support non-root containers #615
Conversation
Modify containers that fail to run as non-root.
Please add a changelog entry for this. Would you also be able to start a PR to get the Helm chart updated? |
Signed-off-by: Pierre Tessier <pierre@pierretessier.com>
I merged in from main, adding the new fraud detection service. Duplicated the same pattern from the ad service to set proper permissions on the Java agent file. |
Please set a changelog entry. This works great! 👍
* support non-root containers

Modify containers that fail to run as non-root.

* support non-root containers

Signed-off-by: Pierre Tessier <pierre@pierretessier.com>

* update changelog

Signed-off-by: Pierre Tessier <pierre@pierretessier.com>

Co-authored-by: Pierre Tessier <pierre@pierretessier.com>
Co-authored-by: Juliano Costa <julianocosta89@outlook.com>
Ensure/enable containers to run as non-root

Many of the demo containers currently run as root by default. We should support running the containers under non-root UIDs to align with security best practices and support running the demo app in restrictive environments (e.g. OpenShift).

There are two steps to reach the goal:

1. Enable containers to run as a non-root user.
   Make sure the containers can execute as non-root. Some of the containers that now launch under root are happy to run as non-root as well. There are, however, a couple of containers (emailservice, adservice, frontend-proxy, postgres) which fail to run under a non-root user and need to be fixed.
2. Ensure the containers run as non-root by default.
   This step actually applies a non-root UID to all container deployments. This can either be done at launch time by setting the user/UID in Compose/Helm, or it can be left up to the orchestrator (e.g. OpenShift UIDs). Some containers must run under a specific UID defined in `/etc/passwd` (e.g. envoy, postgres, apache).

This PR implements the first step by fixing the services that fail to run under non-root:
- `opentelemetry-javaagent.jar` file permissions. Can run as any non-root UID.
- `Gemfile.lock` + Dockerfile cleanup. Can run as any non-root UID.
- `envoy` user.
- `www-data` user + Dockerfile Apache envvar substitution and cleanup.
- `postgres` user in Compose, no image modification.
- `redis` user in Compose, no image modification.

Services with their default users (after the PR changes) and working non-root alternatives:

| Default user | Working non-root alternative |
|---|---|
| root | envoy (101) |
| root | www-data (33) |
| root | postgres (999) |
| root | redis (999) |

`anyuid` means any non-root UID. `anyuid` containers were tested with user `nobody`, uid/gid 65534.

Test commands:

Print container UIDs:

Assign the `nobody` user to the root-by-default containers in `docker-compose.yml` and test-run:

TODO: Helm chart mods including a default non-root UID option
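As an added example (not the PR author's test commands, which are not reproduced on this page), the following POSIX shell helpers audit which Compose services still run as root and check whether a named user such as `envoy` resolves through a container's `/etc/passwd`. It assumes a running `docker compose` stack of the demo and the standard `id` output format; the parsing functions take constructed sample input so they can be exercised without Docker.

```shell
#!/bin/sh
# Added example, not part of the PR: audit effective UIDs of Compose services.

# Input lines: "<service> uid=<n>(<name>) gid=<m>(<name>) ..." (output of `id`
# prefixed with the service name). Prints the services whose effective UID is 0.
report_root_services() {
  awk '$2 ~ /^uid=0[(]/ { print $1 }'
}

# Input: a container's /etc/passwd on stdin. Prints the UID of the named user
# and exits 0 when it exists, exits 1 otherwise. Images such as envoy or
# postgres need their runtime UID to resolve to an entry here.
passwd_uid() {
  name="$1"
  awk -F: -v n="$name" '$1 == n { print $3; found = 1 } END { if (found) exit 0; exit 1 }'
}

# Collects "<service> <id output>" lines from every running service.
# Requires Docker and a running stack; not invoked by the offline sample below.
collect_ids() {
  for svc in $(docker compose ps --services); do
    printf '%s %s\n' "$svc" \
      "$(docker compose exec -T "$svc" id 2>/dev/null || echo 'uid=?(unknown)')"
  done
}

# Live usage:  collect_ids | report_root_services

# Constructed sample input, mirroring the table in the PR description.
sample_ids='frontend-proxy uid=0(root) gid=0(root) groups=0(root)
postgres uid=0(root) gid=0(root) groups=0(root)
adservice uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)'

# Constructed /etc/passwd excerpt for an envoy-based image.
sample_passwd='root:x:0:0:root:/root:/bin/sh
envoy:x:101:101::/home/envoy:/sbin/nologin'

printf '%s\n' "$sample_ids" | report_root_services
printf '%s\n' "$sample_passwd" | passwd_uid envoy
```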
Merge Requirements

For new feature contributions please make sure you have completed the following essential items:

- `CHANGELOG.md` updated to document new feature additions

Maintainers will not merge until the above have been completed. If you're unsure which docs need to be changed ping the @open-telemetry/demo-approvers.