
Update to run as dspace user #1126

Open: OyvindLGjesdal wants to merge 1 commit into clarin-v7 from update-to-run-as-dspace-user
Conversation

@OyvindLGjesdal OyvindLGjesdal commented Oct 9, 2024

The current dockerfile for dspace-backend runs the backend as root. The user instruction is not transferred to the last stage, after copying to FROM tomcat:9-jdk${JDK_VERSION}.

If I log in with docker exec -it ... /bin/bash and do

ps aux | grep java

I see that the owner of the running process is currently root.

Update Dockerfile.dependencies

  • create with a specific userid, to reuse across stages
  • use the -m flag on useradd to create the home folder, instead of mkdir and chown

Update Dockerfile

  • create dspace user on last stage
  • add USER 10001 # dspace uid instruction to the last stage
  • Fix warning about inconsistent casing (as -> AS, consistent with FROM)

Updated the merge request after attending a workshop with our IT department on kubernetes deployment. We are testing a kubernetes platform https://elastisys.io/compliantkubernetes which has been set up for us.

Some additional changes and their rationale are:

This means that your Dockerfile uses a non-numeric user and Kubernetes cannot validate whether the image truly runs as non-root.

https://elastisys.io/compliantkubernetes/user-guide/safeguards/enforce-no-root/


OyvindLGjesdal commented Oct 9, 2024

The docker-compose worked fresh (if volumes weren't created), but failed to start if I had already created volumes for assetstore and logs, using a previous image.

The ownership of these needs to be changed from root to the new owner.

Should maybe also update so that cli images also run as dspace, and not root, to not break the permissions when running maintenance tasks.
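The following multi-stage Dockerfile is an added illustration of the pattern the PR description and the volume comment above are about; it is not the PR's own Dockerfile or the DSpace project's. The base image tags, the paths under /dspace and /usr/local/tomcat, the Maven build command and the UID/GID 10001 are all assumptions chosen for the example.

```dockerfile
# Added example, not the project's Dockerfile. Assumed: UID/GID 10001, paths,
# image tags and build command.
ARG JDK_VERSION=17

# ---- build stage ----
FROM maven:3-eclipse-temurin-${JDK_VERSION} AS build
# Create the build user with a fixed UID/GID; -m creates the home directory
# so no separate mkdir/chown is needed.
RUN groupadd -g 10001 dspace \
    && useradd -m -u 10001 -g 10001 -s /bin/bash dspace
USER 10001
WORKDIR /home/dspace/app
# --chown with numeric IDs keeps the source tree writable by the build user.
COPY --chown=10001:10001 . .
RUN mvn -q package -DskipTests

# ---- runtime stage ----
FROM tomcat:9-jdk${JDK_VERSION}
# A USER set in an earlier stage does not carry over; the account has to be
# recreated here with the same numeric IDs so files copied from the build
# stage keep a meaningful owner.
RUN groupadd -g 10001 dspace \
    && useradd -m -u 10001 -g 10001 -s /bin/bash dspace
COPY --chown=10001:10001 --from=build \
    /home/dspace/app/target/server.war /usr/local/tomcat/webapps/server.war
# Hand the unprivileged user the directories the application and Tomcat write to.
RUN mkdir -p /dspace/assetstore /dspace/log \
    && chown -R 10001:10001 /dspace \
       /usr/local/tomcat/logs /usr/local/tomcat/work /usr/local/tomcat/temp
# Numeric UID: a Kubernetes runAsNonRoot check cannot resolve a user name
# inside the image, so "USER dspace" would be rejected where "USER 10001" passes.
USER 10001
EXPOSE 8080
CMD ["catalina.sh", "run"]
```

Two points the page itself raises are worth checking after a rebuild: `ps -o user= -p 1` inside the container should print the numeric UID rather than root, and any volume that was populated by an earlier root-running image (assetstore, logs) must be chowned to 10001:10001 before the new container starts, otherwise the unprivileged process cannot write to it.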

@OyvindLGjesdal OyvindLGjesdal marked this pull request as draft October 9, 2024 12:46
@OyvindLGjesdal OyvindLGjesdal force-pushed the update-to-run-as-dspace-user branch 2 times, most recently from 4a845ea to 425c19d Compare October 26, 2024 10:10
@kosarko kosarko self-assigned this Nov 6, 2024

kosarko commented Nov 7, 2024

The changes look reasonable. @OyvindLGjesdal it's marked as draft, anything else you plan to add, or is that because of the needed ownership change?

@OyvindLGjesdal OyvindLGjesdal marked this pull request as ready for review November 22, 2024 08:47

OyvindLGjesdal commented Nov 22, 2024

I think the PR is ready for review. I forgot to change state and hadn't noticed the mention. Sorry!

I don't currently have a working instance running, so haven't confirmed if everything works, after the last force-push.

Updates all dockerfiles with:

* Create dspace user and group with consistent UID and GID
* Create user home
* Use numeric USER ID
* Use number ID > 10000
* Add chown using UID:GID to DOCKER COPY and ADD instructions
* Use consistent casings in Docker instructions
@OyvindLGjesdal OyvindLGjesdal force-pushed the update-to-run-as-dspace-user branch from 425c19d to 4d4adae Compare November 27, 2024 19:16
@OyvindLGjesdal

Tried to fix the failing build by adding -m to Dockerfile.dependencies
