golem icon indicating copy to clipboard operation
golem copied to clipboard

Published 20 hours ago verified publisher icon ThinkR-open

Non-privileged user in Dockerfile

Open psolymos opened this issue 2 years ago • 4 comments

I have been using and modifying the Dockerfiles generated by {golem}. The system and R dependencies are a great help and I had to modify very little, thanks for this great tool.

But I noticed that all options (the plain Dockerfile, and the ones for ShinyProxy and Heroku) use thr rocker/r-ver parent images that is based on ubuntu:focal. All these leave the USER as root which is generally discouraged due to security considerations, there is even a Hadolint warning for this.

I am wondering if it would be possible to add a user argument to the golem::add_dockerfile* functions?

This would be straightforward for ShinyProxy:

# ShinyProxy
...

RUN addgroup --system shiny && adduser --system --ingroup shiny shiny
USER shiny

EXPOSE 3838
CMD  ["R", "-e", "options('shiny.port'=3838,shiny.host='0.0.0.0');ShinyWBI::run_app()"]

and on Heroku:

# Heroku
...

RUN addgroup --system shiny && adduser --system --ingroup shiny shiny
USER shiny
CMD R -e "options('shiny.port'=$PORT,shiny.host='0.0.0.0');ShinyWBI::run_app()"

The catch for the plain Dockerfile is that it exposes port 80 that is a low port not available for non-privileged users, so the port would have to be changed to e.g. 8080:

...
RUN addgroup --system shiny && adduser --system --ingroup shiny shiny
USER shiny
EXPOSE 8080
CMD R -e "options('shiny.port'=8080,shiny.host='0.0.0.0');ShinyWBI::run_app()"

I am happy to work on a PR if this suggestion makes sense.

psolymos avatar Apr 11 '22 01:04 psolymos

HI,

thanks a lot.

I'm working on a new way to create Dockerfile (based on renv), you may want to do a PR on the branch https://github.com/ThinkR-open/golem/tree/renv_wip too :)

and I'd love to hear your opinion on the add_dockerfile_with_renv_* functions

VincentGuyader avatar Apr 11 '22 10:04 VincentGuyader

hi @psolymos we just release the 0.3.3 golem version this include some renv based dockerfile creation see https://github.com/ThinkR-open/golem/blob/master/R/add_dockerfiles_renv.R

I missed the opportunity to implement your request, which seems relevant to me.

Would you like to take care of the PR that corrects this?

VincentGuyader avatar Jul 28 '22 11:07 VincentGuyader

I wonder if this should be dealt with in {dockerfiler} directly, or here?

ColinFay avatar Jul 28 '22 13:07 ColinFay

Thanks for the update. I imagine that a user = NULL argument can be added (in {golem} or {dockerfiler}). When not NULL, we'd add the RUN addgroup ... and the USER instructions. (For the sake of completeness I mention that one needs a WORKDIR instruction when using shiny::runApp(), but here you are not tied to a directory due to using package::run_app().)

psolymos avatar Jul 28 '22 14:07 psolymos