-
Notifications
You must be signed in to change notification settings - Fork 18.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Provide a way to lock ENTRYPOINT #18799
Comments
I'm -1 on this; users of an image should be able to use that image in any way they want. Overriding an entrypoint is not something that's easily done "by accident" (you'd have to explicitly provide the Also, this wouldn't prevent users from using the image as However, I can see organizations where you don't want users to override entrypoints. With the "Authz" plugins feature, that will be part of 1.10, it would be possible to deny users to override entrypoints, depending on their role; #15365 |
@thaJeztah are you -1 as a user, or as image author? As a user, I understand, but this is a feature for image authors. Image authors already decide what goes inside the image they are building. How is it a negative thing to empower them with the right to decide how their images must be executed? Besides, it is a request for an optional parameter image authors may or may not use. If a power user wants to complain for some reason, the user contacts the image author. Now, in my first comment, if you had read it through, I do mention that such feature must guarantee that inherited images may define their own ENTRYPOINTS, but the entry point of the FROM image must be performed. This raises question tough on how to also lock some files/folders in a way that inherited images can't modify these with some RUN command. Which brings us to issue #18812. This is an important feature for image authors. |
Well, I'm looking for a use case; point is that IMO this should be a documentation issue ("how to use this image"). If the thought here is to implement a "copy protection" system, I'm just not sure this would work. Users can compile their own version of docker that ignores the "don't override" part, or simply export the image, modify the layers, and import the image again. Just my 0.02c, others may think differently. |
As an image author, I use sensible defaults in my environment variables so that it works for them out-of-the-box without the user needing to decide on how their image must be executed. When you look at the documentation for official images, it is all centered around using ENV variables at deploy-time to allow images to be customised in a supported way and to provide the contract between the image author and the user. The use case isn't clear to me but I could also be missing something. Is it possible to provide an example scenario where having this feature could add value for the user? If it's just about the image author then I would put a -1 on this as well. That's only because in my own experience I've never had a problem with someone being upset with my image because they stepped off the beaten track and tried to override the ENTRYPOINT and it broke things. I'm not saying that doesn't happen but it seems to be an extreme edge case, at least in my experience. |
I'm -1 on this, same as @thaJeztah said, as a user and as image author. I'm also looking for a use case, and I feel that "Authz" will cover most of this. In the end, the image is just a
For me it sounds like asking Linux distribution builder (debian/redhad/…) "that already decide what goes inside the distribution they are building", that they should be able to decide how their distribution must be executed (locking down the user) — but well, if you are root on the machine you can pretty much messing it up and doing whatever you want. That's the beauty of it so I really don't see the point. I feel the same about that it is a documentation issue on "how to use this image" ("This image is intended to be used like that […]."). You can provides default sane behavior and a good documentation on how to run the image and how to configure/custom the runtime (i.e. container), but locking down user, it should be separate from the image (by engine/cluster) — hence the "Authz" stuff. Docker is almost all about separation of concern after all. |
It looks like there is an agreement among maintainers. I'm sorry but we're not going to implement this. Thanks for taking your time to write it. It's always good to hear from the community. |
Unless I missed something, it is not possible to create an image and lock down ENTRYPOINT. With the following command, a user can bypass any instruction that may be required by the image to be performed in order to properly execute:
It must be possible for an image author to define and lock an entrypoint to make sure a given image is executed by only calling that entrypoint definition and whatever operations that call allows.
It is also important to ensure that the ENTRYPOINT of an image is always called, either when creating a new container out of this image, or of an extended image. To verify this use case, I created this Test Scenario. Run the script test.sh.
Here's the output:
The text was updated successfully, but these errors were encountered: