Docker container - Enabling Mithril client with 'no-new-privileges'

[adamsthws]

When using the Guild's Docker image and enabling the Mithril client: MITHRIL_DOWNLOAD: Y, if no-new-privileges is enabled, Mithril init fails (see log below).

The script is using sudo when creating the file: /opt/cardano/cnode/mithril/mithril.env, which no-new-privileges is preventing... The directory /opt/cardano/cnode/mithril/ is owned by the user: guild, so it should be able to create the file without elevated privs... Would it be possible to remove the script's sudo requirement here?

Docker compose.yml:

services:
  cardano-relay:
    image: cardanocommunity/cardano-node:10.1.4
    environment:
      MITHRIL_DOWNLOAD: Y # (Y|N) Download latest Mithril snapshot if no db exists
    security_opt:
      - no-new-privileges

Container log:

  _____     _ __   __  ____                    __             

 / ___/_ __(_) /__/ / / __ \___  ___ _______ _/ /____  _______

/ (_ / // / / / _  / / /_/ / _ \/ -_) __/ _ `/ __/ _ \/ __(_-<

\___/\_,_/_/_/\_,_/  \____/ .__/\__/_/  \_,_/\__/\___/_/ /___/

                         /_/ 

                         


NETWORK: preview  /opt/cardano/cnode/files-custom/topology.json

ENTRYPOINT_PROCESS: cnode.sh

NODE: 8653eac6ef31 - Port:6000 - 

cardano-node 10.1.4 - linux-x86_64 - ghc-8.10

git rev 1f63dbf2ab39e0b32bf6901dc203866d3e37de08

Creating /opt/cardano/cnode/mithril/mithril.env...

Info: Setting minimal environment variables supporting only the Mithril client use case.

sudo: The "no new privileges" flag is set, which prevents sudo from running as root.

sudo: If sudo is running in a container, you may need to adjust the container configuration to disable the flag.

sudo: The "no new privileges" flag is set, which prevents sudo from running as root.

sudo: If sudo is running in a container, you may need to adjust the container configuration to disable the flag.

/opt/cardano/cnode/scripts/mithril.library: line 360: /opt/cardano/cnode/mithril/mithril.env: No such file or directory

[rdlrt]

You'd want to pass environment variable SUDO=N on your setup.

[adamsthws]

Ah yes thankyou, that does resolve it.

In what scenario would a container user be using sudo? - Would it make sense to add SUDO=N to the dockerfile_bin ENV to disable sudo by default in the containers?

Happy to make a PR for this if it's favourable?

[TrevorBenson]

In what scenario would a container user be using sudo? - Would it make sense to add SUDO=N to the dockerfile_bin ENV to disable sudo by default in the containers?

This was implemented by the original author of the container, but I don't quite recall the intended purpose for bundling sudo. I suspect it was a workaround to not do docker exec -it --user root <container> bash.

I'm not against including this as an ENV. I don't believe it should break anything with default container usage, but we might want to include this (or all ENV settings) in the docker part of the documentation for clarity.

---

Separately, I don't know of any requirement to include sudo. The containers I built from this repo didn't require them, but after transitioning back to using the ones built here I didn't push to remove sudo. However, unless there is a specific need to have sudo I'd prefer long term we plan to remove it. Especially when the default user has a passwordless access to escalate privileges inside the container which results in almost running the container as root instead of the guild user anyway.

@rdlrt Thoughts?

[rdlrt]

Fixed in #1873