Open christopherscholz opened 1 year ago
hey @christopherscholz are you working on this issue?
Hey @christopherscholz,
Thank you for the Docker epic upgrades, much appreciated. Do you plan on moving on with the non-root improvement yourself?
The issue was raised on my side, preventing me from using mage anymore for production. @dy46: any way the team could handle this?
If all else fails, I could maybe look into it, but I don't know much about permissions.
Added the doc for building custom docker image to run Mage as non-root users: https://docs.mage.ai/production/custom-docker-image/non-root-user
Is your feature request related to a problem? Please describe.
Currently the Image is not set up for running it as non-root user. Many things have to be changed for it to be possible.
It is best practice to run any container as non-root in production. This is to
There is a good article about it by bitnami.
But there are some use cases, which limit the possible options
Describe the solution you'd like
General
USER 1001
docker run --cap-drop=all
Python
Others (chmod) class for this virtual env
This is important to allow users adding new packages, but not change mage base packages
R
Others (chmod) class for the additional paths
This is important to allow users adding additional packages, but not change mage base packages (pacman, renv)
Using an anonymous user without home or name allows us to overwrite in kubernetes security context, docker run or docker compose definition. Developers can still use root user for their local development.
Describe alternatives you've considered
Setting up the non-root user as a user with home and name
Setting uid as argument for the build and set up the non-root user as a user with home and name
Additional context
This must not break previous deployments.
This is part of the mage roadmap.
This is replacement for unfinished #2064
Slack conversation regarding implementation details.
cc: @wangxiaoyou1993
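An added example (not part of the issue or of Mage's code): a POSIX shell check for the permission layout proposed above, where the base packages must not be modifiable by an arbitrary UID while the user-package directories must accept new files from one. The function names, directory names and the sample tree are constructed placeholders.

```shell
#!/bin/sh
# Added example. Paths are constructed placeholders, not Mage's real layout.

# List entries under $1 that any UID can modify ("others" write bit set).
# Symlinks are skipped: their own mode bits are always 0777 and meaningless.
others_writable() {
    find "$1" ! -type l -perm -0002
}

# List directories under $1 that an anonymous UID could NOT add files to
# (adding a file needs others r, w and x on the directory).
others_locked_dirs() {
    find "$1" -type d ! -perm -0007
}

# audit_layout BASE_DIR USER_DIR -> 0 if the layout matches the proposal.
audit_layout() {
    rc=0
    found=$(others_writable "$1")
    if [ -n "$found" ]; then
        printf 'base packages modifiable by any UID:\n%s\n' "$found" >&2
        rc=1
    fi
    found=$(others_locked_dirs "$2")
    if [ -n "$found" ]; then
        printf 'user env not writable for UID 1001:\n%s\n' "$found" >&2
        rc=1
    fi
    return "$rc"
}

# Constructed sample tree standing in for an image's filesystem.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/base/pkg" "$root/user/site-packages"
    : > "$root/base/pkg/core.py"
    chmod -R u=rwX,go=rX "$root/base"   # base: read-only for others
    chmod -R a=rwX "$root/user"         # user env: open to any UID
    printf '%s\n' "$root"
}

sample=$(make_sample)
if audit_layout "$sample/base" "$sample/user"; then
    echo "layout ok"
fi
rm -rf "$sample"
```

Run against the real package paths at the end of an image build, `audit_layout` returns non-zero when a base directory is left open to every UID or a user-package directory is closed to it.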