Docker: don't run as root user #2917
Conversation
|
Isn't this going to break all existing deployments? |
|
yes, and that's why it is v6 and we need to add instructions on how to upgrade. I can't get it to fail on my laptop though |
gerardsn
force-pushed
the
feature/dont-run-container-as-root
branch
7 times, most recently
from
e22423d
to
dbd72ce
Compare
gerardsn
force-pushed
the
feature/dont-run-container-as-root
branch
2 times, most recently
from
47d4fe3
to
229aa56
Compare
gerardsn
force-pushed
the
feature/dont-run-container-as-root
branch
from
229aa56
to
78cc6aa
Compare
| If you already use Docker, the easiest way to get your Nuts Node up and running for development or production is | ||
| using Docker. This guide helps you to configure the Nuts node in Docker. | ||
| To use the most recent release use ``nutsfoundation/nuts-node:latest``. For production environments it's advised to use a specific version. | ||
|
|
There was a problem hiding this comment.
can we start with the most important part when people start with Nuts, which is i.m.o. the Docker run and docker compose examples?
Then probably the dev image, and user/mount stuff
There was a problem hiding this comment.
reordered some stuff, does this work?
| ******************* | ||
|
|
||
| **Release date:** TBD | ||
| **Full Changelog**: https://github.com/nuts-foundation/nuts-node/compare/v5.0.0...master | ||
| **Full Changelog**: https://github.com/nuts-foundation/nuts-node/compare/v5.0.0...v6.0.0 |
There was a problem hiding this comment.
it still takes you to a page where you can manually set a different target. I'd rather set this correct now so we don't forget to change it on release.
| @@ -8,6 +8,8 @@ | |||
| - The `run-test.sh` of each test should be added to the respective group's `/<test-group>/run-tests.sh` script. | |||
| - All `/<test-group>/run-tests.sh` should be added to `/run-tests.sh` | |||
|
|
|||
| If the `datadir` needs to be mounted for a test, add `USER=$UID` to the top of the test's `run-test.sh`, and add `user: "$USER:$USER"` to each service in the `docker-compose.yml` that mounts a `datadir`. | |||
There was a problem hiding this comment.
are $UID and $USER always available?
There was a problem hiding this comment.
In the environment that we use for the e2e-test (and on macOS): yes
$USER is should be set in the run-test.sh script, so that is available as long as $UID is available. AFAIK UID is always available. USER might not be the best choice since some systems control this env variable, but for the e2e-tests this is not an issue.
docs/pages/deployment/docker.rst
Outdated
| using Docker. This guide helps you to configure the Nuts node in Docker. | ||
| To use the most recent release use ``nutsfoundation/nuts-node:latest``. For production environments it's advised to use a specific version. | ||
|
|
||
| User |
There was a problem hiding this comment.
Also refer to docker documentation to use a different user?
There was a problem hiding this comment.
The only documentation I can find has a different angle on managing users, so I added a note on L45:
- *"User 18081 already exists on my host."* See `docker security <https://docs.docker.com/engine/security/userns-remap/>`_ (or relevant container orchestration platform) documentation how to restrict privileges to a user namespace / create a user mapping between host and container.
|
Should the dev-container have the same user? consistency makes for better development, but fixing permission issues every time will be annoying. |
|
Fixed issue introduced by this PR: |
* run docker as non-root user * add documentation * move docker.rst to deployment * update docs * Add release note * set default config directories * fix e2e-tests * fix private transacitons test * update e2e-tests readme * pr feedback * reorder sections in docker.rst * fix mutual exclusive config values combination with defaults * pr feedback
* master: (21 commits) IAM: Remove OpenID4VP PoC code (#3022) Bump golang.org/x/crypto from 0.21.0 to 0.22.0 (#3021) VDR: Support root did:web DIDs (#2900) extended policy mapping for user/organization (#2977) IAM: fix loading of server state (#3011) Bump github.com/nats-io/nats.go from 1.34.0 to 1.34.1 (#3018) Bump github.com/prometheus/client_model from 0.6.0 to 0.6.1 (#3017) Bump google.golang.org/grpc from 1.62.1 to 1.63.0 (#3016) Update golang.org/x/net@v0.23.0 (#3014) Ignore allowUntrustedIssuer for did:web and clarify 'revocation' in vcr/search (#2992) document liveness and readiness probes (#2982) IAM: Allow user details to be passed in requestUserAccessToken (#2990) Policy: allow multiple policy files in local PDP (#3010) Bump github.com/amacneil/dbmate/v2 from 2.13.0 to 2.14.0 (#2999) Docker: don't run as root user (#2917) Add missing copyright notices (#3000) Set SQL logging to TRACE instead of DEBUG (#3002) fix invalid swagger (#2988) add credentialStatus to common ssi_types (#2989) Auth: IAM client should not use PKI TLS config (#2998) ...
… to changes from: "Docker: don't run as root user (#2917)" Security settings for the nuts-node have been updated in the values.yaml file. The fsGroup value under podSecurityContext has been changed to 18081 and the runAsUser and runAsGroup have been added under securityContext, both set to 18081.
closes #1779
In this PR:
18081/nuts./config/...which is relative to the working directorydatadirvolume mount is removed if not neededIn a followup PR I will fix all default paths in the e2e-tests to cleanup a bit
TODO: