2024-07-08 17:50:59.017082+00:00 [info] <0.254.0> Running boot step rabbit_connection_tracking_handler defined by app rabbit
2024-07-08 17:50:59.017123+00:00 [info] <0.254.0> Running boot step rabbit_definitions_hashing defined by app rabbit
2024-07-08 17:50:59.017188+00:00 [info] <0.254.0> Running boot step rabbit_exchange_parameters defined by app rabbit
2024-07-08 17:50:59.035858+00:00 [info] <0.254.0> Running boot step rabbit_mirror_queue_misc defined by app rabbit
2024-07-08 17:50:59.036298+00:00 [info] <0.254.0> Running boot step rabbit_policies defined by app rabbit
2024-07-08 17:50:59.036564+00:00 [info] <0.254.0> Running boot step rabbit_policy defined by app rabbit
2024-07-08 17:50:59.036630+00:00 [info] <0.254.0> Running boot step rabbit_queue_location_validator defined by app rabbit
2024-07-08 17:50:59.036681+00:00 [info] <0.254.0> Running boot step rabbit_quorum_memory_manager defined by app rabbit
2024-07-08 17:50:59.036731+00:00 [info] <0.254.0> Running boot step rabbit_quorum_queue defined by app rabbit
2024-07-08 17:50:59.036824+00:00 [info] <0.254.0> Running boot step rabbit_stream_coordinator defined by app rabbit
2024-07-08 17:50:59.036895+00:00 [info] <0.254.0> Running boot step rabbit_vhost_limit defined by app rabbit
2024-07-08 17:50:59.036946+00:00 [info] <0.254.0> Running boot step rabbit_federation_parameters defined by app rabbitmq_federation
2024-07-08 17:50:59.037045+00:00 [info] <0.254.0> Running boot step rabbit_federation_supervisor defined by app rabbitmq_federation
2024-07-08 17:50:59.040947+00:00 [info] <0.254.0> Running boot step rabbit_federation_queue defined by app rabbitmq_federation
2024-07-08 17:50:59.041055+00:00 [info] <0.254.0> Running boot step rabbit_federation_upstream_exchange defined by app rabbitmq_federation
2024-07-08 17:50:59.041134+00:00 [info] <0.254.0> Running boot step rabbit_mgmt_db_handler defined by app rabbitmq_management_agent
2024-07-08 17:50:59.041174+00:00 [info] <0.254.0> Management plugin: using rates mode 'basic'
2024-07-08 17:50:59.041313+00:00 [info] <0.254.0> Running boot step recovery defined by app rabbit
2024-07-08 17:50:59.049370+00:00 [info] <0.254.0> Running boot step empty_db_check defined by app rabbit
2024-07-08 17:50:59.049434+00:00 [info] <0.254.0> Will seed default virtual host and user...
2024-07-08 17:50:59.049513+00:00 [info] <0.254.0> Adding vhost '/' (description: 'Default virtual host', tags: [])
2024-07-08 17:50:59.066571+00:00 [info] <0.635.0> Making sure data directory '/var/lib/rabbitmq/mnesia/rabbit@a79c36b4bf6c/msg_stores/vhosts/628WB79CIFDYO9LJI6DKMI09L' for vhost '/' exists
2024-07-08 17:50:59.067089+00:00 [info] <0.635.0> Setting segment_entry_count for vhost '/' with 0 queues to '2048'
2024-07-08 17:50:59.073301+00:00 [info] <0.635.0> Starting message stores for vhost '/'
2024-07-08 17:50:59.073454+00:00 [info] <0.644.0> Message store "628WB79CIFDYO9LJI6DKMI09L/msg_store_transient": using rabbit_msg_store_ets_index to provide index
2024-07-08 17:50:59.074072+00:00 [info] <0.635.0> Started message store of type transient for vhost '/'
2024-07-08 17:50:59.074207+00:00 [info] <0.648.0> Message store "628WB79CIFDYO9LJI6DKMI09L/msg_store_persistent": using rabbit_msg_store_ets_index to provide index
2024-07-08 17:50:59.074488+00:00 [warning] <0.648.0> Message store "628WB79CIFDYO9LJI6DKMI09L/msg_store_persistent": rebuilding indices from scratch
2024-07-08 17:50:59.074922+00:00 [info] <0.635.0> Started message store of type persistent for vhost '/'
2024-07-08 17:50:59.075007+00:00 [info] <0.635.0> Recovering 0 queues of type rabbit_classic_queue took 7ms
2024-07-08 17:50:59.075053+00:00 [info] <0.635.0> Recovering 0 queues of type rabbit_quorum_queue took 0ms
2024-07-08 17:50:59.075084+00:00 [info] <0.635.0> Recovering 0 queues of type rabbit_stream_queue took 0ms
2024-07-08 17:50:59.077992+00:00 [info] <0.254.0> Created user 'guest'
2024-07-08 17:50:59.079707+00:00 [info] <0.254.0> Successfully set user tags for user 'guest' to [administrator]
2024-07-08 17:50:59.081430+00:00 [info] <0.254.0> Successfully set permissions for user 'guest' in virtual host '/' to '.*', '.*', '.*'
2024-07-08 17:50:59.081489+00:00 [info] <0.254.0> Running boot step rabbit_observer_cli defined by app rabbit
2024-07-08 17:50:59.081580+00:00 [info] <0.254.0> Running boot step rabbit_looking_glass defined by app rabbit
2024-07-08 17:50:59.081633+00:00 [info] <0.254.0> Running boot step rabbit_core_metrics_gc defined by app rabbit
2024-07-08 17:50:59.081736+00:00 [info] <0.254.0> Running boot step background_gc defined by app rabbit
2024-07-08 17:50:59.081833+00:00 [info] <0.254.0> Running boot step routing_ready defined by app rabbit
2024-07-08 17:50:59.081863+00:00 [info] <0.254.0> Running boot step pre_flight defined by app rabbit
2024-07-08 17:50:59.081883+00:00 [info] <0.254.0> Running boot step notify_cluster defined by app rabbit
2024-07-08 17:50:59.081935+00:00 [info] <0.254.0> Running boot step networking defined by app rabbit
2024-07-08 17:50:59.081963+00:00 [info] <0.254.0> Running boot step rabbit_quorum_queue_periodic_membership_reconciliation defined by app rabbit
2024-07-08 17:50:59.082092+00:00 [info] <0.254.0> Running boot step definition_import_worker_pool defined by app rabbit
2024-07-08 17:50:59.082133+00:00 [info] <0.315.0> Starting worker pool 'definition_import_pool' with 16 processes in it
2024-07-08 17:50:59.082583+00:00 [info] <0.254.0> Running boot step cluster_name defined by app rabbit
2024-07-08 17:50:59.082638+00:00 [info] <0.254.0> Initialising internal cluster ID to 'rabbitmq-cluster-id-6fEwBATh5BVr2QpezgBhKA'
2024-07-08 17:50:59.084392+00:00 [info] <0.254.0> Running boot step virtual_host_reconciliation defined by app rabbit
2024-07-08 17:50:59.084498+00:00 [info] <0.254.0> Running boot step direct_client defined by app rabbit
2024-07-08 17:50:59.084565+00:00 [info] <0.254.0> Running boot step rabbit_federation_exchange defined by app rabbitmq_federation
2024-07-08 17:50:59.084728+00:00 [info] <0.697.0> Resetting node maintenance status
2024-07-08 17:51:00.467085+00:00 [info] <0.735.0> Prometheus metrics: HTTP (non-TLS) listener started on port 15692
2024-07-08 17:51:00.467221+00:00 [info] <0.697.0> Ready to start client connection listeners
2024-07-08 17:51:00.468224+00:00 [info] <0.779.0> started TCP listener on [::]:5672
completed with 4 plugins.
2024-07-08 17:51:00.512993+00:00 [info] <0.697.0> Server startup complete; 4 plugins started.
2024-07-08 17:51:00.512993+00:00 [info] <0.697.0> * rabbitmq_prometheus
2024-07-08 17:51:00.512993+00:00 [info] <0.697.0> * rabbitmq_federation
2024-07-08 17:51:00.512993+00:00 [info] <0.697.0> * rabbitmq_management_agent
2024-07-08 17:51:00.512993+00:00 [info] <0.697.0> * rabbitmq_web_dispatch
2024-07-08 17:51:00.696737+00:00 [info] <0.9.0> Time to start RabbitMQ: 4515 ms
(confirmed still working :+1:)
Hello, I'm contacting you regarding the docker image you provide and its default user uid and gid.
Problem statement: Status:
I noticed the different issues and the fact it seems supported:
Recommendation of security tools: Many security tools consider using a uid >= 10000 recommended to reduce the likelihood of privilege escalation. Sources:
What I would expect: I would expect that the default uid/gid of the image is already pushing the recommended uid/gid (>= 10000). Is there anything that prevents us from using these uids by default on both images? Why do we use 100/101 & 999/999 by default?