flame
[Feature] Enable non-root container build
In production environments (e.g. Kubernetes), security policies often disallow running containers in root mode with UID=0.
The following pull request enables the image to run in non-root mode.
More information: https://docs.bitnami.com/tutorials/work-with-non-root-containers/
Guys, unfortunately it was not a good idea to include chown in run because it supposes root permissions.
https://github.com/pawelmalak/flame/pull/314
This commit was doing the right thing actually: https://github.com/LuckyF/flame/commit/f8b69660c218ee2eea4464ad977b8ef3868f3e23
What if someone concerned with security tries to run docker with the -u <non-root-user>:<non-root-group> parameter?
This commit was doing the right thing actually: LuckyF@f8b6966
How was this commit right if server code couldn't access anything, making app unusable?
As I understand it, @andriibratanin means the commit was doing the right thing because it correctly set the ownership in the image - this means there's no need to chown the dir on startup.
There is no reason for this image to run as root - it should be using this commit and #314 should be reverted.
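The trade-off discussed in this thread, as an added example that is not part of the thread or of the flame repository: an entrypoint guard that starts the app when the data directory is already writable, attempts chown only when actually running as UID 0, and otherwise fails with a clear message instead of a failed chown. The path /app/data, the owner app:app and all function names are hypothetical.

```shell
#!/bin/sh
# Added example: startup guard for a data directory (hypothetical names and paths).

# startup_action UID WRITABLE -> prints: run | chown-then-run | refuse
startup_action() {
    uid=$1
    writable=$2
    if [ "$writable" = yes ]; then
        echo run             # ownership already correct (set at build time or on the volume)
    elif [ "$uid" -eq 0 ]; then
        echo chown-then-run  # only root is able to repair ownership at startup
    else
        echo refuse          # non-root and not writable: a chown here would fail
    fi
}

# can_write DIR -> prints yes if the current user can create files in DIR, else no
can_write() {
    if [ -d "$1" ] && [ -w "$1" ] && [ -x "$1" ]; then
        echo yes
    else
        echo no
    fi
}

# prepare_data_dir DIR OWNER -> returns 0 when DIR is usable by the current user
prepare_data_dir() {
    dir=$1
    owner=$2
    case $(startup_action "$(id -u)" "$(can_write "$dir")") in
        run)
            return 0 ;;
        chown-then-run)
            chown -R "$owner" "$dir" ;;
        refuse)
            echo "data dir $dir is not writable by uid $(id -u);" \
                 "set ownership in the image or on the mounted volume" >&2
            return 1 ;;
    esac
}

# Typical use in an entrypoint script (left commented so the file can be sourced):
# prepare_data_dir /app/data app:app && exec "$@"
```

When ownership is set at image build time and the container runs as that same user, only the `run` branch is taken and no startup chown is needed.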