strongloop / strong-pm

deployer for node applications
http://strong-pm.io

DockerFile with privileges erroneous #388

Closed masalinas closed 7 years ago

masalinas commented 7 years ago

I checked your last Dockerfile to instantiate a Docker container with strong-pm running inside. I observed that you change the owner of the /usr/local directory to the strong-pm user to install the process, but why do you do that? I think that the correct way to install strong-pm is under root, the natural way, and later you could start the process under strong-pm without any problem because the directory has read permissions for all users.

This is your code

RUN useradd -ms /bin/bash strong-pm \
    && chown -R strong-pm:strong-pm /usr/local \
    && su strong-pm -c "npm install -g strong-pm && npm cache clear"

This is the code recommended by me:

RUN useradd -ms /bin/bash strong-pm \
    && su -c "npm install -g --unsafe-perm strong-pm && npm cache clear"

sam-github commented 7 years ago

@rmg can comment more on his choices with the dockerfile, but

read permissions for all users

you do realize that strong-pm needs write access?

Also, why are you using strong-pm in docker? We supply it, because some people find it a convenient way to run and try strong-pm out, but strong-supervisor is a much better fit for docker.

strong-pm adds remote deploy capabilities, but since docker systems support this themselves, it's not a great fit with docker.

rmg commented 7 years ago

The use of chown -R strong-pm:strong-pm /usr/local && su strong-pm -c ".." serves two purposes:

  1. it seemed better protection to me to allow npm to write to /usr/local/* (only) instead of disabling all of npm's privilege separation with --unsafe-perms
  2. It is done using su in the RUN layer instead of doing a second RUN after USER strong-pm in order to reduce layers.

That said, these Dockerfiles were last touched over a year ago and their origins date back to over 2 years ago. This is a long time in the world of Docker best practices!

@masalinas if you are actually using the strongloop/strong-pm image that gets published to Docker Hub and you feel strongly about this change then please feel free to submit a pull request for it.
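
A hardened variant of the Dockerfile snippet discussed above, as an added example that is not code from the strong-pm repository: it keeps the narrow chown approach instead of --unsafe-perm, but scopes the chown to npm's global prefix rather than all of /usr/local, and runs the process as strong-pm with its own writable directory (strong-pm needs write access at runtime). The node base image, the /var/lib/strong-pm path and the sl-pm --base/--listen options are assumptions.

```dockerfile
# Added example, not the strong-pm project's own Dockerfile.
# Assumed base image; pick whichever Node release you actually run.
FROM node:6

RUN useradd -ms /bin/bash strong-pm \
    # Grant write access only to npm's global install locations, not to all
    # of /usr/local, and keep npm's own privilege separation (no --unsafe-perm).
    && mkdir -p /usr/local/lib/node_modules /usr/local/bin \
    && chown strong-pm:strong-pm /usr/local/lib/node_modules /usr/local/bin \
    && su strong-pm -c "npm install -g strong-pm && npm cache clear" \
    # Runtime state lives in a dedicated directory the service user owns
    # (assumed path), so the rest of the filesystem stays read-only for it.
    && mkdir -p /var/lib/strong-pm \
    && chown strong-pm:strong-pm /var/lib/strong-pm

# Drop privileges for the running process, not just for the install step.
USER strong-pm
WORKDIR /var/lib/strong-pm

# Assumed sl-pm options: --base for the state directory, --listen for the port.
CMD ["sl-pm", "--base", "/var/lib/strong-pm", "--listen", "8701"]
```

After building, `docker run --rm <image> id -u` should report the strong-pm uid rather than 0, and only /var/lib/strong-pm and the two npm prefix directories should be writable by that user.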

masalinas commented 7 years ago

@sam-github Actually we are using docker with this infrastructure inside one container:

We use several volumes attached to the container to persist logs, flows repository and ftp integration messages and mongodb compose to persist any business data

All these services are controlled by supervisor under IBM Bluemix.

sam-github commented 7 years ago

@masalinas you don't use arc, though, right? I would suggest looking at strong-supervisor, it is simpler, and might do everything you want.