Run docker container as non-root

Open jradtilbrook opened this issue 6 years ago • 10 comments

The docker image (alpine and ubuntu) runs as the root user by default which is a security risk. Would you consider changing to a less privileged user?

jradtilbrook avatar Jun 08 '19 02:06 jradtilbrook

Can you tell us a bit more about the context you are using the image in where you consider it a security risk?

It’s certainly something we’d consider, it just makes orchestration a lot more complicated, especially for docker with user namespacing enabled (which I’d consider the stronger security if I had to choose).

On 8 Jun 2019, at 12:46 pm, Jarryd Tilbrook wrote:

> The docker image (alpine and ubuntu) runs as the root user by default which is a security risk. Would you consider changing to a less privileged user?

lox avatar Jun 08 '19 03:06 lox

Sure! I'm using the Buildkite Helm chart to deploy an agent inside a Kubernetes cluster and using that agent to perform deploys of services inside the cluster using Helm. So I'm actually baking more binaries into the docker image and can change the user from there as well.

So the main reasoning is I just don't want any container running as root in the cluster. Especially since my use case doesn't mount the docker socket from the host and all pipeline commands are run directly from the agents' pod.

Since I'm extending the image anyway it's not necessary for my use case but thought it might be useful for others if it was the default.

Let me know what you think or if you need more info.

jradtilbrook avatar Jun 08 '19 03:06 jradtilbrook
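
An added example, not part of the thread or of Buildkite's code: one way to check the "no container running as root in the cluster" policy from the comment above against a pod manifest. It assumes the manifest is available as a parsed dict (for instance from `kubectl get pods -o json`); the sample pod, its container names and image names are constructed placeholders.

```python
# Constructed sample manifest; names and images are placeholders, not from the thread.
SAMPLE_POD = {
    "metadata": {"name": "buildkite-agent-example"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},  # pod-level default
        "containers": [
            # Inherits runAsNonRoot from the pod: kubelet refuses to start it as UID 0.
            {"name": "agent", "image": "example/agent-with-helm"},
            # Container-level setting overrides the pod-level one.
            {"name": "deploy", "image": "example/deploy",
             "securityContext": {"runAsUser": 0}},
            # Override switches the guard off, so the image's default user applies.
            {"name": "sidecar", "image": "example/sidecar",
             "securityContext": {"runAsNonRoot": False}},
        ],
    },
}


def effective(pod_sc, ctr_sc, key):
    """Container-level securityContext fields take precedence over pod-level ones."""
    return ctr_sc.get(key, pod_sc.get(key))


def audit_pod(pod):
    """Return {container name: finding} for containers that can run as UID 0."""
    spec = pod.get("spec") or {}
    pod_sc = spec.get("securityContext") or {}
    findings = {}
    for kind in ("initContainers", "containers"):
        for ctr in spec.get(kind) or []:
            ctr_sc = ctr.get("securityContext") or {}
            uid = effective(pod_sc, ctr_sc, "runAsUser")
            non_root = effective(pod_sc, ctr_sc, "runAsNonRoot")
            if uid == 0:
                findings[ctr["name"]] = "runAsUser is 0 (explicit root)"
            elif uid is None and non_root is not True:
                # Nothing pins the UID: whatever USER the image declares is used,
                # which is root for an image that does not set one.
                findings[ctr["name"]] = "image default user applies (may be root)"
    return findings


if __name__ == "__main__":
    for name, why in audit_pod(SAMPLE_POD).items():
        print(f"{name}: {why}")
```
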

Related: https://github.com/buildkite/docker-buildkite-agent/pull/18

toolmantim avatar Jun 08 '19 03:06 toolmantim

And https://github.com/buildkite/docker-buildkite-agent/pull/38

toolmantim avatar Jun 08 '19 03:06 toolmantim

> So the main reasoning is I just don't want any container running as root in the cluster.

Why is that @jradtilbrook?

lox avatar Jun 08 '19 03:06 lox

Oh thanks for posting those, I didn't think to look at the archived repo for existing issues.

Basically to add another layer of security. In case of an attack, the root user could install new packages to assist in an attack to expose other services etc within the cluster. So I just want to run the buildkite-agent binary and other binaries with a least-privilege user to reduce those risks.

jradtilbrook avatar Jun 08 '19 03:06 jradtilbrook

Thanks, that is good context. Makes sense! It's something we'll likely consider at some point in the future. Have been hoping Docker would fix a few more bugs around user namespacing first.

lox avatar Jun 08 '19 03:06 lox

No worries!

jradtilbrook avatar Jun 08 '19 03:06 jradtilbrook

Another thing: if you need to run Elasticsearch, for, say, integration tests, it won't start as root.

There may be other software with the same issues though.

caarlos0 avatar Dec 12 '19 18:12 caarlos0