
make Dockerfile use normal user instead of root

Open eino-makitalo opened this issue 3 years ago • 2 comments

Please go through this checklist and check the relevant items, delete irrelevant ones and provide related links

  • [ ] Does this PR change a config flag?

    • PR for docs under https://github.com/ava-labs/avalanche-docs/pulls
    • PR for Avash under https://github.com/ava-labs/avash/pulls
    • PR for AvalancheJS under https://github.com/ava-labs/avalanchejs/pulls
  • [ ] Does this PR change a Prometheus metric?

    • PR for docs (for Grafana) under https://github.com/ava-labs/avalanche-docs/pulls
  • [ ] Does this PR change an API?

    • PR for docs under https://github.com/ava-labs/avalanche-docs/pulls
    • PR for AvalancheJS under https://github.com/ava-labs/avalanchejs/pulls
  • [ ] Is this change backward compatible with the previous version of AvalancheGo?

  • [ ] Does this PR change where AvalancheGo looks for/puts files?

  • [ ] Does this PR change the serialization of anything?

  • [ ] Does this PR require a network upgrade?

  • [ ] Does this PR require a database upgrade?

  • [ ] Does this PR change any P2P message types?

  • [ ] If this PR is a release, do the release notes reflect all the changes above?

  • If you have other related issues/tickets, please link them here

Not highest priority, but you should avoid using the root user inside the Dockerfile.

Medium article

eino-makitalo avatar Aug 25 '21 05:08 eino-makitalo

Duplicate of #878

Hi @eino-makitalo and thanks for your contribution.

Currently, you are able to set the database directory with the AVAGO_DB_DIR environment variable. The same goes for the log directory (AVAGO_LOG_DIR). Refs: https://github.com/ava-labs/avalanchego/blob/master/config/keys.go#L25 https://github.com/ava-labs/avalanchego/blob/master/config/keys.go#L71 https://github.com/ava-labs/avalanchego/blob/master/config/viper.go#L28-L30

As for the change, we may want to avoid hardcoding an exact userid in the container. For instance, a user with id 1001 may already be present on the host machine and can suddenly become the database file owner.

If you want to run a container with a specific userid/groupid, please consider doing it at runtime. Ref: https://docs.docker.com/engine/reference/run/#user

Alternatively, if you are using a host machine for Avalanche workloads exclusively, you may try to run a docker daemon in rootless mode, binding all the docker workloads to a specific user by default. Ref: https://docs.docker.com/engine/security/rootless/

yevhenvolchenko avatar Sep 20 '21 15:09 yevhenvolchenko
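The runtime approach described in the comment above, as an added example that is not part of this thread or of the avalanchego repository: pick the UID at `docker run` time instead of baking one into the Dockerfile, check that a UID you intend to reuse is not already someone else's host account, and point the node at bind-mounted directories through the AVAGO_DB_DIR / AVAGO_LOG_DIR variables the comment names. The image name `avaplatform/avalanchego` and the `/data` mount point are assumed placeholders.

```shell
#!/bin/sh
# Added example (not project code): run the node image as an unprivileged user
# chosen at run time, with user-owned bind mounts for the database and logs.
# Assumed placeholders: image avaplatform/avalanchego, container mount point /data.

# Exit 0 if UID $1 already belongs to an account in passwd file $2 (default /etc/passwd).
# A UID hardcoded in a Dockerfile (e.g. 1001) may map to an unrelated host account,
# which would then own every file the container writes to a bind mount.
uid_in_use() {
  awk -F: -v u="$1" 'BEGIN { found = 0 } $3 == u { found = 1 }
                     END { if (found) exit 0; exit 1 }' "${2:-/etc/passwd}"
}

# Create the host directories the container will write into; the invoking user owns them,
# so no chown is needed when the container runs with that user's own uid/gid.
prepare_dirs() {
  mkdir -p "$1/db" "$1/logs" && chmod 700 "$1/db" "$1/logs"
}

# Build the docker command for uid $1, gid $2 and host data directory $3.
# A runtime UID usually has no passwd entry inside the image, so the node's defaults
# under $HOME are not usable; AVAGO_DB_DIR and AVAGO_LOG_DIR give it explicit paths.
build_run_cmd() {
  cmd="docker run --rm --user $1:$2"
  cmd="$cmd -v $3/db:/data/db -v $3/logs:/data/logs"
  cmd="$cmd -e AVAGO_DB_DIR=/data/db -e AVAGO_LOG_DIR=/data/logs"
  cmd="$cmd -p 9650:9650 -p 9651:9651 avaplatform/avalanchego"
  printf '%s\n' "$cmd"
}

main() {
  hostdir="${AVAGO_HOST_DIR:-$HOME/avalanchego}"
  uid="$(id -u)"; gid="$(id -g)"
  if [ "$uid" -eq 0 ]; then
    echo "refusing to run the node as root; invoke this as an unprivileged user" >&2
    return 1
  fi
  prepare_dirs "$hostdir"
  cmd="$(build_run_cmd "$uid" "$gid" "$hostdir")"
  echo "$cmd"
  eval "$cmd"
}

# Only start the node when explicitly asked: ./run-node.sh start
if [ "${1:-}" = "start" ]; then main; fi
```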

Any progress on this one? It is really needed here as well. Otherwise we will have to maintain our own image, which is painful.

ianhe8x avatar Jun 22 '22 05:06 ianhe8x