oauth2-proxy / oauth2-proxy

A reverse proxy that provides authentication with Google, Azure, OpenID Connect and many more identity providers.
https://oauth2-proxy.github.io/oauth2-proxy
MIT License

[Bug]: Distroless docker container is unable to use unix domain socket. #2557

Open simeoncran opened 8 months ago

simeoncran commented 8 months ago

OAuth2-Proxy Version

7.6.0

Provider

google

Expected Behaviour

Distroless and Alpine containers should work the same with regard to using a unix domain socket.

Current Behaviour

Distroless container fails because the unix domain socket does not get created. This results in a message about failing to bind to the socket (exact message depends on user permissions).

Steps To Reproduce

  1. Create a docker container using the quay.io/oauth2-proxy/oauth2-proxy:latest image and specify a unix domain socket with "OAUTH2_PROXY_HTTP_ADDRESS=unix://my_sockets/oauth2_proxy.sock"

Possible Solutions

If you use the quay.io/oauth2-proxy/oauth2-proxy:latest-alpine image it works as expected: the socket is created. It seems that go's net.Listen("unix", ...) depends on something that is missing in distroless. Start here: https://github.com/oauth2-proxy/oauth2-proxy/blob/5a058471861260533160ef26c5093ff34a976f45/pkg/http/server.go#L75

Configuration details or additional information

No response

tuunit commented 8 months ago

The distroless image runs as a nonroot user. You are not allowed to create files on the root level of the filesystem. Could you try:

OAUTH2_PROXY_HTTP_ADDRESS=unix://tmp/oauth2_proxy.sock

simeoncran commented 8 months ago

Hi Jan,

They're already not being created at the root of the filesystem. Here's what the permissions look like for the unix socket on the alpine version:

unix://my_sockets/oauth2_proxy.sock

ls -ld /my_sockets
drwxrwxrwt    2 root     root            80 Mar 28 06:44 my_sockets
ls -l /my_sockets
srwxr-xr-x    1 xfs      xfs              0 Mar 28 06:44 oauth2_proxy.sock

The socket is created with uid:gid 33:33 (xfs:xfs) because I'm setting USER 33:33 in the Dockerfile to run oauth2-proxy as 33 so that it's the same user that my NginX is running as. The NginX and oauth2_proxy processes need to be running with the same uid so they can share the socket.

The /my_sockets directory is created in my docker-compose.yaml with:

volumes:
  my_sockets:
    driver_opts:
      type: tmpfs
      device: tmpfs
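
The thread above narrows the failure to the bind of the unix socket itself, with the error text depending on the uid the container runs as. The following is an added example (not oauth2-proxy's own code, and not a fix for this issue) showing how a Go service can front `net.Listen("unix", ...)` with the checks a non-root container needs so the error names the real cause: does the socket directory exist, is it writable by the current uid, and is something other than a stale socket sitting at the path. It also tightens the created socket to a caller-supplied mode (0660 here), so that only the shared uid/gid, such as the one the reverse proxy in front runs as, can connect; Go's default leaves the socket at umask-derived permissions, which is why the `ls -l` above shows `srwxr-xr-x`. The function name `ListenUnixChecked` and the default path under the temp directory are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
	"path/filepath"
	"syscall"
)

// wOK is the W_OK bit from <unistd.h>; spelled out so the example does not
// depend on a platform-specific constant name.
const wOK = 0x2

// ListenUnixChecked binds a unix domain socket at path after checking the
// things that commonly go wrong for a fixed, non-root USER in a container:
// the parent directory must exist, be a directory and be writable by the
// current uid. A stale socket left by a previous run is removed; any other
// kind of file at that path is left alone and reported. After binding, the
// socket is chmod'ed to mode so only the intended uid/gid can connect.
// (Example helper; this is not an oauth2-proxy function.)
func ListenUnixChecked(path string, mode os.FileMode) (net.Listener, error) {
	dir := filepath.Dir(path)
	st, err := os.Stat(dir)
	if err != nil {
		return nil, fmt.Errorf("socket directory %q: %w (running as uid %d)", dir, err, os.Getuid())
	}
	if !st.IsDir() {
		return nil, fmt.Errorf("socket directory %q is not a directory", dir)
	}
	// Access(2) checks against the real uid/gid, which is what matters for a
	// process started as a fixed USER in the image.
	if err := syscall.Access(dir, wOK); err != nil {
		return nil, fmt.Errorf("socket directory %q not writable by uid %d: %w", dir, os.Getuid(), err)
	}
	// Clean up a stale socket from a previous run, but never anything else.
	if fi, err := os.Lstat(path); err == nil {
		if fi.Mode()&os.ModeSocket == 0 {
			return nil, fmt.Errorf("%q exists and is not a socket; refusing to remove it", path)
		}
		if err := os.Remove(path); err != nil {
			return nil, fmt.Errorf("removing stale socket %q: %w", path, err)
		}
	} else if !errors.Is(err, os.ErrNotExist) {
		return nil, err
	}
	ln, err := net.Listen("unix", path)
	if err != nil {
		return nil, fmt.Errorf("bind %q as uid %d: %w", path, os.Getuid(), err)
	}
	// The kernel creates the socket with 0777 & ~umask (typically 0755);
	// restrict it to the owner and the shared group.
	if err := os.Chmod(path, mode); err != nil {
		ln.Close()
		return nil, fmt.Errorf("chmod %q: %w", path, err)
	}
	return ln, nil
}

func main() {
	// Constructed path for the demonstration; a real deployment would take
	// this from its configuration (e.g. the unix:// form of the HTTP address).
	path := filepath.Join(os.TempDir(), "oauth2_proxy_example.sock")
	ln, err := ListenUnixChecked(path, 0660)
	if err != nil {
		fmt.Fprintln(os.Stderr, "listen failed:", err)
		os.Exit(1)
	}
	defer ln.Close()
	fi, _ := os.Stat(path)
	fmt.Printf("listening on %s (mode %v, uid %d)\n", path, fi.Mode(), os.Getuid())
}
```

Running the same pre-checks against the `/my_sockets` volume from a shell in the container (`ls -ld /my_sockets`, `id`) gives the same information the function reports; the value of doing it in code is that the service fails fast with the directory, uid and reason in one line instead of a bare bind error.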

github-actions[bot] commented 6 months ago

This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.

simeoncran commented 6 months ago

Adding a comment to prevent GitHub from auto closing the issue. The issue has not been addressed.

github-actions[bot] commented 4 months ago

This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.

github-actions[bot] commented 1 month ago

This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.