Run countly with non-root in docker

Open sapkra opened this issue 5 years ago • 9 comments

For security reasons, our cluster is configured to run Docker containers with random UIDs.

When I use this image everything breaks because of many permission problems. It starts with the base image, which tries to access a file which is only accessible to the Docker daemon.

I would appreciate to have this docker image follow the cloud native best practices and have the core image also published on Docker Hub.

sapkra avatar Jun 03 '19 11:06 sapkra

Thanks for the input @sapkra. Which file does it try to access?

iartem avatar Jun 03 '19 13:06 iartem

This is the first problem. But I've already tried to rebuild the image on another base image but all the scripts are relying on the root user. There is a lot which has to be refactored. I gave up and decided to open this issue. This is not my code and it's a bit hard to understand everything and I think for the countly team it's a lot easier to fix.

Some information about my environment: I'm running OpenShift, which you can use for free. To test it I can recommend minishift. Port 80 is also not allowed to be used, but for a Kubernetes cluster you should use a container which only runs the application without any proxy and opens ports 3001 and 6001.

This is the output when I just try to start the container.

*** Killing all processes...
Traceback (most recent call last):
  File "/sbin/my_init", line 334, in <module>
    main(args)
  File "/sbin/my_init", line 252, in main
    import_envvars(False, False)
  File "/sbin/my_init", line 61, in import_envvars
    for envfile in listdir("/etc/container_environment"):
  File "/sbin/my_init", line 49, in listdir
    return sorted(os.listdir(path))
PermissionError: [Errno 13] Permission denied: '/etc/container_environment'


sapkra avatar Jun 03 '19 13:06 sapkra

Ok, it seems this would solve the issue for you. That's more of a baseimage issue.

Regarding root, for a number of reasons (rather obvious I guess) install script has to have root access. The container itself runs things under respective users: countly in case of API & Frontend processes, mongodb for mongodb & root for nginx. Taking nginx out of the image would be fairly easy by modifying our install scripts with some ifs with some environment variables. PR is welcome!

iartem avatar Jun 03 '19 14:06 iartem

I didn't want to do that because I have my database password in the environment variables and I think this is sensitive information. In the documentation of the base image it's documented that you shouldn't do it when you have sensitive information in your env vars.

I had to use different permissions to get it working:

RUN chmod -R 775 /etc/container_environment
RUN chmod 777 /etc/container_environment.sh /etc/container_environment.json

But I did it to show you the next problem.

runsv sshd: fatal: unable to open supervise/lock: file does not exist
runsv cron: fatal: unable to open supervise/lock: file does not exist
runsv syslog-forwarder: fatal: unable to open supervise/lock: file does not exist
runsv syslog-ng: fatal: unable to open supervise/lock: file does not exist
runsv mongodb: fatal: unable to open supervise/lock: file does not exist
runsv nginx: fatal: unable to open supervise/lock: file does not exist
runsv countly-dashboard: fatal: unable to open supervise/lock: file does not exist
runsv countly-api: fatal: unable to open supervise/lock: file does not exist
runsv syslog-ng: fatal: unable to open supervise/lock: file does not exist
runsv syslog-forwarder: fatal: unable to open supervise/lock: file does not exist

To fix this I had to add this line:

RUN chmod -R 775 /etc/service

Ok, next error... I fixed a few but I gave up again while getting the following.

 mknod: ‘/dev/xconsole’: Permission denied
 Traceback (most recent call last):
 File "/sbin/setuser", line 17, in <module>
 os.initgroups(username, user.pw_gid)
 PermissionError: [Errno 1] Operation not permitted
 seteuid: Operation not permitted

This error is also from the base image and an open issue. I would recommend switching the base image (maybe to a smaller one - the image size should definitely be decreased because 1GB is a bit crazy). I will try to fix everything and open a PR - hopefully this month.

sapkra avatar Jun 03 '19 23:06 sapkra
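
An added example, not part of the original thread or the countly-server repository: a small audit that lists which paths a random-UID process could not use and which files have been opened up to everyone, instead of discovering them one crash at a time. The function name `audit_random_uid` is hypothetical, and the default of GID 0 assumes the runtime starts the random UID in the root group, as OpenShift does.

```sh
#!/bin/sh
# Added example: audit a directory tree for an arbitrary-UID container runtime.
# Assumption: the random UID never owns the files, so access is decided by the
# group bits (when the file's group is the runtime group) or the "other" bits.

audit_random_uid() {
    # $1 = directory to audit
    # $2 = numeric group the random UID runs with (assumed 0 when omitted)
    dir=$1
    gid=${2:-0}

    # Directories must be readable and traversable (r-x).
    find "$dir" -type d \( \
        \( -group "$gid" ! -perm -050 \) -o \
        \( ! -group "$gid" ! -perm -005 \) \) -print | sed 's/^/NO_ACCESS /'

    # Regular files must at least be readable.
    find "$dir" -type f \( \
        \( -group "$gid" ! -perm -040 \) -o \
        \( ! -group "$gid" ! -perm -004 \) \) -print | sed 's/^/NO_ACCESS /'

    # Files writable by everyone, e.g. after "chmod 777" on an env file that
    # holds a database password: any process in the container can rewrite them.
    find "$dir" -type f -perm -002 -print | sed 's/^/WORLD_WRITABLE /'
}

# Usage inside the image, with the paths from this thread:
#   audit_random_uid /etc/container_environment
#   audit_random_uid /etc/service
```

Each `NO_ACCESS` line is a path that needs group ownership and group bits fixed at build time; each `WORLD_WRITABLE` line is a candidate for tightening to group-only access.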

Yes, we'll look into either updating base image or switching to something else in the future. Let's keep this one open.

iartem avatar Jun 04 '19 07:06 iartem

I've created a PR. #923

sapkra avatar Jun 10 '19 07:06 sapkra

> mongodb for mongodb & root for nginx

Root isn't a requirement for nginx. Most of the properly maintained Docker images are using non-privileged ports (because people should map the "outside" port anyway) and won't require root. Also shouldn't the MongoDB-less Docker image be the default? IMHO the idea of Docker is to modularize everything so that app and database can easily be maintained separately, for example.

PS: thank you for your work on Countly :raised_hands: PPS: what does it mean that Docker images are just for evaluation only? Is this because of licensing or technical reasons?

alexanderadam avatar Jun 18 '19 08:06 alexanderadam

> PPS: what does it mean that Docker images are just for evaluation only? Is this because of licensing or technical reasons?

It's because having mongo + nginx + 2x node.js in one container is a non-production approach :) Hopefully, we'll get some k8s reference design done after next release. No dates yet, though.

iartem avatar Jun 18 '19 10:06 iartem

I think this is done @iartem ?

ar2rsawseen avatar Oct 23 '20 18:10 ar2rsawseen