serverless-python-requirements

Fix rootless dockerization

Open rtweeks opened this issue 4 years ago • 2 comments

Rootless Docker provides enhanced security for Linux users, but maps the uids and gids in ways not compatible with what this module was doing. If rootless Docker is detected, skip the unnecessary chown commands.

(fixes #589)

rtweeks avatar Feb 22 '21 00:02 rtweeks

These commits should cherry-pick cleanly on top of v5.1.0. I've essentially done that in the scoped version I released as @rtweeks/[email protected].

rtweeks avatar Feb 22 '21 15:02 rtweeks

I believe the existing tests effectively check that the chown is (still) occurring, since failure to chown would mean the resulting files would be inaccessible to the invoking user during the evaluation of the test run output. I'm not sure how it would be possible to test the "rootless" case as I believe the docker-in-docker used in the test environment always runs rooted. "Rootless" docker also requires the newuidmap and newgidmap functions, which may not be present in the testing environment.

As a mitigating circumstance, the "rootless" support is intended only for use on a local machine that is primarily dedicated to other activities (for instance, the case of a developer's machine which is primarily a desktop computer). Even if this case failed, the workaround would be the current standard: run the container in a VM as root.

rtweeks avatar Apr 15 '21 16:04 rtweeks

Hey @rtweeks - it's been a long time since this PR was proposed. I'm going to close it, if you feel like the issue is valid, please open a new issue or a new PR against the latest main branch. Thanks 🙇

pgrzesik avatar Sep 27 '22 18:09 pgrzesik