Page MenuHomePhabricator

[keyserver] Run Docker as non-root user
ClosedPublic

Authored by ashoat on Jun 1 2022, 2:15 AM.
Tags
None
Referenced Files
F3516535: D4178.id13287.diff
Sun, Dec 22, 2:51 PM
F3515656: D4178.diff
Sun, Dec 22, 9:29 AM
Unknown Object (File)
Nov 13 2024, 4:42 AM
Unknown Object (File)
Nov 10 2024, 1:40 AM
Unknown Object (File)
Nov 9 2024, 11:40 AM
Unknown Object (File)
Nov 9 2024, 11:40 AM
Unknown Object (File)
Nov 8 2024, 8:07 AM
Unknown Object (File)
Nov 7 2024, 9:44 AM

Details

Summary

See Linear task

Depends on D4177

Test Plan

Make sure docker-compose down -v && docker-compose up --build still works

Diff Detail

Repository
rCOMM Comm
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

ashoat requested review of this revision.Jun 1 2022, 2:43 AM
atul added a subscriber: varun.

We can clean this up by creating the /home/comm/app directory as comm with the mkdir command in RUN step.

keyserver/Dockerfile
20 ↗(On Diff #13271)

Ran into a similar permissions issue when @varun was working on services/identity/Dockerfile.

What we found was that if a directory doesn't exist, WORKDIR will create it as root and the directory will be "owned" by root. This happens even if the WORKDIR step happens after the USER comm step... which we found confusing.

To get around the permissions issue, we created the directory as comm before the WORKDIR step. It ended up looking like the following:

RUN useradd -m comm
USER comm
...
RUN mkdir -p /home/comm/app/identity
WORKDIR /home/comm/app/identity

This should let us skip the --chown=comm argument for all the COPY commands.

This revision is now accepted and ready to land.Jun 1 2022, 8:19 AM

Thanks for the reference! I did read through services/identity/Dockerfile, and thought I had tried that... but it's very possible I did something wrong, as I wasn't operating on much sleep last night. Will give it another try

Yeah, confirming that doesn't work. I think the issue is that COPY is still run as root, even if you specify a USER. (Or perhaps it's just that directories created as a consequence of running COPY are created as root – not 100% sure.)

This revision was automatically updated to reflect the committed changes.