Change images to run as non-root user by default #45
Closed
Commits on Oct 20, 2022
Support running as a non-root user
Currently the container image is running as the root user, as follows. It is recommended to run as a non-root user for security purposes. In fact, the following log will be seen at the startup time of Spring Boot.

```text
2022-10-20 17:32:02.045  INFO 1 --- [           main] com.yoshio3.HelloSampleApplication       : Starting HelloSampleApplication v0.0.1-SNAPSHOT using Java 17.0.4.1 on 7446eed214e7 with PID 1 (/app/app.jar started by root in /app)
```

If we use this fix, the application will run as a non-root user ("javauser") by default, like the following.

```text
2022-10-20 17:30:28.103  INFO 1 --- [           main] com.yoshio3.HelloSampleApplication       : Starting HelloSampleApplication v0.0.1-SNAPSHOT using Java 17.0.4.1 on 9a2adf159e03 with PID 1 (/app/app.jar started by javauser in /app)
```

In order to run the container more securely, this pull request will be useful. And if this pull request is not included, every user needs to write a Dockerfile like the following to run as a non-root user.

```Dockerfile
##################################################################
# Stage 1: Create User and Group
##################################################################
FROM mcr.microsoft.com/cbl-mariner/base/core:2.0 AS CREATE-DEPENDS-FILES

# Create the system group/user, then copy the resulting passwd/group
# files to a staging directory so the distroless stage can pick them up.
# The user name must match the USER instruction in stage 2 ("javauser").
RUN mkdir /staging \
    && mkdir /staging/etc \
    && tdnf install -y --releasever=2.0 shadow-utils \
    && groupadd --system -g 101 java-app \
    && useradd -u 101 -g java-app --shell /bin/false --home-dir /dev/null --system javauser \
    && tdnf clean all \
    && cp /etc/passwd /staging/etc/passwd \
    && cp /etc/group /staging/etc/group

##################################################################
# Stage 2: Runtime image (distroless)
##################################################################
FROM mcr.microsoft.com/openjdk/jdk:17-distroless

# Bring in only the user/group database created in stage 1.
COPY --from=CREATE-DEPENDS-FILES /staging/ /

USER javauser
WORKDIR /app

ENV LANG='ja_JP.UTF-8' LANGUAGE='ja_JP:ja' LC_ALL='ja_JP.UTF-8'
ENV TZ='Asia/Tokyo'
ENV JAVA_HOME=/app

COPY ./target/hello-sample-0.0.1-SNAPSHOT.jar app.jar

ENTRYPOINT ["java","-Xmx1g","-XX:+UseParallelGC","-XX:MaxRAMPercentage=75","-jar","/app/app.jar"]
EXPOSE 8080
```
Commit aec234a
Commits on Oct 21, 2022
Commit 36c9974
Modified for the invalid reference format of FROM BASE_IMAGE
During the image build in GitHub Actions, the following error was shown and the image build failed.

```text
Step 1/18 : ARG INSTALLER_IMAGE="mcr.microsoft.com/cbl-mariner/base/core"
Step 2/18 : ARG INSTALLER_TAG="2.0"
Step 3/18 : ARG BASE_IMAGE="mcr.microsoft.com/cbl-mariner/distroless/base"
Step 4/18 : ARG BASE_TAG="2.0"
invalid reference format
Step 5/18 : FROM ${INSTALLER_IMAGE}:${INSTALLER_TAG} AS installer
```
Commit 06739f6
Commit 6a80818
Revert "Modified for the invalid reference format of FROM BASE_IMAGE"
This reverts commit 06739f6.
Commit ab110e5
Commit 676641a
Commits on Oct 25, 2022
In some situations, UID 101 may already be used. In order to prevent conflicts, I changed the UID.
Commit aca1446
Added a directory (/app) which is owned by javauser
After applying this pull request, the application will run as "javauser". However, there is no directory which has "write permission". If a Java application tries to write some file in the deployment directory, it will fail, because the directory is owned by the root user. So, in order to write some file from the application, I added a default directory which is owned by the "javauser". So if users deploy their application under the "/app" directory, the application will run without problem.

If the user uses the Mariner core image, then there is a "chown" command in the container image, so the user can create any directory and change the owner. However, the distroless image doesn't have the "chown" command on the image, nor a shell. So we should mention the restriction for distroless image users. For example, the following explanation will be needed.

```Dockerfile
COPY --chown=2000:2000 artifact.jar /app/
```
Commit 3cc6123
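The two-stage pattern in the first commit copies `/etc/passwd` and `/etc/group` from a Mariner builder stage into the distroless image, and the Oct 25 commit moves off UID 101 because that UID may already be taken. Neither step can be checked inside the distroless image itself (no shell, no `id`, no `chown`), so the check belongs in the build pipeline, on the staged files. The script below is an added example, not code from this pull request or the openjdk container project: it parses the staged passwd/group files, confirms the service account exists, is not UID 0, has a non-login shell, and shares its UID/GID with no other entry. The account name `javauser` and UID/GID 2000 are assumptions taken from the `--chown=2000:2000` line above, and the sample files are constructed, not copied from any real image.

```python
"""Validate the /etc/passwd and /etc/group files a builder stage stages for a
distroless runtime image, before they are COPYed in.

Added example (not project code). Assumes standard passwd(5)/group(5) format
and a service account "javauser" with UID/GID 2000 (assumed values).
"""
from __future__ import annotations

from dataclasses import dataclass

# Shells that refuse an interactive login; a service account should use one.
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


@dataclass
class PasswdEntry:
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text: str) -> list[PasswdEntry]:
    """Parse passwd(5) lines of the form name:pw:uid:gid:gecos:home:shell."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), home, shell))
    return entries


def parse_group(text: str) -> dict[str, int]:
    """Parse group(5) lines of the form name:pw:gid:members into {name: gid}."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"malformed group line: {line!r}")
        name, _pw, gid, _members = fields
        groups[name] = int(gid)
    return groups


def check_service_account(passwd_text, group_text, user, expected_uid=None):
    """Return a list of problems with the staged account; an empty list is OK."""
    entries = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    matches = [e for e in entries if e.name == user]
    if not matches:
        return [f"user {user!r} not present in passwd"]
    acct = matches[0]
    problems = []
    if acct.uid == 0:
        problems.append(f"{user} is UID 0; the container would still run as root")
    if expected_uid is not None and acct.uid != expected_uid:
        problems.append(f"{user} has UID {acct.uid}, expected {expected_uid}")
    # The UID collision the Oct 25 commit guards against: another account
    # in the base image already owns the UID we chose.
    clash = sorted(e.name for e in entries if e.uid == acct.uid and e.name != user)
    if clash:
        problems.append(f"UID {acct.uid} is already used by {', '.join(clash)}")
    gid_owners = sorted(g for g, gid in groups.items() if gid == acct.gid)
    if not gid_owners:
        problems.append(f"primary GID {acct.gid} has no entry in group")
    elif len(gid_owners) > 1:
        problems.append(f"GID {acct.gid} is shared by groups {', '.join(gid_owners)}")
    if acct.shell not in NOLOGIN_SHELLS:
        problems.append(f"shell {acct.shell!r} permits interactive login")
    return problems


# Constructed sample files (not copied from any real image).
STAGED_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "bin:x:1:1:bin:/bin:/sbin/nologin\n"
    "javauser:x:2000:2000::/dev/null:/bin/false\n"
)
STAGED_GROUP = "root:x:0:\nbin:x:1:\njava-app:x:2000:\n"

# Constructed case where UID/GID 101 is already taken by another account.
CLASHING_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "svc:x:101:101::/nonexistent:/sbin/nologin\n"
    "javauser:x:101:101::/dev/null:/bin/false\n"
)
CLASHING_GROUP = "root:x:0:\nsvc:x:101:\njava-app:x:101:\n"

if __name__ == "__main__":
    for label, pw, gr in (("staged", STAGED_PASSWD, STAGED_GROUP),
                          ("clashing", CLASHING_PASSWD, CLASHING_GROUP)):
        problems = check_service_account(pw, gr, "javauser")
        print(label, "OK" if not problems else problems)
```

Run it against the staging directory produced by stage 1 (read `/staging/etc/passwd` and `/staging/etc/group` in a CI step) before the `COPY --from=... /staging/ /` instruction ships them; a non-empty result should fail the build, since nothing inside the distroless image can report the problem later.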
Commits on Nov 28, 2022
Commit 149d2d0