Use a static UID and GID #245

Open
stevehipwell opened this issue Jan 7, 2021 · 8 comments

Comments

@stevehipwell

The general consensus of Docker best practices includes running as a non-root user and using a high static UID and GID (hexops/dockerfile for reference). It would be great if the Fluentd Docker image is updated to provide a static UID and GID; this shouldn't have any impact on existing use but should make using the image in systems such as Kubernetes easier and more deterministic.

This is related to issue #48 but I think it deserves its own issue to track the work.

@stevehipwell
Author

I think this is also related to #173. @repeatedly @edsiper, would you be interested in a PR to set fixed UID and GID values?

@repeatedly
Member

We moved account setup to runtime by #78 before.
This trick is now not needed, right?

@stevehipwell
Author

@repeatedly the changes in that PR around UID and GID (actually GID wasn't set) appear to have been undone, I assume because the change of UID in the entrypoint would need root access.

My preference would be to set an absolute UID and GID in the Dockerfile. This would work well with K8s and doesn't need any extra permissions at runtime.

@stevehipwell
Author

@repeatedly @edsiper the current behaviour on Alpine doesn't look correct, as the user's group doesn't seem to be set to fluent. I suspect that -g might have been used where -G should have been used?

RUN addgroup -S fluent && adduser -S -g fluent fluent \

This results in the following output.

PS ~> docker run --rm -it --entrypoint /bin/sh fluent/fluentd:v1.14
$ id
uid=100(fluent) gid=65533(nogroup) groups=65533(nogroup)

If changes are needed here it'd be great if at the same time the user uid (e.g. adduser -S -G fluent -u 1000 fluent) and group gid (e.g. addgroup -S -g 1000 fluent) could be set to absolute values?

@stevehipwell
Author

@kenhys are you in a position to comment on #245 (comment)?

@kenhys
Contributor

kenhys commented Nov 12, 2021

> the current behaviour on Alpine doesn't look correct, as the user's group doesn't seem to be set to fluent. I suspect that -g might have been used where -G should have been used?

% docker run -u root --rm -it fluent/fluentd:v1.14-1  /bin/sh
/ # id fluent
uid=100(fluent) gid=65533(nogroup) groups=65533(nogroup),65533(nogroup)
/ # adduser -S -g fluent foo
/ # id foo
uid=101(foo) gid=65533(nogroup) groups=65533(nogroup),65533(nogroup)
/ # adduser -S -G fluent bar
/ # id bar
uid=102(bar) gid=101(fluent) groups=101(fluent),101(fluent)

Surely, -G should be used in this case.

kenhys added a commit to kenhys/fluentd-docker-image that referenced this issue Nov 12, 2021
In the previous alpine image, fluent group is not set correctly.
It should use -G for it.

  % docker run -u root --rm -it fluent/fluentd:v1.14-1  /bin/sh
  / # id fluent
  uid=100(fluent) gid=65533(nogroup) groups=65533(nogroup),65533(nogroup)
  / # adduser -S -g fluent foo
  / # id foo
  uid=101(foo) gid=65533(nogroup) groups=65533(nogroup),65533(nogroup)
  / # adduser -S -G fluent bar
  / # id bar
  uid=102(bar) gid=101(fluent) groups=101(fluent),101(fluent)

Follow up fluent#245

Signed-off-by: Kentaro Hayashi <hayashi@clear-code.com>

@stevehipwell
Author

Thanks @kenhys.

kenhys added a commit that referenced this issue Nov 12, 2021

@stevehipwell
Author

@kenhys now that the GID is being set, how about making the UID & GID values absolute even if they're set to the current implicit values?
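
The check discussed in this thread, as an added example that is not part of the original issue or the project's code: a POSIX shell function that reads an image's passwd and group files and reports when the user's primary group is not the intended one (the -g/-G mix-up) or when the UID and GID differ from pinned values. The sample files are constructed from the id output above; the name check_account, the finding strings, the GECOS/home/shell fields and the 1000/1000 targets (the values suggested in the issue) are assumptions.

```shell
# Added example, not project code. Audits passwd/group data for the adduser
# -g/-G mix-up and for IDs that differ from the pinned values.
# Usage: check_account PASSWD_FILE GROUP_FILE USER WANT_GROUP WANT_UID WANT_GID
# Prints one finding per line; returns 0 only when there are none.
check_account() {
    ca_entry=$(awk -F: -v u="$3" '$1 == u { print; exit }' "$1")
    if [ -z "$ca_entry" ]; then echo "user-missing"; return 1; fi
    ca_uid=$(printf '%s\n' "$ca_entry" | cut -d: -f3)
    ca_gid=$(printf '%s\n' "$ca_entry" | cut -d: -f4)
    ca_gecos=$(printf '%s\n' "$ca_entry" | cut -d: -f5)
    # Resolve the numeric primary GID back to a group name.
    ca_group=$(awk -F: -v g="$ca_gid" '$3 == g { print $1; exit }' "$2")
    ca_rc=0
    if [ "$ca_group" != "$4" ]; then
        echo "primary-group-is:${ca_group:-unknown}"; ca_rc=1
        # BusyBox adduser -g sets GECOS, so the group name lands in field 5.
        if [ "$ca_gecos" = "$4" ]; then echo "group-name-in-gecos"; fi
    fi
    if [ "$ca_uid" != "$5" ]; then echo "uid-is:$ca_uid"; ca_rc=1; fi
    if [ "$ca_gid" != "$6" ]; then echo "gid-is:$ca_gid"; ca_rc=1; fi
    return "$ca_rc"
}

# Constructed sample data modelled on the id output in the thread; GECOS,
# home and shell fields are assumptions.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/passwd.before" <<'EOF'
fluent:x:100:65533:fluent:/home/fluent:/sbin/nologin
EOF
cat > "$SAMPLE_DIR/group.before" <<'EOF'
nogroup:x:65533:
fluent:x:101:
EOF
# Expected result of the commands proposed in the issue:
# addgroup -S -g 1000 fluent && adduser -S -G fluent -u 1000 fluent
cat > "$SAMPLE_DIR/passwd.after" <<'EOF'
fluent:x:1000:1000:Linux User,,,:/home/fluent:/sbin/nologin
EOF
cat > "$SAMPLE_DIR/group.after" <<'EOF'
nogroup:x:65533:
fluent:x:1000:fluent
EOF

for state in before after; do
    echo "== $state"
    check_account "$SAMPLE_DIR/passwd.$state" "$SAMPLE_DIR/group.$state" \
        fluent fluent 1000 1000 || echo "-> findings listed above"
done
```

To audit a real image, copy its /etc/passwd and /etc/group out to local files and pass those paths in place of the sample files.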
