Unroot docker examples and fix stdout permissions in container #11523
Conversation
Thanks for the contribution, do you mind updating any stale docs? Thanks!
/wait
9cd3fcf to c0f3b58
@junr03 I have updated the relevant docs - not sure if there are others - but these seem to be the ones that directly referenced the port. I have again committed separately - but will happily squash.
Also, I'm wondering if I should add a doc about the
Yes, please. /wait
c0f3b58 to c0d98a6
Documentation added.
c0d98a6 to 1b1bee7
1b1bee7 to d5ae3f3
Looks good, just a question: @phlax, do you want to tackle the access issue to
Signed-off-by: Ryan Northey <ryan@synca.io>
d5ae3f3 to ee2d267
@dio I added a fix for permissions on I also added it for I have tested the built image with the I wasn't entirely clear where the
Yes, you're right.
Thanks, LGTM. Just an ask to add a comment on the decision of making the envoy user own stdout and stderr (probably since it is a common use case when we have access logging) and a tiny nit to make sure the doc is rendered as intended.
docs/root/start/start.rst (Outdated)
By default the Docker image will run as the `envoy` user created at build time.

The `uid` and `gid` of this user can be set at runtime using the `ENVOY_UID` and `ENVOY_GID`
environment variables. This can be done, for example, on the Docker command line:

    $ docker run -d --name envoy -e ENVOY_UID=777 -e ENVOY_GID=777 -p 9901:9901 -p 10000:10000 envoy:v1

This can be useful if you wish to restrict or provide access to `unix` sockets inside the container, or
for controlling access to an `envoy` socket from outside of the container.

If you wish to run the container as the `root` user you can set `ENVOY_UID` to `0`.
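Review bot: the last paragraph documents how to get root back (`ENVOY_UID` set to `0`) without stating the trade-off, so a reader skimming for "permission denied" fixes will reach for it first. Suggest one sentence after it along the lines of "This gives up the non-root default; prefer setting `ENVOY_UID`/`ENVOY_GID` to the ids that own the socket or file you need to reach", which ties the escape hatch back to the `unix` socket use case the paragraph above already gives.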
updated
ee2d267 to 6d80371
Thanks!
Nice!
Commit Message: Update examples to use non-well known ports and not the root user
Additional Description:
I have updated 80 -> 8000 for any ports I could see that were exposed by an envoy container. I left one example (load-reporting-service) using port 80 and instead added the ENVOY_UID env var. Some docs (eg docs/root/start/sandboxes) that have port 80 coded in relation to these examples have been updated. Also adds fix for envoy permissions on /dev/stdout and /dev/stderr.
Risk Level: Low
Testing: Manual testing
Docs Changes: uid/gid of container user
Release Notes: N/A
Fix #11506
Fix #11551
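The commit message and the start.rst snippet above describe two pieces of the same mechanism: honouring `ENVOY_UID`/`ENVOY_GID` at run time and giving the `envoy` user ownership of `/dev/stdout` and `/dev/stderr`. The script below is an added illustration of how an entrypoint can do that safely; it is not Envoy's own docker-entrypoint.sh, and the `su-exec` helper, the `RUN_ENTRYPOINT` guard and the `envoy` user/group are assumptions.

```shell
#!/bin/sh
# Added illustration of the entrypoint logic described in this PR; it is not
# Envoy's own docker-entrypoint.sh. The image creates an `envoy` user at build
# time; at run time ENVOY_UID/ENVOY_GID adjust that user, /dev/stdout and
# /dev/stderr are handed to it (the container's log descriptors are normally
# root-owned, so a non-root envoy writing access logs to them would get EACCES),
# and privileges drop before envoy starts. Assumed: `envoy` user/group, su-exec.

# Accept only unsigned decimal ids; rejects "", "abc", "-1" and "1 2".
is_numeric_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Reduce the two env values to a plan: "root", "switch UID GID" or "invalid".
# An unset value is shown as "-" and means: keep the build-time id.
plan_runtime_user() {
    uid="${1:--}"; gid="${2:--}"
    for id in "$uid" "$gid"; do
        [ "$id" = "-" ] || is_numeric_id "$id" || { echo invalid; return 1; }
    done
    if [ "$uid" = "0" ]; then echo root; return 0; fi  # explicit opt-in to root
    echo "switch $uid $gid"
}

# Print the privileged steps for a plan, one per line, so they can be reviewed
# and tested without root. A real entrypoint appends "$@" to the final exec.
entrypoint_steps() {
    plan=$(plan_runtime_user "$1" "$2") || return 1
    case "$plan" in
        root) echo "exec envoy" ;;  # root can already write the log descriptors
        switch*)
            set -- $plan            # $2 = uid, $3 = gid
            if [ "$2" != "-" ]; then echo "usermod -u $2 envoy"; fi
            if [ "$3" != "-" ]; then echo "groupmod -g $3 envoy"; fi
            echo "chown envoy:envoy /dev/stdout /dev/stderr"
            echo "exec su-exec envoy envoy"
            ;;
    esac
}

# As the image ENTRYPOINT, evaluate the steps in this shell so the final exec
# replaces the entrypoint process. Guarded so sourcing the file has no effect.
if [ "${RUN_ENTRYPOINT:-0}" = "1" ]; then
    steps=$(entrypoint_steps "$ENVOY_UID" "$ENVOY_GID") || { echo "bad ENVOY_UID/ENVOY_GID" >&2; exit 1; }
    eval "$steps"
fi
```

Rejecting non-numeric ids before they reach `usermod` matters because those values come from the container runtime's environment, which is operator-controlled but often templated.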