golem
golem copied to clipboard
Non-privileged user in Dockerfile
I have been using and modifying the Dockerfiles generated by {golem}. The system and R dependencies are a great help and I had to modify very little, thanks for this great tool.
But I noticed that all options (the plain Dockerfile, and the ones for ShinyProxy and Heroku) use thr rocker/r-ver
parent images that is based on ubuntu:focal
. All these leave the USER
as root
which is generally discouraged due to security considerations, there is even a Hadolint warning for this.
I am wondering if it would be possible to add a user
argument to the golem::add_dockerfile*
functions?
This would be straightforward for ShinyProxy:
# ShinyProxy
...
RUN addgroup --system shiny && adduser --system --ingroup shiny shiny
USER shiny
EXPOSE 3838
CMD ["R", "-e", "options('shiny.port'=3838,shiny.host='0.0.0.0');ShinyWBI::run_app()"]
and on Heroku:
# Heroku
...
RUN addgroup --system shiny && adduser --system --ingroup shiny shiny
USER shiny
CMD R -e "options('shiny.port'=$PORT,shiny.host='0.0.0.0');ShinyWBI::run_app()"
The catch for the plain Dockerfile is that it exposes port 80 that is a low port not available for non-privileged users, so the port would have to be changed to e.g. 8080:
...
RUN addgroup --system shiny && adduser --system --ingroup shiny shiny
USER shiny
EXPOSE 8080
CMD R -e "options('shiny.port'=8080,shiny.host='0.0.0.0');ShinyWBI::run_app()"
I am happy to work on a PR if this suggestion makes sense.
HI,
thanks a lot.
I'm working on a new way to create Dockerfile (based on renv), you may want to do a PR on the branch https://github.com/ThinkR-open/golem/tree/renv_wip too :)
and I'd love to hear your opinion on the add_dockerfile_with_renv_* functions
hi @psolymos we just release the 0.3.3 golem version this include some renv based dockerfile creation see https://github.com/ThinkR-open/golem/blob/master/R/add_dockerfiles_renv.R
I missed the opportunity to implement your request, which seems relevant to me.
Would you like to take care of the PR that corrects this?
I wonder if this should be dealt with in {dockerfiler} directly, or here?
Thanks for the update. I imagine that a user = NULL
argument can be added (in {golem} or {dockerfiler}). When not NULL
, we'd add the RUN addgroup ...
and the USER
instructions. (For the sake of completeness I mention that one needs a WORKDIR
instruction when using shiny::runApp()
, but here you are not tied to a directory due to using package::run_app()
.)