-
Notifications
You must be signed in to change notification settings - Fork 15
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Docker: don't run as root user #2917
Conversation
Isn't this going to break all existing deployments? |
yes, and that's why it is v6 and we need to add instructions on how to upgrade. I can't get it to fail on my laptop though |
e22423d
to
dbd72ce
Compare
47d4fe3
to
229aa56
Compare
229aa56
to
78cc6aa
Compare
If you already use Docker, the easiest way to get your Nuts Node up and running for development or production is | ||
using Docker. This guide helps you to configure the Nuts node in Docker. | ||
To use the most recent release use ``nutsfoundation/nuts-node:latest``. For production environments it's advised to use a specific version. | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can we start with the most important part when people start with Nuts, which is i.m.o. the Docker run and docker compose examples?
Then probably the dev image, and user/mount stuff
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
reordered some stuff, does this work?
******************* | ||
|
||
**Release date:** TBD | ||
**Full Changelog**: https://github.com/nuts-foundation/nuts-node/compare/v5.0.0...master | ||
**Full Changelog**: https://github.com/nuts-foundation/nuts-node/compare/v5.0.0...v6.0.0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There's no v6.0.0
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it still takes you to a page where you can manually set a different target. I'd rather set this correct now so we don't forget to change it on release.
@@ -8,6 +8,8 @@ | |||
- The `run-test.sh` of each test should be added to the respective group's `/<test-group>/run-tests.sh` script. | |||
- All `/<test-group>/run-tests.sh` should be added to `/run-tests.sh` | |||
|
|||
If the `datadir` needs to be mounted for a test, add `USER=$UID` to the top of the test's `run-test.sh`, and add `user: "$USER:$USER"` to each service in the `docker-compose.yml` that mounts a `datadir`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
are $UID
and $USER
always available?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In the environment that we use for the e2e-test (and on macOS): yes
$USER
is should be set in the run-test.sh
script, so that is available as long as $UID is available. AFAIK UID is always available. USER might not be the best choice since some systems control this env variable, but for the e2e-tests this is not an issue.
docs/pages/deployment/docker.rst
Outdated
using Docker. This guide helps you to configure the Nuts node in Docker. | ||
To use the most recent release use ``nutsfoundation/nuts-node:latest``. For production environments it's advised to use a specific version. | ||
|
||
User |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also refer to docker documentation to use a different user?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The only documentation I can find has a different angle on managing users, so I added a note on L45:
- *"User 18081 already exists on my host."* See `docker security <https://docs.docker.com/engine/security/userns-remap/>`_ (or relevant container orchestration platform) documentation how to restrict privileges to a user namespace / create a user mapping between host and container.
Should the dev-container have the same user? consistency makes for better development, but fixing permission issues every time will be annoying. |
Fixed issue introduced by this PR: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Functional changes approved, but I find the documentation too complicated (we're in the risk of getting too much of it, again)
* run docker as non-root user * add documentation * move docker.rst to deployment * update docs * Add release note * set default config directories * fix e2e-tests * fix private transacitons test * update e2e-tests readme * pr feedback * reorder sections in docker.rst * fix mutual exclusive config values combination with defaults * pr feedback
* master: (21 commits) IAM: Remove OpenID4VP PoC code (#3022) Bump golang.org/x/crypto from 0.21.0 to 0.22.0 (#3021) VDR: Support root did:web DIDs (#2900) extended policy mapping for user/organization (#2977) IAM: fix loading of server state (#3011) Bump github.com/nats-io/nats.go from 1.34.0 to 1.34.1 (#3018) Bump github.com/prometheus/client_model from 0.6.0 to 0.6.1 (#3017) Bump google.golang.org/grpc from 1.62.1 to 1.63.0 (#3016) Update golang.org/x/net@v0.23.0 (#3014) Ignore allowUntrustedIssuer for did:web and clarify 'revocation' in vcr/search (#2992) document liveness and readiness probes (#2982) IAM: Allow user details to be passed in requestUserAccessToken (#2990) Policy: allow multiple policy files in local PDP (#3010) Bump github.com/amacneil/dbmate/v2 from 2.13.0 to 2.14.0 (#2999) Docker: don't run as root user (#2917) Add missing copyright notices (#3000) Set SQL logging to TRACE instead of DEBUG (#3002) fix invalid swagger (#2988) add credentialStatus to common ssi_types (#2989) Auth: IAM client should not use PKI TLS config (#2998) ...
… to changes from: "Docker: don't run as root user (#2917)" Security settings for the nuts-node have been updated in the values.yaml file. The fsGroup value under podSecurityContext has been changed to 18081 and the runAsUser and runAsGroup have been added under securityContext, both set to 18081.
closes #1779
In this PR:
18081
/nuts
./config/...
which is relative to the working directorydatadir
volume mount is removed if not neededIn a followup PR I will fix all default paths in the e2e-tests to cleanup a bit
TODO: