consul-template container runs as root - breaks CISO compliance #1321
Comments
goffinf
changed the title
|
Hey @goffinf, thanks for raising this issue. Just to be sure I understand correctly... it is that the entrypoint script is run as root that is the issue? If that is correct, it seems like setting the USER in the Dockerfile would resolve this issue. Does that sound right to you? |
|
Hey John, Thanks for picking this up. Yes, as you can see from the process output above, consul-template itself runs as the consul-template user (UID=1000) within the container (and uses dumb-init to enable reaping of zombie sub-processes) but the container itself runs as root. The container is launched via the entry point script. The consul-template user is created within the Dcokerfile and the entrypoint script ensure that user is used via gosu I’m pretty sure I tried using a securityContext in the K8s manifest to run the container as UID 1000 but then consul-template itself errors on launch (I’ll do that again today and post the config and it’s output). So it may not be as straightforward as setting the USER directive ? Regards Fraser. |
|
Hey @goffinf, sorry for the delay. Got sidetracked by other priorities for a time. After playing around with this it looks like the error you get is simply due to the use of By adding a USER directive and removing the gosu it runs fine. The one issue about changing everything to run as the consul-template user is that it currently utilizes the root privs to chown the directories in the exported Volume in case the mount point has bad privs. IMO this is a bad practice anyways. I'm going to make the change and list that as a possible breaking change. |
Set USER directrive in the Dockerfile to the consul-template user created to run consul-template. Made this change as some organizations security policies require it. The only reason it wasn't done this way before was to run a chown on the (possibly) bind mounted directories and this is a bad practice anyways (who knows who the user matches on the external system). Only change the alpine image this way as the other 2 (scratch and light) purposely do as little as possible so they don't even create the user. Fixes #1321
Set USER directrive in the Dockerfile to the consul-template user created to run consul-template. Made this change as some organizations security policies require it. The only reason it wasn't done this way before was to run a chown on the (possibly) bind mounted directories and this is a bad practice anyways (who knows who the user matches on the external system). Only change the alpine image this way as the other 2 (scratch and light) purposely do as little as possible so they don't even create the user. Fixes #1321
Set USER directrive in the Dockerfile to the consul-template user created to run consul-template. Made this change as some organizations security policies require it. The only reason it wasn't done this way before was to run a chown on the (possibly) bind mounted directories and this is a bad practice anyways (who knows who the user matches on the external system). Only change the alpine image this way as the other 2 (scratch and light) purposely do as little as possible so they don't even create the user. Fixes #1321
Set USER directrive in the Dockerfile to the consul-template user created to run consul-template. Also make the UID/GID used for the consul-template user and group explicit and overrideable. The values used, if not overridden, are the same as the default values adduser and addgroup would have used (so no change to actual values). Made this change as some organizations security policies require it. The only reason it wasn't done this way before was to run a chown on the (possibly) bind mounted directories and this is a bad practice anyways (who knows who the user matches on the external system). Only change the alpine image this way as the other 2 (scratch and light) purposely do as little as possible so they don't even create the user. Fixes #1321
Set USER directrive in the Dockerfile to the consul-template user created to run consul-template. Also make the UID/GID used for the consul-template user and group explicit and overrideable. The values used, if not overridden, are the same as the default values adduser and addgroup would have used (so no change to actual values). Made this change as some organizations security policies require it. The only reason it wasn't done this way before was to run a chown on the (possibly) bind mounted directories and this is a bad practice anyways (who knows who the user matches on the external system). Only change the alpine image this way as the other 2 (scratch and light) purposely do as little as possible so they don't even create the user. Fixes #1321
Set USER directrive in the Dockerfile to the consul-template user created to run consul-template. Also make the UID/GID used for the consul-template user and group explicit and overrideable. The values used, if not overridden, are the same as the default values adduser and addgroup would have used (so no change to actual values). Made this change as some organizations security policies require it. The only reason it wasn't done this way before was to run a chown on the (possibly) bind mounted directories and this is a bad practice anyways (who knows who the user matches on the external system). Only change the alpine image this way as the other 2 (scratch and light) purposely do as little as possible so they don't even create the user. Fixes #1321
Set USER directrive in the Dockerfile to the consul-template user created to run consul-template. Also make the UID/GID used for the consul-template user and group explicit and overrideable. The values used, if not overridden, are the same as the default values adduser and addgroup would have used (so no change to actual values). Made this change as some organizations security policies require it. The only reason it wasn't done this way before was to run a chown on the (possibly) bind mounted directories and this is a bad practice anyways (who knows who the user matches on the external system). Only change the alpine image this way as the other 2 (scratch and light) purposely do as little as possible so they don't even create the user. Fixes #1321
Set USER directrive in the Dockerfile to the consul-template user created to run consul-template. Also make the UID/GID used for the consul-template user and group explicit and overrideable. The values used, if not overridden, are the same as the default values adduser and addgroup would have used (so no change to actual values). Made this change as some organizations security policies require it. The only reason it wasn't done this way before was to run a chown on the (possibly) bind mounted directories and this is a bad practice anyways (who knows who the user matches on the external system). Only change the alpine image this way as the other 2 (scratch and light) purposely do as little as possible so they don't even create the user. Fixes #1321
Version: hashicorp/consul-template:0.23.0-alpine
Whilst the consul-template process within the container runs as a non-root user the container itself runs as root.
For us (a large financial services company) running containers with the root user is explicitly dis-allowed by our CISO as a mandatory control and enforced both by image and run-time assurance policies (i.e launch of the container is blocked) Running containers as non-root is also widely recognised as a recommended security best practice.
We run consul-template containers within Kubernetes which also applies a restricted Pod Security Policy which specifically prevents containers running as root (this is also common practice)
We have asked Hashicorp support to remediate this issue, however, they have stated that consul-template is a community project and changes are only supported by issues raised in this repo.
The text was updated successfully, but these errors were encountered: