New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
refactor: Simplify Dockerfile
#6320
base: master
Are you sure you want to change the base?
Conversation
Everything else was to support `setcap` which should not be required to support running non-root.
Please look into the failed ci/circleci kubernetes-test. On the surface, the change appears to have rendered coredns unresponsive to dns queries, but could of course be some flaw or inadequacy with the test. |
I don't have experience with k8s.
I am familiar with the error though. I would say it's due to the non-root user binding below port 1024. This wouldn't normally be allowed on the host with CoreDNS would it? The binary isn't built/packaged with the capability enforced? It is fine for Docker due to their internal bridge networks relaxing the port restriction. My concern is from their comment in k8s by @vinayakankugoyal , where perhaps they relied on the container to bind to It would seem that you can only keep one group happy 😅
So I guess it's your choice as maintainer which one to favour. I don't have much input for k8s as I don't know how flexible that is with DNS configuration. Docker doesn't seem to allow changing the DNS port for containers with |
This needs a DCO sign-off. You can use |
I'm aware, but in light of the k8s test failure I'll wait for maintainer decision on which route the Docker image should cater to. If |
Perhaps we should roll that back. Thoughts? |
1. Why is this pull request needed and what does it do?
TL;DR:
NET_BIND_SERVICE
capability for any user to bind privileged ports isn't required with Docker unless running with--network host
?Dockerfile
and allow those who enforce droppingNET_BIND_SERVICE
to still run thecoredns
binary on unprivileged ports which is more secure of a choice to support.setcap
applying the capability with effective + permitted set is enforcing a requirement for privileges that aren't always necessary. You can still run as non-root without this.Introduced in March 2023 to support non-root feature. It seems largely unnecessary though?
setcap
mandatingNET_BIND_SERVICE
on the/coredns
binary.COPY
forca-certificates.crt
, the image basestatic-debian11:nonroot
already has that (unless theBASE
referenceARG
is changed). I assume that the base image won't be changing much due to the expectation ofUSER nonroot:nonroot
to be successful, thus value of overwriting the contents seems questionable?scratch
image was used for the final stage, it was more compatible then, but was not merged until the switch tononroot
image which added theUSER
directive.ca-certificates.crt
is also from earlier as an improvement for the final stage withscratch
of the image build. Thus no longer important.On a host network, or perhaps a different container run-time you may need to opt for the
setcap
approach? However due to the change in Docker20.10.0
(Dec 2020), non-root users can already bind to ports below 1024:Restore the sysctl restriction and the capability will have an effect when not applied:
The only reason to use the
setcap
call inDockerfile
is to make the/coredns
binary treated as a "capability-dumb binary":root
user can bypass the restriction.setcap
is only in use to bypass the non-root restriction being respected (for any user in the container to leverage, with any port).2. Which issues (if any) are related?
Last issue raised requesting non-root feature:
Reference of unexpected problems from users affected by the non-root approach (which also changed default
WORKDIR
):Earlier attempts to apply the change:
NOTE: PR #4528 at least included a comment providing better context of the capability intent, but it's not been necessary since Docker
20.10.0
(Dec 2020) which for Docker managed networks drops the<=1024
privileged ports.3. Which documentation changes (if any) need to be made?
N/A?
4. Does this introduce a backward incompatible change or deprecation?
1.10.1
Docker image expectation without mandatory capability enforced. The entirebuild
stage is not needed, it's only purpose was to applysetcap
to a pre-builtcoredns
binary.1.10.1
working directory (I could include that, should just beWORKDIR /
).USER nonroot:nonroot
directive shouldn't be necessary as that's already what the image should run with, I left it alone for the visibility.EXPOSE
likewise is not necessary and is effectively documentation.