Implement dockerPermissionStrategy #1190
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
eed3si9n
force-pushed
the
wip/openshift-compat
branch
2 times, most recently
from
d8d8009 to
d3e7c6b
Compare
|
Thanks for the pull request @eed3si9n . I'll take a deeper look when I have some time. Hopefully this week. |
Fixes sbt#1189 This implements a non-root Docker container that's safer by default and compatible with Red Hat OpenShift. Current `ADD --chown=daemon:daemon opt /opt` nominally implements non-root image, but by giving ownership of the working directory to the `daemon` user, it reduces the safety. Instead we should use `chmod` to default to read-only access unless the build user opts into writable working directory. The challenge is calling `chmod` without incurring the fs layer overhead (sbt#883). [Multi-stage builds](https://docs.docker.com/develop/develop-images/multistage-build/) can be used to pre-stage the files with desired file permissions. This adds new `dockerPermissionStrategy` setting which decides how file permissions are set for the working directory inside the Docker image generated by sbt-native-packager. The strategies are: - `DockerPermissionStrategy.MultiStage` (default): uses multi-stage Docker build to call chmod ahead of time. - `DockerPermissionStrategy.None`: does not attempt to change the file permissions, and use the host machine's file mode bits. - `DockerPermissionStrategy.Run`: calls `RUN` in the Dockerfile. This has regression on the resulting Docker image file size. - `DockerPermissionStrategy.CopyChown`: calls `COPY --chown` in the Dockerfile. Provided as a backward compatibility. For `MultiStage` and `Run` strategies, `dockerChmodType` is used in addition to call `chmod` during Docker build. - `DockerChmodType.UserGroupReadExecute` (default): chmod -R u=rX,g=rX - `DockerChmodType.UserGroupWriteExecute`: chmod -R u=rwX,g=rwX - `DockerChmodType.SyncGroupToUser`: chmod -R g=u - `DockerChmodType.Custom`: Custom argument provided by the user. Some application will require writing files to the working directory. In that case the setting should be changed as follows: ```scala import com.typesafe.sbt.packager.docker.DockerChmodType dockerChmodType := DockerChmodType.UserGroupWriteExecute ``` During `docker:stage`, Docker package validation is called to check if the selected strategy is compatible with the deteted Docker version. This fixes the current repeatability issue reported as sbt#1187. If the incompatibility is detected, the user is advised to either upgrade their Docker, pick another strategy, or override the `dockerVersion` setting. `daemonGroup` is set to `root` instead of copying the value from the `daemonUser` setting. This matches the semantics of `USER` as well as OpenShift, which uses gid=0.
eed3si9n
force-pushed
the
wip/openshift-compat
branch
from
914c277 to
12b5fcb
Compare
|
Cool. Let me squash the intermediate commits with failing tests. |
muuki88
requested changes
Jan 23, 2019
There was a problem hiding this comment.
Awesome PR @eed3si9n . I really like the approach 😍
Only minor comments. Could you also add the the setting to the docker.rst documentation.
muuki88
approved these changes
Jan 24, 2019
|
I always use the Squash and merge button from github 😁 |
|
Documentation in the |
eed3si9n
added a commit
to eed3si9n/sbt-native-packager
that referenced
this pull request
Jan 24, 2019
muuki88
pushed a commit
that referenced
this pull request
Jan 24, 2019
|
Hi, could anyone explain, how to make non-entrypoint executables executable? here's an example of the I tried different combinations of permission strategies and chmodtypes to no avail. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #1189
This implements a non-root Docker container that's safer by default and compatible with Red Hat OpenShift.
Current
ADD --chown=daemon:daemon opt /optandUSER daemoncombination nominally implements non-root image, but by giving ownership of the working directory to thedaemonuser, it reduces the safety.Instead we should use
chmodto default to read-only access unless the build user opts into writable working directory.The challenge is calling
chmodwithout incurring the fs layer overhead (#883).Multi-stage builds can be used to pre-stage the files with desired file permissions.
This adds new
dockerPermissionStrategysetting which decides how file permissions are set for the working directory inside the Docker image generated by sbt-native-packager. The strategies are:DockerPermissionStrategy.MultiStage(default): uses multi-stage Docker build to call chmod ahead of time.DockerPermissionStrategy.None: does not attempt to change the file permissions, and use the host machine's file mode bits.DockerPermissionStrategy.Run: callsRUNin the Dockerfile. This has regression on the resulting Docker image file size.DockerPermissionStrategy.CopyChown: callsCOPY --chownin the Dockerfile. Provided as a backward compatibility.Working directory is read-only by default
For
MultiStageandRunstrategies,dockerChmodTypeis used in addition to callchmodduring Docker build.DockerChmodType.UserGroupReadExecute(default): chmod -R u=rX,g=rXDockerChmodType.UserGroupWriteExecute: chmod -R u=rwX,g=rwXDockerChmodType.SyncGroupToUser: chmod -R g=uDockerChmodType.Custom: Custom argument provided by the user.How to opt-in to writable working directory
Some application will require writing files to the working directory.
In that case the setting should be changed as follows:
Docker package validation
During
docker:stage, Docker package validation is called to check if the selected strategy is compatible with the detected Docker version.This fixes the current repeatability issue reported as #1187. If the incompatibility is detected, the user is advised to either upgrade their Docker, pick another strategy, or override the
dockerVersionsetting.Use gid=0
daemonGroupis set torootinstead of copying the value from thedaemonUsersetting.This matches the semantics of
USERas well as OpenShift, which uses gid=0.