Running app inside Docker as non-root user


wernight opened this issue

Jan 6, 2016

· 6 comments

Comments

@wernight

@noaho

And it failed to start.

@wernight

Did you pull the latest version? Which tag?

@noaho

I do have another step that pulls the latest version.

@wernight

If you feel the documentation isn’t clear, what would you suggest?

@noaho

@wernight

autoupdate starts as root inside the container to install/upgrade plex, then runs as UID 797 (which was randomly chosen).

If you feel the README isn’t clear, I’d appreciate suggestions to improve it.

@wernight
@noaho

initdb

The following documentation comment has been logged on the website:

Page: https://www.postgresql.org/docs/9.6/static/app-initdb.html
Description:

So I was trying to create a new db with initdb.  I tried to run this with
the postgres user after installing the server rpm and it failed with runuser
may not be run as non-root users.   So then for fun I tried to run init db
as the root user which should have failed but instead it just reported
initializing database ... OK

According to the documentation this should have failed.  This is on centos
kernel version 3.10.0-693.11.6 and I was using the 9.6 repo.

PG Doc comments form <noreply@postgresql.org> writes:
> So I was trying to create a new db with initdb.  I tried to run this with
> the postgres user after installing the server rpm and it failed with runuser
> may not be run as non-root users.   So then for fun I tried to run init db
> as the root user which should have failed but instead it just reported
> initializing database ... OK

hmm, worksforme:

$ sudo initdb -D someplace
initdb: cannot be run as root
Please log in (using, e.g., "su") as the (unprivileged) user that will
own the server process.

Were you actually running initdb directly, or some script that perhaps
sudo'd internally?

            regards, tom lane


The database was created under /var/lib/pgsql/9.6/data

  • logutil-newfifo by default creates fifos with root as the owner.
    • I think a user can work around this by using -o (their user)
  • logutil-service tries to switch to the nobody user, this will fail.
  • fix-attrs.d files will likely not work.
  • the socklog-overlay add-on won’t work.
  • the catch-all logger won’t work.

Having to create a lot of these small utilities may not be super maintainable, but I don’t want to take any approach that runs large chunks of s6-overlay as root via SETUID either. And I definitely do not want any SETUID binaries that interpret things like scripts, or allow you to launch other programs as root, etc — it would make things easier but it also seems incredibly dangerous. Using SETUID should be very, very targeted and specific.

When I do su tomcat7, nothing happens.

whoami still returns root after doing su tomcat7

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
messagebus:x:101:104::/var/run/dbus:/bin/false
colord:x:102:105:colord colour management daemon,,,:/var/lib/colord:/bin/false
saned:x:103:106::/home/saned:/bin/false
tomcat7:x:104:107::/usr/share/tomcat7:/bin/false

What I’m trying to work around is this error in Hudson:

Command "git fetch -t git@________.co.za:_______/_____________.git +refs/heads/*:refs/remotes/origin/*" returned status code 128: Host key verification failed.

FROM debian:wheezy

# install java on image
RUN apt-get update
RUN apt-get install -y openjdk-7-jdk tomcat7

# install hudson on image
RUN rm -rf /var/lib/tomcat7/webapps/*
ADD ./ROOT.tar.gz /var/lib/tomcat7/webapps/

# copy hudson config over to image
RUN mkdir /usr/share/tomcat7/.hudson
ADD ./dothudson.tar.gz /usr/share/tomcat7/
RUN chown -R tomcat7:tomcat7 /usr/share/tomcat7/

# add ssh certificates
RUN mkdir /root/.ssh
ADD ssh.tar.gz /root/

# install some dependencies
RUN apt-get update
RUN apt-get install -y maven
RUN apt-get install -y git
RUN apt-get install -y subversion

# background script
ADD run.sh /root/run.sh
RUN chmod +x /root/run.sh

# expose port 8080
EXPOSE 8080


CMD ["/root/run.sh"]

I’m using the latest version of Docker (Docker version 1.0.0, build 63fe64c/1.0.0), is this a bug in Docker or am I missing something in my Dockerfile?

Issue

user@gentoo ~ $ ping localhost
ping: unknown host localhost

Troubleshooting

Potential causes

  • Malformed content or improper permissions on /etc/hosts
  • Malformed content or improper permissions on /etc/host.conf
  • Malformed content or improper permissions on /etc/nsswitch.conf

Diagnostics

One might consider nslookup or dig suitable diagnostic tools for this use case, but they are only applicable when troubleshooting DNS server name resolution: they never look at /etc/hosts. strace is the right tool for the diagnostic task at hand, because it shows which files the resolver actually tries to open.

user@gentoo ~ $ strace -e open ping localhost
open("/etc/ld.so.cache", O_RDONLY)      = 3
open("/lib/libc.so.6", O_RDONLY)        = 3
open("/etc/resolv.conf", O_RDONLY)      = 3
open("/etc/resolv.conf", O_RDONLY)      = 3
open("/etc/nsswitch.conf", O_RDONLY)    = -1 EACCES (Permission denied)
open("/etc/ld.so.cache", O_RDONLY)      = 3
open("/lib/libnss_dns.so.2", O_RDONLY)  = 3
open("/lib/libresolv.so.2", O_RDONLY)   = 3
open("/etc/host.conf", O_RDONLY)        = 3
ping: unknown host localhost

Cause

/etc/nsswitch.conf is not readable by the unprivileged user (the EACCES in the strace above), so glibc's NSS cannot read the configured lookup order and, as the trace shows, loads only the DNS backend and never consults /etc/hosts.

Steps to Reproduce

Change the mode of /etc/resolv.conf, /etc/host.conf, /etc/hosts to 600.

Resolution

Change the mode of /etc/nsswitch.conf to 644.

user@gentoo ~ $ sudo chmod 644 /etc/nsswitch.conf
user@gentoo ~ $ strace -e open ping localhost
open("/etc/ld.so.cache", O_RDONLY)      = 3
open("/lib/libc.so.6", O_RDONLY)        = 3
open("/etc/resolv.conf", O_RDONLY)      = 3
open("/etc/resolv.conf", O_RDONLY)      = 3
open("/etc/nsswitch.conf", O_RDONLY)    = 3
open("/etc/ld.so.cache", O_RDONLY)      = 3
open("/lib/libnss_files.so.2", O_RDONLY) = 3
open("/etc/host.conf", O_RDONLY)        = 3
open("/etc/hosts", O_RDONLY|O_CLOEXEC)  = 3
ping: icmp open socket: Operation not permitted

user@gentoo ~ $ ping -c 2 localhost
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_req=1 ttl=64 time=0.066 ms
64 bytes from localhost (127.0.0.1): icmp_req=2 ttl=64 time=0.056 ms
--- localhost ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.056/0.061/0.066/0.005 ms
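An added check for this failure mode (not part of the original page): it pulls the EACCES opens out of an `strace -e open` log like the one above and reports which of the files an unprivileged resolver must read are not world-readable. The strace excerpt is constructed to mirror the failing session.

```shell
#!/bin/sh
# Constructed strace -e open excerpt, mirroring the failing session above.
STRACE_SAMPLE='open("/etc/resolv.conf", O_RDONLY)      = 3
open("/etc/nsswitch.conf", O_RDONLY)    = -1 EACCES (Permission denied)
open("/lib/libnss_dns.so.2", O_RDONLY)  = 3
open("/etc/host.conf", O_RDONLY)        = 3'

# Read an strace -e open log on stdin and print every path whose open()
# failed with EACCES. Any hit on an NSS config file explains "unknown host".
denied_opens() {
  sed -n 's/^open("\([^"]*\)".*= -1 EACCES.*/\1/p'
}

# Given an octal mode string (as printed by stat), return 0 if "others"
# have the read bit, 1 otherwise. The last octal digit is the others' triplet.
world_readable_mode() {
  mode=$1
  others=${mode#"${mode%?}"}   # last character of the mode string
  case $others in
    4|5|6|7) return 0 ;;
    *)       return 1 ;;
  esac
}

# Report which of the NSS files a non-root resolver needs are not
# world-readable on this machine. Uses stat(1), GNU first then BSD syntax.
nss_readability_report() {
  for f in /etc/nsswitch.conf /etc/hosts /etc/host.conf /etc/resolv.conf; do
    [ -e "$f" ] || continue
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    world_readable_mode "$mode" || printf '%s mode %s is not world-readable\n' "$f" "$mode"
  done
}
```

Run `strace -e open ping localhost 2>&1 | denied_opens` on the affected host to see the culprit directly, then `nss_readability_report` to confirm which file needs `chmod 644`.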

I have noticed this post getting a bit of attention. A word of advice for anyone who is potentially interested in doing something like this: I would try to use Python or another language as a wrapper for your script executions. With native bash scripts I had problems when trying to pass a variety of arguments through to my containers; specifically, there were issues with the shell's interpretation/escaping of the `"` and `'` characters.


Here is an example of my dockermagick shell script:

#!/bin/bash

### VARIABLES

DOCKER_IMAGE='acleancoder/imagemagick-full:latest'
CONTAINER_USERNAME='dummy'
CONTAINER_GROUPNAME='dummy'
HOMEDIR='/home/'$CONTAINER_USERNAME
GROUP_ID=$(id -g)   # gid of the host user running the script
USER_ID=$(id -u)    # uid of the host user running the script

### FUNCTIONS

# Emit the shell snippet that creates a group and user inside the container
# with the same numeric ids as the host user, so files written to the mounted
# directory end up owned by the host user. The '&&' are quoted so they survive
# the host shell and are only interpreted by the container's bash.
create_user_cmd()
{
  echo \
    groupadd -f -g $GROUP_ID $CONTAINER_GROUPNAME '&&' \
    useradd -u $USER_ID -g $CONTAINER_GROUPNAME $CONTAINER_USERNAME '&&' \
    mkdir --parent $HOMEDIR '&&' \
    chown -R $CONTAINER_USERNAME:$CONTAINER_GROUPNAME $HOMEDIR
}

# Emit the prefix that drops from root to that user before running the
# requested command.
execute_as_cmd()
{
  echo \
    sudo -u $CONTAINER_USERNAME HOME=$HOMEDIR
}

# Join both pieces plus the script arguments into one single-quoted string,
# which becomes the -c argument of the container's bash.
full_container_cmd()
{
  echo "'$(create_user_cmd) && $(execute_as_cmd) $@'"
}

### MAIN

# eval is needed so the single-quoted string built above reaches bash -c as
# one argument. This is also where the quoting problems mentioned above come
# from: arguments are re-parsed by the host shell before docker sees them.
eval docker run \
    --rm=true \
    -a stdout \
    -v $(pwd):$HOMEDIR \
    -w $HOMEDIR \
    $DOCKER_IMAGE \
    /bin/bash -ci $(full_container_cmd $@)

This script is bound to the ‘acleancoder/imagemagick-full’ image, but that can be changed by editing the variable at the top of the script.

What it basically does is:

  • Create a user id and group within the container to match the user who executes the script from the host OS.
  • Mounts the current working directory of the host OS (using docker volumes) into home directory for the user we create within the executing docker container.
  • Sets the tmp directory as the working directory for the container.
  • Passes any arguments that are passed to the script, which will then be executed by the ‘/bin/bash’ of the executing docker container.

For example:

$ cd ~/MyImages
$ ls
  MyImage.jpeg
$ dockermagick convert MyImage.jpeg Foo.png
$ ls
  Foo.png MyImage.jpeg

I have also attached to ‘stdout’ so I can run the ImageMagick identify command to get info on an image on my host, e.g.:

$ dockermagick identify MyImage.jpeg
  MyImage.jpeg JPEG 640x426 640x426+0+0 8-bit DirectClass 78.6KB 0.000u 0:00.000

There are obvious dangers in mounting the current directory and allowing any arbitrary command to be passed along for execution, but there are also many ways to make the script safer. I am executing this in my own non-production personal environment, so these are not of the highest concern for me, but I would highly recommend you take the dangers into consideration should you choose to expand upon this script. It’s also worth mentioning that this script doesn’t take an OS X host into consideration. The Makefile that I steal ideas/concepts from does take this into account, so you could extend this script to do so.

$ cd ~/MyImages
$ ls
  MyImage.jpeg
$ dockermagick convert ~/DifferentDirectory/AnotherImage.jpeg Foo.png
$ ls
  MyImage.jpeg

It’s best just to go to the directory containing the image and execute against it directly. Of course I am sure there are ways to get around this limitation too, but for me and my current needs, this will do.
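An added wrapper (not the author's dockermagick script) for the same idea, written to sidestep the quoting problems described above: it passes `"$@"` straight through instead of building a command string for eval, and uses docker's `--user uid:gid` so no account has to be created inside the container. The `DOCKER` variable is an assumption added here so the function can be dry-run without a Docker daemon.

```shell
#!/bin/sh
# Run a one-off container as the calling host user, with the current
# directory mounted as that user's home and working directory.
DOCKER_IMAGE=${DOCKER_IMAGE:-'acleancoder/imagemagick-full:latest'}
HOMEDIR='/home/dummy'
# Assumed helper knob: set DOCKER=echo (or another argv printer) to dry-run.
DOCKER=${DOCKER:-docker}

dockermagick() {
  # "$@" forwards every argument verbatim, quotes and spaces included,
  # so nothing is re-parsed by the host shell on its way to the container.
  # --user needs no /etc/passwd entry in the image; HOME is set explicitly
  # because there is no passwd entry to derive it from.
  "$DOCKER" run --rm \
    --user "$(id -u):$(id -g)" \
    -e HOME="$HOMEDIR" \
    -v "$(pwd):$HOMEDIR" \
    -w "$HOMEDIR" \
    "$DOCKER_IMAGE" "$@"
}

# Usage: dockermagick convert 'My Image.jpeg' Foo.png
```

Files created in the mount are owned by the host uid/gid, as with the original script, but the container process never runs as root at all.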
