
Add more detailed explanations on the reasons why sudo should be avoided

Open VonUniGE opened this issue 6 years ago • 4 comments

If sudo is included in a command, dockerfilelint outputs the following message:

Avoid installing or using sudo since it has unpredictable TTY and signal-forwarding behavior that can cause problems. If you absolutely need functionality similar to sudo, such as initializing the daemon as root but running it as non-root), consider using “gosu”.

This message should give more detailed explanations (or a link) on the reasons why sudo should be avoided.

There is also a question about this on unix.stackexchange.com: What exactly in the sudo behavior is unpredictable?

VonUniGE, Apr 11 '18 21:04

This is actually a quote from the official docker best practices:

https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user

To see the official reasoning in full detail, I recommend having a look at the gosu repository: https://github.com/tianon/gosu#gosu

SISheogorath, Apr 11 '18 21:04

OK, the source of the message is the official Docker documentation. But I cannot find the reasoning you mention in the gosu repository. Can you provide a citation for this reasoning?

VonUniGE, Apr 12 '18 07:04

Have a look at the "Why?" section of the gosu readme. It refers to a Dockerfile for testing purposes. These are all kinds of edge cases that cause problems with sudo.

For a detailed description of what complicated behavior sudo implies, I recommend reading the sudo man page and its detailed description of signal handling and the process model.

SISheogorath, Apr 12 '18 07:04

Thank you for your answer.

I understand that sudo is too heavy and complicated if the only goal is to drop privileges from root to a user. But if we want to test an application in different dockerized Linux distributions, I think that sudo can still be useful.

I would like dockerfilelint to give a more detailed explanation here, in order to let the user make an informed choice and not just follow a recommendation for which he doesn't understand the reasons.

But for now, I have no better formulation to propose...

VonUniGE, Apr 14 '18 20:04
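
The process-model point raised in the thread (sudo runs the command as a child and has to relay signals to it, while gosu replaces itself with the command via exec), as an added example that is not code from dockerfilelint, sudo or gosu. The stand-in app and both wrappers are constructed; `FORK_WAIT` relays no signals at all, so it shows the limiting case rather than sudo's actual relay rules.

```python
import os, signal, subprocess, sys, tempfile, time

# Constructed stand-in for the daemon: logs its PID, then logs SIGTERM if one arrives.
APP = r'''
import os, signal, sys, time
def note(text):
    with open(sys.argv[1], "a") as f:
        f.write(text + "\n")
def on_term(signum, frame):
    note("TERM")
    sys.exit(0)
signal.signal(signal.SIGTERM, on_term)
note("pid %d" % os.getpid())
time.sleep(30)
'''

# Constructed wrappers (assumptions, not sudo or gosu themselves).
# FORK_WAIT: runs the command as a child and waits, relaying no signals.
# EXEC: replaces itself with the command, the approach gosu takes.
FORK_WAIT = "import subprocess, sys; subprocess.call(sys.argv[1:])"
EXEC = "import os, sys; os.execv(sys.argv[1], sys.argv[1:])"

def read_log(path):
    try:
        with open(path) as f:
            return f.read()
    except FileNotFoundError:
        return ""

def stop_via_wrapper(wrapper_src):
    """Launch APP through a wrapper, SIGTERM the launched PID, report what APP saw."""
    with tempfile.TemporaryDirectory() as tmp:
        log = os.path.join(tmp, "app.log")
        cmd = [sys.executable, "-c", wrapper_src, sys.executable, "-c", APP, log]
        proc = subprocess.Popen(cmd)
        deadline = time.time() + 10
        while "\n" not in read_log(log) and time.time() < deadline:
            time.sleep(0.05)
        app_pid = int(read_log(log).split()[1])
        proc.send_signal(signal.SIGTERM)   # the only PID the runtime knows about
        proc.wait()
        got_term = "TERM" in read_log(log)
        if app_pid != proc.pid:            # orphaned app is still running: clean up
            os.kill(app_pid, signal.SIGKILL)
        return {"same_pid": app_pid == proc.pid, "app_got_sigterm": got_term}

if __name__ == "__main__":
    print("fork+wait:", stop_via_wrapper(FORK_WAIT))
    print("exec:     ", stop_via_wrapper(EXEC))
```

With the exec wrapper the app runs under the PID that was launched, so a stop signal reaches its handler directly; with the fork-and-wait wrapper, delivery depends entirely on what the wrapper chooses to relay.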