
feat: Use non-root default user for Docker image #2243

Merged
merged 6 commits into main from feat/make-docker-image-non-root-by-default
Jul 5, 2023

Conversation

matthewfeickert
Member

@matthewfeickert matthewfeickert commented Jul 5, 2023

Description

For security reasons and to avoid the case where a user will bind mount the image and then find that they have root-owned files on their machine, use a non-root default user "moby" for the Docker images that owns the Python virtual environment. "moby" has a uid of 1000, as this should ensure that any files created in the container while bind mounted are owned by the user regardless of OS.

$ docker run --rm -ti --entrypoint /bin/bash -v $PWD:/home/moby/work pyhf/pyhf:debug-local
moby@a470af96916a:~/work$ echo "hi" > here.txt
moby@a470af96916a:~/work$ exit
exit
$ ls -l here.txt 
-rw-r--r-- 1 feickert feickert 3 Jul  5 11:50 here.txt

Checklist Before Requesting Reviewer

  • Tests are passing
  • "WIP" removed from the title of the pull request
  • Selected an Assignee for the PR to be responsible for the log summary

Before Merging

For the PR Assignees:

  • Summarize commit messages into a comprehensive review of the PR
* Add non-root default user 'moby' with uid 1000 that owns the Python virtual environment.
   - Set default working directory to /home/moby/work/.
* Add .dockerignore for local builds.
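The pattern the PR describes, written out as an added illustrative Dockerfile (this is not pyhf's own Dockerfile): create a fixed-uid user, hand it ownership of the virtual environment and the working directory, then switch to it before the image is ever used. The base image tag and the venv path `/usr/local/venv` are assumptions; only the user name, uid 1000 and the `/home/moby/work` working directory come from the PR.

```dockerfile
# Added example, not the project's Dockerfile.
# Assumed: Debian-based Python base image and a venv at /usr/local/venv.
FROM python:3.11-slim-bookworm

# Build the venv as root so build tooling can populate it.
RUN python -m venv /usr/local/venv \
    && /usr/local/venv/bin/python -m pip install --no-cache-dir --upgrade pip

# Fixed uid/gid 1000: the first interactive user on most desktop Linux
# installs, so files written into a bind mount come out owned by the host
# user instead of root. Docker Desktop on macOS/Windows maps uids for you.
ARG USERNAME=moby
ARG USER_UID=1000
ARG USER_GID=1000
RUN groupadd --gid "${USER_GID}" "${USERNAME}" \
    && useradd --uid "${USER_UID}" --gid "${USER_GID}" \
               --create-home --shell /bin/bash "${USERNAME}" \
    # Create the work dir explicitly so it is not left root-owned by WORKDIR.
    && mkdir -p "/home/${USERNAME}/work" \
    && chown -R "${USERNAME}:${USERNAME}" "/home/${USERNAME}" /usr/local/venv

# Switch user last: everything below, and every RUN at container start,
# executes as moby, so runtime pip installs into the venv need no root.
USER ${USERNAME}
ENV PATH="/usr/local/venv/bin:${PATH}"
WORKDIR /home/${USERNAME}/work
```

If the host account does not have uid 1000, the same result is obtained at run time with `docker run --user "$(id -u):$(id -g)" ...`, which overrides the image default. The `ls -l` check shown in the PR description is the quickest way to confirm the bind-mounted files are owned by the invoking user.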

@matthewfeickert matthewfeickert added feat/enhancement New feature or request Docker Involving Docker images or builds need-to-backport tmp label until can be backported to patch release branch labels Jul 5, 2023
@matthewfeickert matthewfeickert self-assigned this Jul 5, 2023
@codecov

codecov bot commented Jul 5, 2023

Codecov Report

Patch and project coverage have no change.

Comparison is base (b654be9) 98.30% compared to head (c0dc3ba) 98.30%.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #2243   +/-   ##
=======================================
  Coverage   98.30%   98.30%           
=======================================
  Files          69       69           
  Lines        4534     4534           
  Branches      802      802           
=======================================
  Hits         4457     4457           
  Misses         45       45           
  Partials       32       32           
Flag Coverage Δ
contrib 97.88% <ø> (ø)
doctest 61.09% <ø> (ø)
unittests-3.10 96.31% <ø> (ø)
unittests-3.11 96.31% <ø> (ø)
unittests-3.8 96.33% <ø> (ø)
unittests-3.9 96.36% <ø> (ø)


@matthewfeickert matthewfeickert merged commit a28d1a3 into main Jul 5, 2023
@matthewfeickert matthewfeickert deleted the feat/make-docker-image-non-root-by-default branch July 5, 2023 17:00
@matthewfeickert matthewfeickert removed the need-to-backport tmp label until can be backported to patch release branch label Aug 16, 2023
matthewfeickert added a commit that referenced this pull request Aug 16, 2023
* Backport PR #2243
* Add non-root default user 'moby' with uid 1000 that owns the Python virtual environment.
   - Set default working directory to /home/moby/work/.
* Add .dockerignore for local builds.