keep-ecdsa

Run the container as a user without privileges

Open alphastorm opened this issue 5 years ago • 0 comments

Currently the client runs as root by default:

user@host:~/keep-core$ sudo docker run --entrypoint "" keepnetwork/keep-ecdsa-client:latest whoami
root

Per https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user it's better to run as a non-root user when possible. This copies the approach from https://github.com/prometheus/prometheus/pull/2859, which defaults to using nobody and allows overrides using the --user flag (for more discussion see https://github.com/prometheus/prometheus/issues/3441).

After the change:

user@host:~/keep-core$ sudo docker run --entrypoint "" keep-ecdsa-nobody:latest whoami
nobody

Tested by building the image from source and running my testnet node with it and the --user $UID:$GID flag (node was originally set up using these instructions).

NOTE: This is a breaking change, and after landing, users will need to ensure the mounted persistent directory has the correct ownership and/or they set --user correctly.

Same thing as https://github.com/keep-network/keep-core/pull/1826.

alphastorm, May 27 '20 17:05
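A pre-flight check for the ownership problem the NOTE describes, as an added example that is not part of the original issue or the keep-ecdsa repository: it finds files left behind by an earlier root-run container before the node is started under a non-root uid. The function names `foreign_paths` and `mount_check` are hypothetical, and the demo directory is constructed.

```shell
#!/bin/sh
# Added example. Checks owner uid only; the gid is just echoed back in the advice.

# foreign_paths DIR UID: list paths under DIR (DIR included) not owned by numeric UID.
foreign_paths() {
    find "$1" ! -user "$2" -print 2>/dev/null
}

# mount_check DIR UID:GID
#   DIR      host directory that will be mounted as persistent storage
#   UID:GID  ids the container process will run as (the value given to --user)
# Returns 0 if every path is owned by UID, 1 if some are not, 2 if DIR is missing.
mount_check() {
    dir=$1
    uid=${2%%:*}
    gid=${2##*:}
    [ -d "$dir" ] || { echo "missing: $dir" >&2; return 2; }
    n=$(foreign_paths "$dir" "$uid" | wc -l | tr -d ' ')
    if [ "$n" -eq 0 ]; then
        echo "ok: $dir is usable with --user $uid:$gid"
        return 0
    fi
    # Typical cause: files written while the container still ran as root.
    echo "$n path(s) under $dir not owned by uid $uid, for example:"
    foreign_paths "$dir" "$uid" | head -n 3
    echo "either: chown -R $uid:$gid $dir"
    echo "or:     pass a --user value matching the current owner"
    return 1
}

# Constructed demo: a temp directory owned by the invoking user passes the check.
demo=$(mktemp -d)
touch "$demo/keyfile"
mount_check "$demo" "$(id -u):$(id -g)"
rm -rf "$demo"
```
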