Comments (13)

bethesque commented on August 18, 2024

Ok, we've released a new version of the pact-broker docker image here: https://hub.docker.com/r/pactfoundation/pact-broker/tags

It now runs without root (and also uses alpine linux and puma instead of passenger phusion). If you'd like to give it a trial run and let me know how you go, that would be great.

from pact_broker-docker.

bethesque commented on August 18, 2024

I can't remember the full details of why it's the root user, but I think passenger needs root, from memory. Have a read of the documentation https://github.com/phusion/passenger-docker

I'll see if I can find the issue that explains why it's root.

mefellows commented on August 18, 2024

It should certainly be possible as the app user (passenger recommends it). I'm not sure why it was commented out, perhaps it's a regression/accident?

bethesque commented on August 18, 2024

Maybe the issue was that it needed root permissions for something else. I know there was something about the image that needed root. Try using app and see what happens @nateg-gladly

nateg-gladly commented on August 18, 2024

(Sorry for delayed response) OK I will give it a try in the next few weeks and report back. Thank you!

stt19 commented on August 18, 2024

My team is also very interested in using Pact Broker, but due to security concerns do not want to run the application as root, especially as we move towards getting broker on Openshift. Would it be possible to release an image that doesn't need root?

And regarding the previous comments on running as app (or any non-root user for that matter), the container exits immediately upon being run with the error:

*** Killing all processes...
Traceback (most recent call last):
  File "/sbin/my_init", line 414, in <module>
    main(args)
  File "/sbin/my_init", line 330, in main
    import_envvars(False, False)
  File "/sbin/my_init", line 88, in import_envvars
    for envfile in listdir("/etc/container_environment"):
  File "/sbin/my_init", line 72, in listdir
    return sorted(os.listdir(path))
PermissionError: [Errno 13] Permission denied: '/etc/container_environment'

I think it has to do with, as stated above, the phusion passenger base image. Even just a Dockerfile with the following contents will reproduce the same error as above when run:

FROM phusion/passenger-ruby24:1.0.0
USER app

patvong commented on August 18, 2024

@stt19 For openshift you might wanna look into this https://github.com/jaimeniswonger/pact-broker-openshift
I'm not using Openshift though and I have the same problem running as non-root (in my case I want to run on a kubernetes cluster with a security context set to run the pod as non-root). It is due to the phusion/passenger docker image that needs to run the /sbin/my_init as root.

bethesque commented on August 18, 2024

I've raised this issue here: phusion/passenger-docker#250

I think we'll have to find a non-passenger solution to run as non-root, because I have a vague memory of seeing a big long thread about how it's impossible to start passenger as a non-root user because it needs to manage certain processes. However, I can't find that issue any more.

bethesque commented on August 18, 2024

Ah! I think it's nginx. https://stackoverflow.com/questions/42329261/running-nginx-as-non-root-user

Because: Only root processes can listen to ports below 1024. A webserver typically runs at port 80 and/or 443. That means it needs to be started as root.

bethesque commented on August 18, 2024

@stt19 Running on Openshift is already supported: https://github.com/DiUS/pact_broker-docker#running-with-openshift

Can I ask you to find out from your security team how they expect images to run web servers on the default ports without root permissions? I am confused as to how this can happen. Do you run all your servers on ports above 1024?

patvong commented on August 18, 2024

@bethesque About Nginx, you can setup the configuration file to listen to port 8080 and expose 8080 on the Dockerfile.
See my commit here: patvong@a6524f3

bethesque commented on August 18, 2024

Maybe we can have a branch of the broker that runs on the different port.

YOU54F commented on August 18, 2024

With regard to @patvong's solution, you can map the exposed port of the pact broker in the docker-compose file to port 80 externally

https://github.com/YOU54F/passenger-run-as-app/blob/41e7c232634f291b88236a66fa2a1a661ba9bf8e/docker-compose.yml#L9

or map the port when you run via docker run

https://github.com/YOU54F/passenger-run-as-app/blob/41e7c232634f291b88236a66fa2a1a661ba9bf8e/Dockerfile#L23

Looking into the issue as to why we can't run as a non-root user, it appears to be with phusion-baseimage, which passenger-docker is built upon, and the /sbin/my_init script that is called.

phusion/baseimage-docker#264 (comment)

They mention two things to get this to work:

CMD ["/sbin/my_init","--","setuser","app","bash"]

Change perms on /etc/container_environment
https://github.com/phusion/baseimage-docker#security

# Make these world readable https://github.com/phusion/baseimage-docker#security
RUN chmod 755 /etc/container_environment
RUN chmod 644 /etc/container_environment.sh /etc/container_environment.json

A working example taken from @bethesque's example app, replicating the issue.
https://github.com/YOU54F/passenger-run-as-app/pull/1/files

Running as a non-root user means you lose cron / syslog / logrotate

Here is another issue with running as non-root on the Heroku platform:

phusion/baseimage-docker#475

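As an added example (not code from the pact_broker-docker project or from any of the commenters above), here is a small POSIX shell lint that checks a Dockerfile for the points raised in this thread: the effective runtime user (an explicit USER instruction, or the user passed to setuser in a my_init CMD as described in the previous comment), any EXPOSEd port below 1024 (the root requirement bethesque identified), and whether the chmod lines for /etc/container_environment are present. The function names and both sample Dockerfiles are constructed for this example; the second sample combines the setuser CMD and chmod lines quoted above with a port above 1024, as patvong suggested, and is not a tested pact broker image.

```shell
#!/bin/sh
# Added example, not code from the pact_broker-docker project. A Dockerfile
# lint for the three points this thread turns on:
#   1. the effective runtime user (last USER, or the user named after
#      "setuser" in a my_init CMD/ENTRYPOINT, otherwise root),
#   2. any EXPOSEd port below 1024 (binding those needs root or
#      CAP_NET_BIND_SERVICE, which is why the default image keeps root),
#   3. the baseimage-docker chmod fix that lets a non-root process read
#      /etc/container_environment.
# The two sample Dockerfiles further down are constructed for this example.

# Effective user: the last USER instruction wins; with no USER, look for the
# my_init pattern CMD ["/sbin/my_init","--","setuser","<user>",...].
dockerfile_user() {
  user=$(grep -Ei '^[[:space:]]*USER[[:space:]]+' "$1" | tail -n 1 \
         | awk '{print $2}' | cut -d: -f1)
  if [ -z "$user" ]; then
    user=$(grep -Ei '^[[:space:]]*(CMD|ENTRYPOINT)[[:space:]]' "$1" | tail -n 1 \
           | sed -n 's/.*"setuser"[[:space:]]*,[[:space:]]*"\([^"]*\)".*/\1/p')
  fi
  printf '%s\n' "${user:-root}"
}

# Every EXPOSEd port below 1024, one per line ("443/tcp" suffixes stripped).
dockerfile_privileged_ports() {
  grep -Ei '^[[:space:]]*EXPOSE[[:space:]]+' "$1" \
    | awk '{for (i = 2; i <= NF; i++) print $i}' \
    | sed 's#/.*##' | awk '$1 + 0 < 1024'
}

# 0 when the baseimage-docker permission fix for the environment dir is present.
dockerfile_env_perms_fixed() {
  grep -Eq '^[[:space:]]*RUN[[:space:]]+chmod[[:space:]]+755[[:space:]]+/etc/container_environment([[:space:]]|$)' "$1"
}

# Overall verdict: 0 when the container runs as a non-root user and exposes
# no privileged port, 1 otherwise.
dockerfile_nonroot_ok() {
  u=$(dockerfile_user "$1")
  [ "$u" != "root" ] && [ "$u" != "0" ] || return 1
  [ -z "$(dockerfile_privileged_ports "$1")" ] || return 1
}

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# Constructed sample 1: the default shape, root user and the web ports.
cat > "$TMP/Dockerfile.root" <<'EOF'
FROM phusion/passenger-ruby24:1.0.0
EXPOSE 80 443/tcp
CMD ["/sbin/my_init"]
EOF

# Constructed sample 2: the two changes from the baseimage-docker thread plus
# a port above 1024; my_init still starts as root and drops to "app" via setuser.
cat > "$TMP/Dockerfile.app" <<'EOF'
FROM phusion/passenger-ruby24:1.0.0
# Make these world readable https://github.com/phusion/baseimage-docker#security
RUN chmod 755 /etc/container_environment
RUN chmod 644 /etc/container_environment.sh /etc/container_environment.json
EXPOSE 8080
CMD ["/sbin/my_init","--","setuser","app","bash"]
EOF

# Stand-alone run: one verdict line per sample.
for f in "$TMP/Dockerfile.root" "$TMP/Dockerfile.app"; do
  if dockerfile_nonroot_ok "$f"; then verdict=OK; else verdict=FAIL; fi
  if dockerfile_env_perms_fixed "$f"; then perms=present; else perms=missing; fi
  printf '%s: %s (user=%s, privileged ports: %s, env perms fix: %s)\n' \
    "$(basename "$f")" "$verdict" "$(dockerfile_user "$f")" \
    "$(dockerfile_privileged_ports "$f" | tr '\n' ' ')" "$perms"
done
```

Run it as-is for one verdict line per sample, or point the functions at a real Dockerfile. The privileged-port check is the part that decides whether a non-root runtime is possible at all: a process without root (or CAP_NET_BIND_SERVICE) cannot bind 80 or 443, so either the server listens above 1024 and the port is mapped at run time, as the comments above describe, or the image has to keep root. The lint reads a single Dockerfile and does not follow base images, so a USER set in the parent image is not seen, and a USER placed before a my_init CMD is reported as non-root even though, as stt19's traceback shows, my_init itself will then fail to start.
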
