This change drops the root privileges to privilege-escalation attacks
from within the observer node and proxy containers.
In order not to import a third party tool like "GOSU",
ubuntu needed to be upgraded to 20.04.
This provides the setpriv command from the linux-util package,
included by default in the OS.
The best way to prevent privilege-escalation attacks from within a container is to configure your container’s applications to run as unprivileged users.
I've only changed this in mainnet, because I'm familiar with running and testing it. The other variants, like rosetta and covalent I'm not familiar with and therefore did not want to break anything.
This change drops the root privileges to privilege-escalation attacks from within the observer node and proxy containers.
In order not to import a third party tool like "GOSU", ubuntu needed to be upgraded to 20.04. This provides the setpriv command from the linux-util package, included by default in the OS.
This follows the recommendation from https://docs.docker.com/engine/security/userns-remap/:
I've only changed this in
mainnet, because I'm familiar with running and testing it. The other variants, likerosettaandcovalentI'm not familiar with and therefore did not want to break anything.