Security issue: node is run as root #1
Comments
|
Thanks, we'll look at ways to address this in a future release. |
|
If you come up with a good way to actually solve this nicely at the language stack level, please share so we can make sure all the stacks get updated. We've been trying to think through this problem for a while, and there's not really an easy "works for everyone" way to do this without knowing the specifics of the application being Dockerized (in our experience). TL;DR this might be more of a docs problem (ie, update the documentation to show best practices for running your application as non-root) |
|
Sure :) For now though, you are right, it really is a docs problem |
|
Thanks for answers. |
|
Closing this out, since it's more of a Docs/best practice issue at this point. |
|
|
|
What about needing to bind to port 80 or other similar scenarios? |
|
As Docker can handle binding container port to host port, it should not be an issue ? (We should be able to bind the 8080 port on the container to the 80 port on the host) |
|
True, but I guess that means possibly breaking things for anyone using the current image, right? |
|
Yes this will be a breaking change... |
|
Isn't the port to bind on specified in the application itself?
|
|
"Isn't the port to bind on specified in the application itself?" |
|
Right, but what I mean is that the application source code itself specifies
the port that it wants to bind to by default (be it 8080, 9000, 80, etc).
This is why our original "onbuild" variant didn't include an "EXPOSE"
instruction -- we can't really know which port the image user's application
is going to be listening on ahead of time in a simple, generic way.
|
|
Yes of course. It's fine to let the application binding the port it wants to. |
|
Docker's official stance on this seems clear to me:
We're not in compliance. If someone wants to run the Node process as root (e.g., to bind to port 80), then the burden should be on them to write a custom Dockerfile. |
|
This isn't the Dockerfile for a "service", but a base Dockerfile for services, some of which may be able to run as root and some of which won't. I personally the consider the part after what @NodeGuy quoted just as important in determining whether a Docker image should use
For a base image like Just my two cents on why changing to |
|
I agree with your point @md5 but currently most of the application using the base image as run as root although there are no need. https://github.com/search?utf8=%E2%9C%93&q=FROM+node%3A0.10-onbuild&type=Code&ref=searchresults |
|
Agree that doing the right thing by default would be really nice. |
|
Documentation landed in #122 |
In case of security flaw in the application run and in docker.
cf:
http://blog.zeltser.com/post/104976675349/security-risks-and-benefits-of-docker-application
http://thenewstack.io/docker-addresses-more-security-issues-and-outlines-plugin-approach/
http://www.slideshare.net/jpetazzo/docker-linux-containers-lxc-and-security
https://blog.xenproject.org/2014/06/23/the-docker-exploit-and-the-security-of-containers/
The text was updated successfully, but these errors were encountered: