Closed benjwadams closed 4 years ago
@benjwadams is this still an issue worth investigating while you're working in the Dockerfile?
Yes. It looks like the previous image, based upon "Phusion Baseimage", required root to run the init system it invoked. We are now using a CentOS 7 image, so it should be feasible to use a non-root user as long as any temporary storage for NetCDF files sent to the checker are writable by said user.
PS: If you really want to use an init system, docker run
always has the --init
argument so that you can still use an init system in an image which doesn't supply one by default.
Container should not be running as user root. This is doubly true as this service is designed to take untrusted binary user input and validate it, which opens a potential attack vector should the NetCDF libraries have a vulnerability to specially crafted input files.