docker-maven
set default user to non-root
Runs the container as user different from root for security reasons.
See https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-2-set-a-user
Thanks, this was brought up previously with the Docker official images maintainers and the answer was to keep the default user as root; unfortunately I cannot find the issue where this was brought up.
Here it is: https://github.com/carlossg/docker-maven/pull/8#issuecomment-151805689
This would mean any user runs as root or needs to inherit from this image to run as non-root.
What about making it secure by default and leaving it open to run as root? (invert the current behaviour + docs)
This comment here from the official images maintainers: https://github.com/docker-library/official-images/pull/690#issuecomment-97490517
Hmm. Do you think of your image as a base image or as an end-user image?
If you answer base image, I would offer to add a non-root image beside your base image.
It is a base image. I could add a nonroot image, but it would need to be generated somehow, as I don't want to maintain 2x the images.
Is there already some parameterization system in place which might allow this repo to publish an alternate set of tags that would switch to a nonroot user?
As it stands, this image is ~~hard~~ less than obvious how to use directly in a CI system which for example enforces K8s PSA at the restricted level. In Jenkins (edit as of https://github.com/jenkinsci/kubernetes-plugin/pull/1571):
```groovy
podTemplate(yaml: '''
apiVersion: v1
kind: Pod
spec:
  containers:
  - name: maven
    image: maven
    command:
    - sleep
    args:
    - infinity
    securityContext:
      runAsUser: 1000
    env:
    - name: MAVEN_OPTS
      value: -Duser.home=/home/jenkins/agent
''') {
    node(POD_LABEL) {
        git 'https://github.com/jglick/simple-maven-project-with-tests'
        container('maven') {
            sh 'mvn -B -ntp compile'
        }
    }
}
```
or if you prefer
```groovy
podTemplate(containers: [containerTemplate(name: 'maven', image: 'maven', command: 'sleep', args: 'infinity', runAsUser: '1000', envVars: [envVar(key: 'MAVEN_OPTS', value: '-Duser.home=/home/jenkins/agent')])]) {
    // … as before
}
```
There is some code generation here https://github.com/carlossg/docker-maven/blob/main/publish.sh#L19
Would need something to create new files for the nonroot variants.
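As an added example (not code from carlossg/docker-maven or its publish.sh), here is one way the "inherit from this image to run as non-root" step from earlier in the thread and the "generate the nonroot variants instead of maintaining them twice" step discussed above could look in a single script: it renders a `-nonroot` Dockerfile from a base tag and includes a check that the rendered file really ends with a non-root `USER`. The user name `maven`, uid/gid 1000, the `MAVEN_CONFIG` override and the assumption that the tag is a Debian-based variant (with `useradd`/`groupadd`) are all illustrative assumptions, not anything the project has decided.

```shell
#!/bin/sh
# Added example, not part of docker-maven: render a nonroot Dockerfile variant
# from a base maven tag and verify it runs as a non-root user.
set -eu

# render_nonroot_dockerfile BASE_TAG OUT_DIR
# Writes OUT_DIR/Dockerfile deriving from maven:BASE_TAG and switching to a
# non-root user; prints the path of the generated file.
render_nonroot_dockerfile() {
  base_tag=$1
  out_dir=$2
  mkdir -p "$out_dir"
  {
    printf 'FROM maven:%s\n' "$base_tag"
    # Quoted heredoc: ${...} and backslashes reach the Dockerfile verbatim.
    cat <<'EOF'

# Assumed for the illustration: uid/gid 1000 and a Debian-based variant
# (Alpine tags would need addgroup/adduser instead).
ARG MAVEN_UID=1000
ARG MAVEN_GID=1000
RUN groupadd -g "${MAVEN_GID}" maven \
 && useradd -u "${MAVEN_UID}" -g "${MAVEN_GID}" -m -d /home/maven maven \
 && mkdir -p /home/maven/.m2 \
 && chown -R maven:maven /home/maven

# Point Maven's settings/repository at a directory the new user can write
# (assumed here: the base image's MAVEN_CONFIG points at root's home).
ENV MAVEN_CONFIG=/home/maven/.m2
USER maven
WORKDIR /home/maven
EOF
  } > "$out_dir/Dockerfile"
  printf '%s\n' "$out_dir/Dockerfile"
}

# last_user DOCKERFILE: print the user named by the final USER directive
# (empty if none); that is what the container will run as by default.
last_user() {
  awk 'toupper($1) == "USER" { u = $2 } END { print u }' "$1"
}

# runs_as_nonroot DOCKERFILE: succeed only if the final USER is present and is
# neither root nor uid 0 (with or without a group suffix).
runs_as_nonroot() {
  u=$(last_user "$1")
  case "$u" in
    ""|root|0|root:*|0:*) return 1 ;;
    *) return 0 ;;
  esac
}

# Usage: ./nonroot.sh TAG [TAG...]  renders ./nonroot/<TAG>/Dockerfile per tag
# and refuses to keep any variant that does not end up non-root.
for tag in "$@"; do
  f=$(render_nonroot_dockerfile "$tag" "nonroot/$tag")
  runs_as_nonroot "$f" || { echo "$f still runs as root" >&2; exit 1; }
done
```

The generated Dockerfile only fixes the default user; the Jenkins pod spec above still has to pick a `runAsUser` that has a writable home (here uid 1000 and `/home/maven`), otherwise Maven falls back to a `?/.m2` it cannot create. The `runs_as_nonroot` check is the kind of guard a publish script can run before tagging a variant as nonroot.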