Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Don't run docker containers as root #400

Open
wants to merge 81 commits into
base: main
Choose a base branch
from

Conversation

jeremyestein
Copy link
Contributor

@jeremyestein jeremyestein commented May 8, 2024

Fixes #234. Waiting for testing on GAE before merging.

Note the addition of two new variables PIXL_USER_UID and PIXL_USER_GID

Firstly merge all the Dockerfiles for images that we control (imaging, export, hasher) to make this process easier.

Run all our python containers as the user/group pixl, which we create as part of the build process, using the UID/GID as specified in the config.

Export API mounts export dir read-only as it doesn't need to write any more.

Document how the host must be set up for this to work.

Do same for orthanc images.

Copy link

codecov bot commented May 8, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 85.15%. Comparing base (137badd) to head (75af526).

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #400      +/-   ##
==========================================
- Coverage   87.31%   85.15%   -2.17%     
==========================================
  Files          76       72       -4     
  Lines        3438     3159     -279     
==========================================
- Hits         3002     2690     -312     
- Misses        436      469      +33     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

the correct env files in. No need to do it here as well, and it was
failing due to lack of build args.
…n set file

permissions correctly for the export directory, which is needed so that
it can be deleted from inside the container.
sense to delete stuff afterwards from the host side rather than the
container side.
@stefpiatek
Copy link
Contributor

Had to run using docker group GID because all mounts will preserve the group that wrote them.

Added as a secondary group and as its just a file permission I think that'd be fine.

Example of permission error for a directory:

pixl_dev-orthanc-anon-1  | E0614 14:32:09.175160             MAIN main.cpp:2123] Uncaught exception, stopping now: [boost::filesystem::directory_iterator::construct: Permission denied: "/run/secrets"]

README.md Outdated Show resolved Hide resolved
docker/hasher-api/Dockerfile Outdated Show resolved Hide resolved
stefpiatek and others added 7 commits July 18, 2024 11:23
Co-authored-by: Milan Malfait <m.malfait@ucl.ac.uk>
# Conflicts:
#	.github/workflows/main.yml
#	docker/hasher-api/Dockerfile
#	docker/imaging-api/Dockerfile
#	docker/orthanc-anon/Dockerfile
#	docker/orthanc/Dockerfile
#	docker/pixl-python/Dockerfile
#	pixl_imaging/tests/docker-compose.yml
#	test/conftest.py
# Conflicts:
#	.github/workflows/main.yml
#	docker/hasher-api/Dockerfile
#	docker/imaging-api/Dockerfile
#	docker/orthanc-anon/Dockerfile
#	docker/orthanc/Dockerfile
#	docker/pixl-python/Dockerfile
#	pixl_imaging/tests/docker-compose.yml
#	test/conftest.py
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Do not run containers as root and do not create root owned files
5 participants