Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

build: containers will now run as the non-root rafiki user #3277

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

build: containers will now run as the non-root rafiki user #3277

wants to merge 4 commits into from

Conversation

bosbaber
Copy link

@bosbaber bosbaber commented Feb 6, 2025
edited
Loading

Changes proposed in this pull request

  • Modified both the dev and prod Dockerfiles of all the services to run as the non-root Rafiki user.
  • To achieve this we have to chown the packages back to rafiki after each copy to ensure the ownership is correct. Otherwise the build process create the symlinks it wants to make.

Context

As part of me trying to get into understanding the build pipeline, I noticed that the docker containers currently run as the root user which can be considered a security issue.

  • For dev builds we have to switch between Rafiki and root user during the build process to ensure everything links correctly
  • For prod builds, only the run-container will now run as Rafiki user, but with read-only access to the packages folder

Just to make it clear, after the change this is the status:

$ docker exec rafiki-happy-life-backend-1 touch /etc/danger-zone
touch: /etc/danger-zone: Permission denied
$ docker exec rafiki-happy-life-backend-1 whoami
rafiki

Checklist

  • Related issues linked using fixes #number
  • Tests added/updated
  • Make sure that all checks pass
  • Bruno collection updated (if necessary)
  • Documentation issue created with user-docs label (if necessary)
  • OpenAPI specs updated (if necessary)

@bosbaber bosbaber requested a review from golobitch February 6, 2025 20:19
@github-actions github-actions bot added pkg: backend Changes in the backend package. pkg: frontend Changes in the frontend package. pkg: auth Changes in the GNAP auth package. labels Feb 6, 2025
@netlify Netlify
Copy link

netlify bot commented Feb 6, 2025
edited
Loading

Deploy Preview for brilliant-pasca-3e80ec canceled.

Name Link
🔨 Latest commit b584a7e
🔍 Latest deploy log https://app.netlify.com/sites/brilliant-pasca-3e80ec/deploys/67a9b5730b7d1700089583d0

@golobitch golobitch requested a review from mkurapov February 9, 2025 12:37
@golobitch
Copy link
Collaborator

Adding also @mkurapov as a reviewer. But to me, this looks like the correct approach. However I would say that you need to create rafiki user only in the runtime container, not in any before.

@bosbaber
Copy link
Author

Adding also @mkurapov as a reviewer. But to me, this looks like the correct approach. However I would say that you need to create rafiki user only in the runtime container, not in any before.

Good point, I made this change. Note that I am now also making the packages folder read-only for the run-container.

There are some flaky tests floating around which meant I had to manually re-run the auth tests in the pipeline. I'm sure this is a topic we will discuss soon.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@golobitch golobitch Awaiting requested review from golobitch

@mkurapov mkurapov Awaiting requested review from mkurapov

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
pkg: auth Changes in the GNAP auth package. pkg: backend Changes in the backend package. pkg: frontend Changes in the frontend package.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@bosbaber @golobitch