[REVERT][REVERRT] Add group and user in dockerfile to run container as unprivileged #502

Closed
wants to merge 2 commits into from

Conversation

Lissy93
Owner

@Lissy93 Lissy93 commented Feb 20, 2022

Lissy93/revert-501-revert-495-master → Lissy93/dashy | Commits: 2 | Files Changed: 4 | Additions: 16

PR to re-apply @Singebob's changes originally released in #495.

There was an issue that caused breaking changes for users, as raised in #498 and #499

Before merging, I need to either fix this, or update the documentation appropriately.


netlify bot commented Feb 20, 2022

✔️ Deploy Preview for dashy-dev ready!

🔨 Explore the source changes: 39dbb4c

🔍 Inspect the deploy log: https://app.netlify.com/sites/dashy-dev/deploys/6212c4e69a4b220008d6cd09

😎 Browse the preview: https://deploy-preview-502--dashy-dev.netlify.app

@Lissy93 Lissy93 linked an issue Feb 20, 2022 that may be closed by this pull request
4 tasks
@liss-bot liss-bot added the 🚫 Merge Conflicts [PR] Submitted code needs rebasing label Mar 6, 2022
Collaborator

liss-bot commented Apr 6, 2022

This PR is stale because it has been open 6 weeks with no activity. Either remove the stale label or comment below with a short update, otherwise this PR will be closed in 5 days.

@liss-bot liss-bot added the ⚰️ Stale [ISSUE] [PR] No activity for over 1 month label Apr 6, 2022
@Lissy93 Lissy93 removed the ⚰️ Stale [ISSUE] [PR] No activity for over 1 month label Apr 6, 2022
WORKDIR ${DIRECTORY}

# Copy built application from build phase
COPY --from=BUILD_IMAGE --chown=${USER}:${USER} /app ./
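
Review bot: On the `COPY --from=BUILD_IMAGE --chown=${USER}:${USER} /app ./` line, `${USER}` is used as both owner and group, and neither it nor `${DIRECTORY}` in the `WORKDIR` line above is defined in the lines shown. ARG values do not carry across a `FROM`, so both need an `ARG` or `ENV` inside this final stage, otherwise they expand to empty strings. A short comment next to those definitions would help, and a separate group variable is worth adding if the group name is ever meant to differ from the user name.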

Suggested change
COPY --from=BUILD_IMAGE --chown=${USER}:${USER} /app ./
COPY --from=BUILD_IMAGE /app ./

As long as the code doesn't need permissions to modify the source itself, I'd set the permissions so root owns the files and everyone else can read them (644). Otherwise, if there was a way for someone to take over the node process, they could add their own files and/or modify the source code.


bmonty commented Apr 20, 2022

In my testing to run Dashy in my Kubernetes cluster, I can't get the app to run as a non-root user. There are two main issues:

  1. Default port is 80, which is not usable by a non-root user. Easy to fix by setting the PORT variable to a higher number (8080 works).
  2. Part of the startup process does an rmdir /app/dist. If I run the code as a non-root user, it doesn't have the permissions to do this and the startup fails. I don't have a workaround for this one.

I'm not sure the changes in this PR would fix the second issue.
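
An added example (not part of this PR or of Dashy's code): a small Python check over a Dockerfile's final stage that flags the three conditions raised in this thread, namely no non-root `USER`, files copied with `--chown` to the runtime user, and a port below 1024 for a non-root user. The sample Dockerfile, the `docker` user name and the finding names are constructed for illustration, and only the `KEY=value` form of `ARG`/`ENV` is parsed.

```python
import re

# Constructed sample input (not the project's Dockerfile); the COPY line matches the one under review.
SAMPLE = """\
FROM node:lts-alpine AS BUILD_IMAGE
COPY . /app
FROM node:lts-alpine
ARG USER=docker
ENV PORT=80
RUN addgroup -S ${USER} && adduser -S ${USER} -G ${USER}
USER ${USER}
COPY --from=BUILD_IMAGE --chown=${USER}:${USER} /app ./
EXPOSE ${PORT}
"""

def final_stage(text):
    """Return (INSTRUCTION, args) pairs for the last build stage only."""
    stage = []
    for line in re.sub(r"\\[ \t]*\n", " ", text).splitlines():  # join continuations
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, args = line.partition(" ")
        if instr.upper() == "FROM":
            stage = []  # a new stage starts; earlier ARG/ENV/USER no longer apply
        stage.append((instr.upper(), args.strip()))
    return stage

def audit(text):
    """Return a list of finding ids for the final stage of a Dockerfile."""
    stage, env = final_stage(text), {}
    for instr, args in stage:
        if instr in ("ARG", "ENV"):
            env.update(re.findall(r"(\w+)=(\S+)", args))
    def expand(s):  # substitute $VAR / ${VAR} from this stage's ARG and ENV values
        return re.sub(r"\$\{?(\w+)\}?", lambda m: env.get(m.group(1), m.group(0)), s)
    users = [expand(a).split(":")[0] for i, a in stage if i == "USER"]
    user = users[-1] if users else "root"
    if user in ("root", "0"):
        return ["runs-as-root"]
    findings = []
    owners = [expand(o).split(":")[0] for i, a in stage if i in ("COPY", "ADD")
              for o in re.findall(r"--chown=(\S+)", a)]
    if user in owners:  # the process could rewrite its own application files
        findings.append("runtime-user-owns-copied-files")
    exposed = [expand(a) for i, a in stage if i == "EXPOSE"]
    ports = re.findall(r"\d+", " ".join([env.get("PORT", "")] + exposed))
    if any(int(p) < 1024 for p in ports):
        findings.append("port-below-1024-as-non-root")
    return findings
```
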

@bmonty bmonty mentioned this pull request Apr 23, 2022
6 tasks
Collaborator

This PR is stale because it has been open 6 weeks with no activity. Either remove the stale label or comment below with a short update, otherwise this PR will be closed in 5 days.

@liss-bot liss-bot added the ⚰️ Stale [ISSUE] [PR] No activity for over 1 month label May 21, 2022
@Lissy93 Lissy93 added 📌 Keep Open [ISSUE][PR] Prevent auto-closing and removed ⚰️ Stale [ISSUE] [PR] No activity for over 1 month labels May 23, 2022
@Lissy93 Lissy93 mentioned this pull request Jun 23, 2022
@Lissy93 Lissy93 closed this Mar 6, 2024
@freakytoad1

> In my testing to run Dashy in my Kubernetes cluster, I can't get the app to run as a non-root user. There are two main issues:
>
>   1. Default port is 80, which is not usable by a non-root user. Easy to fix by setting the PORT variable to a higher number (8080 works).
>   2. Part of the startup process does an rmdir /app/dist. If I run the code as a non-root user, it doesn't have the permissions to do this and the startup fails. I don't have a workaround for this one.
>
> I'm not sure the changes in this PR would fix the second issue.

Did your 2nd point ever get resolved? I have this same behavior on 3.1.1 when setting runAsNonRoot @bmonty

Labels
📌 Keep Open [ISSUE][PR] Prevent auto-closing 🚫 Merge Conflicts [PR] Submitted code needs rebasing

Successfully merging this pull request may close these issues.

[BUG] Cannot run as unprivileged container
4 participants