It's good practice to run the processes inside a container as a non-root user with restricted permissions. Containers are isolated from the host operating system, but they share the host's kernel, so a process that is root inside the container is, unless the daemon remaps user namespaces, root as far as that shared kernel is concerned; a kernel bug or a container-escape vulnerability then becomes a root compromise of the host. Separately, a container process should be prevented from writing anywhere it does not need to, so that an exploited process cannot tamper with the application's own code or configuration.
The Dockerfile "USER" instruction and the "--user" flag of docker run have been available since early Docker releases; Docker 1.10 added, on top of that, user-namespace remapping at the daemon level, which maps even a container's root to an unprivileged uid on the host. This post uses the "USER" approach. To run a Docker process as a non-root user, file permissions need to be accounted for meticulously, and the adjustments belong in the Dockerfile, at build time. You need to know where in the filesystem your app writes and set ownership and permissions accordingly. Since everything in a container is considered disposable, the process shouldn't need to write to many locations once the image is built.
Here is an annotated example of a Dockerfile in which the process runs as a user with restricted permissions. It is just one way of configuring this.
Set your base image and install a minimal set of OS dependencies as normal.
FROM ubuntu:16.04
RUN apt-get update && apt-get install -y build-essential git \
python3-dev python3-venv \
libpq-dev postgresql-client && rm -rf /var/lib/apt/lists/*
Create a user and a group that the application will run as. In this example we create an "app" user and group; -r makes them system accounts, and -s /sbin/nologin means the account cannot be used for an interactive login.
RUN groupadd -r app && \
useradd -r -g app -d /home/app -s /sbin/nologin -c "Docker image user" app
Next, create a base directory (SITE_DIR in this case) owned by that app user and group, and set the WORKDIR to that base directory. This is where everything in the app will live, so everything will be owned by the app user.
ENV SITE_DIR=/site/
RUN install -g app -o app -d ${SITE_DIR}
WORKDIR $SITE_DIR
Create the subdirectories the application needs, also owned by the app user and group. List var/ explicitly: install -d creates missing parent components, but applies -o/-g ownership only to the directories you name, so an implicitly created var/ would stay root-owned.
RUN install -g app -o app -d proj/ var/ var/log/ htdocs/
The setgid bit (sometimes loosely called the group sticky bit) needs to be set on every directory under the base directory, so that new files and subdirectories created there inherit the group of their parent directory. Only the group is inherited; the owner of a new file is always the uid of the process that created it.
RUN find ${SITE_DIR} -type d -exec chmod g+s {} \;
Group write permission should be set on every file and directory in the base directory, so that any uid in the app group can write there. This is deliberately coarse; if you know the app only writes to a few places (var/log/ here), restrict group write to those instead.
RUN chmod -R g+w ${SITE_DIR}
Next, switch to the app user; subsequent RUN commands, and the ENTRYPOINT and CMD at run time, execute as that user. We create a virtualenv and install packages into it, and the installed files are owned by the app user. Two things to be aware of: COPY does not honour USER, so requirements.txt below is owned by root (pip only needs to read it; use COPY --chown=app:app, available since Docker 17.09, for files the app must write), and because useradd was run without -m, /home/app does not exist, so pip will warn that its cache directory is unavailable and disable caching, which is harmless.
USER app
RUN python3 -m venv env/
COPY requirements/base.txt requirements.txt
RUN env/bin/pip install -r requirements.txt
Then proceed with the rest of the Dockerfile install instructions as needed.
...
CMD ["./docker-utils/run.sh"]
ENTRYPOINT ["./docker-utils/entrypoint.sh"]
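As an added check (example code, not part of the original post and not the project's own), the script below verifies that a built image actually has the layout the RUN steps above are meant to produce: every path under the base directory owned by the app user and group, every directory carrying the setgid bit, and everything group-writable. It assumes only POSIX sh and find; the function name, argument order and output format are this example's own choices.

```shell
#!/bin/sh
# Added example: audit a directory tree for the permission layout the
# Dockerfile is meant to produce. Not the post's own code.
#
# audit_site_dir DIR OWNER GROUP
#   DIR    the base directory (SITE_DIR, /site/ in the Dockerfile)
#   OWNER  expected owner, name or numeric uid ("app")
#   GROUP  expected group, name or numeric gid ("app")
# Prints every offending path and returns 1 if anything is wrong,
# 0 if the tree matches the intended layout.
audit_site_dir() {
    dir=$1; owner=$2; group=$3
    status=0

    # 1. Ownership: `install -o app -g app` should have made everything
    #    app:app; COPY'd files (root-owned) and implicitly created parents
    #    show up here.
    wrong_owner=$(find "$dir" \( ! -user "$owner" -o ! -group "$group" \) -print)
    if [ -n "$wrong_owner" ]; then
        printf 'not owned by %s:%s:\n%s\n' "$owner" "$group" "$wrong_owner"
        status=1
    fi

    # 2. setgid (octal 2000) on every directory, so new files inherit the
    #    app group. This is what `find -type d -exec chmod g+s` sets.
    no_setgid=$(find "$dir" -type d ! -perm -2000 -print)
    if [ -n "$no_setgid" ]; then
        printf 'directories without setgid bit:\n%s\n' "$no_setgid"
        status=1
    fi

    # 3. Group write (octal 020) on every path, what `chmod -R g+w` sets.
    no_gw=$(find "$dir" ! -perm -020 -print)
    if [ -n "$no_gw" ]; then
        printf 'paths without group write:\n%s\n' "$no_gw"
        status=1
    fi

    return $status
}

# Usage inside the built image, for example:
#   docker run --rm <image> sh -c '. /site/audit.sh && audit_site_dir /site app app'
# or as a RUN step placed before USER, so a wrong layout fails the build.
```

Running it as a RUN step just before the USER instruction turns a silent permission mistake into a build failure, which is cheaper to debug than a write error at run time.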
When running the container with docker or docker-compose, the processes executed as ENTRYPOINT and CMD run as the user set by the USER instruction.
However, if you'd like to override the USER directive at run time, you can pass the --user flag with a different user name, or a numeric uid or uid:gid. A name only works if it exists in the image's /etc/passwd; numeric values work regardless, which is what you need when matching the ownership of a bind-mounted volume.
Examples:
To override the default user when using docker-compose:
docker-compose run --user root app /bin/bash
To override the default user when using Docker:
docker run --user root -it 47b03692214d /bin/bash
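Because --user silently replaces the USER the image was built for, it is worth having the entrypoint check what it is actually running as before it starts the application. The following is an added example, not the post's docker-utils/entrypoint.sh (whose contents the post does not show): it refuses root unless explicitly allowed, and refuses any uid that is not a member of the group owning SITE_DIR, since the group-write layout above is the only thing that lets a non-app uid write there. The function name, argument order, the ALLOW_ROOT variable and the messages are this example's own choices.

```shell
#!/bin/sh
# Added example: run-time guard for a container built with the Dockerfile
# above. Not the post's own entrypoint.
#
# check_runtime_user UID "GID LIST" APP_GID ALLOW_ROOT
#   UID         effective uid of the container process, i.e. $(id -u)
#   GID LIST    all gids of the process, space separated, i.e. $(id -G)
#   APP_GID     gid that owns SITE_DIR (the "app" group of the Dockerfile)
#   ALLOW_ROOT  non-empty to permit uid 0, for the `--user root` debug case
# Returns 0 when the process may proceed, 1 otherwise.
check_runtime_user() {
    uid=$1; gids=$2; app_gid=$3; allow_root=$4

    if [ "$uid" -eq 0 ]; then
        if [ -n "$allow_root" ]; then
            echo "warning: running as root because ALLOW_ROOT is set" >&2
            return 0
        fi
        echo "refusing to run as root; set ALLOW_ROOT=1 to override" >&2
        return 1
    fi

    # SITE_DIR is setgid and group-writable, so membership in the app group
    # is what decides whether this uid can write there. A bare numeric
    # --user that is not in the group would otherwise fail later, deep in
    # the application, with a confusing permission error.
    for g in $gids; do
        if [ "$g" -eq "$app_gid" ]; then
            return 0
        fi
    done
    echo "uid $uid is not in group $app_gid and cannot write to SITE_DIR" >&2
    return 1
}

# How an entrypoint would use it. SITE_DIR comes from the Dockerfile's ENV;
# `ls -ldn` prints the numeric owner and group in columns 3 and 4.
entrypoint_prelude() {
    site_dir=${SITE_DIR:-/site/}
    app_gid=$(ls -ldn "$site_dir" | awk '{print $4}')
    check_runtime_user "$(id -u)" "$(id -G)" "$app_gid" "${ALLOW_ROOT:-}" || exit 1
    exec "$@"
}

# In a real entrypoint the last line would be:
#   entrypoint_prelude "$@"
```

With this in place, docker run --user root still works for debugging when ALLOW_ROOT=1 is passed in the environment, but an accidental root override, or a --user value outside the app group, stops at the first line of the entrypoint with a message that says why.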