
Use non-root user in docker images #85

Merged
merged 2 commits into from Mar 5, 2019

Conversation

@karlskewes (Contributor) commented Mar 5, 2019

Description

Run as non-root user and group

In the unlikely event that you are currently persisting data to disk then this
change may break file read/write access due to a change in the UID/GID that the
oauth2_proxy process runs as.

Motivation and Context

Run as non-root system user and group oauth2proxy with UID/GID 2000 to avoid clashing with typical local users.
An alternative to creating a separate user is to chown the binary and run as `USER nobody`, which also works; can amend this PR if required.

Least access privileges.
Close: #78

How Has This Been Tested?

Locally with Docker (`-version`):

```
$ ps aux | grep oauth2
2000     25192  6.0  0.0      0     0 ?        Ds   15:53   0:00 [oauth2_proxy]
```

Running in Kubernetes without securityContext:

```
$ kubectl exec -it oauth2-proxy-d4589dbdb-g4lhm sh
/ $ whoami
oauth2proxy
```

Running in Kubernetes 1.13 with the following also specified:

```
        securityContext:
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 10001
```

```
$ kubectl exec -it oauth2-proxy-85c9f58ffc-dz9lr sh
/opt $ whoami
whoami: unknown uid 10001
/opt $ ps aux
PID   USER     TIME  COMMAND
    1 10001     0:00 /opt/oauth2_proxy --whitelist-domain=.example.com --cookie-domain=example.com --email-domain=example.com --upstream=file:///dev/null --http-address=0.0.0.0:4180
   11 10001     0:00 sh
   17 10001     0:00 ps aux
```

- [x] My change requires a change to the documentation or CHANGELOG.
- [x] I have updated the documentation/CHANGELOG accordingly.
- [x] I have created a feature (non-master) branch for my PR.

@karlskewes karlskewes requested a review from a team March 5, 2019 08:36
Run as non-root user and group

In the unlikely event that you are currently persisting data to disk then this
change may break file read/write access due to a change in the UID/GID that the
oauth2_proxy process runs as.

Run as non-root system user and group `oauth2proxy` with UID/GID `2000` to avoid clashing with typical local users.
An alternative to creating a separate user is to ~~chown binary and~~ run as `USER nobody`, which also works; can amend this PR if required.

Least access privileges.
Close: #78

Locally with Docker (`-version`):
```
$ ps aux | grep oauth2
2000     25192  6.0  0.0      0     0 ?        Ds   15:53   0:00 [oauth2_proxy]
```

Running in Kubernetes 1.13 with the following also specified:
```
        securityContext:
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 10001
```
```
$ kubectl exec -it -n oauth2-proxy oauth2-proxy-85c9f58ffc-dz9lr sh
/opt $ whoami
whoami: unknown uid 10001
/opt $ ps aux
PID   USER     TIME  COMMAND
    1 10001     0:00 /opt/oauth2_proxy --whitelist-domain=.example.com --cookie-domain=example.com --email-domain=example.com --upstream=file:///dev/null --http-address=0.0.0.0:4180
   11 10001     0:00 sh
   17 10001     0:00 ps aux
```

- [x] My change requires a change to the documentation or CHANGELOG.
- [x] I have updated the documentation/CHANGELOG accordingly.
- [x] I have created a feature (non-master) branch for my PR.
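
As an added illustration of the pattern this PR describes (a dedicated system user and group with fixed UID/GID 2000, switched to with `USER`), the following Dockerfile is not the PR's own diff, which this page does not show. The Alpine base tag, the `/var/lib/oauth2proxy` data directory and the `CMD` flags are assumptions; the `/opt/oauth2_proxy` binary path and port 4180 are taken from the author's test output above.

```dockerfile
# Added example: non-root service user in an oauth2_proxy image.
# Base image tag, data path and CMD flags are assumptions for illustration.
FROM alpine:3.9

# Create a *system* group and user with fixed UID/GID 2000 (busybox adduser/addgroup):
#   -S  system account      -g / -u  fixed GID / UID      -D  no password
#   -H  no home directory   -s /sbin/nologin  no interactive login shell
# Pinning the ids keeps them stable across rebuilds, which is what matters for
# any files already persisted to a volume (see the compatibility note in the PR body).
RUN addgroup -S -g 2000 oauth2proxy \
 && adduser -S -D -H -u 2000 -G oauth2proxy -s /sbin/nologin oauth2proxy

WORKDIR /opt

# The binary stays root-owned and world-readable/executable; a non-root process
# does not need to own (or be able to modify) its own executable.
# Assumes oauth2_proxy was built in an earlier stage or on the host.
COPY oauth2_proxy /opt/oauth2_proxy
RUN chmod 0755 /opt/oauth2_proxy

# If the proxy ever persists data, hand that directory to the service user so the
# UID/GID change does not break read/write access. Path is an example only.
RUN mkdir -p /var/lib/oauth2proxy && chown 2000:2000 /var/lib/oauth2proxy
VOLUME /var/lib/oauth2proxy

# Switch to the numeric UID:GID rather than the account name: with runAsNonRoot
# set and no explicit runAsUser, the kubelet can only verify a numeric image user.
USER 2000:2000

EXPOSE 4180
ENTRYPOINT ["/opt/oauth2_proxy"]
CMD ["--http-address=0.0.0.0:4180"]
```

Verification follows the author's own checks: `ps aux` on the host shows the process under UID 2000, and `kubectl exec ... sh -c id` inside the pod reports `uid=2000`. When a pod `securityContext` overrides the user (the author's test uses `runAsUser: 10001`), the `chown 2000:2000` above no longer grants write access to the data directory; on Kubernetes the usual fix is `securityContext.fsGroup` on the pod, which makes mounted volumes group-writable by that GID.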
@karlskewes (Contributor, Author) commented:

@JoelSpeed - no saving old PR. :)

@JoelSpeed (Member) left a review comment:

Thanks for reopening this! I've made a suggestion to improve the changelog; let me know what you think on that. Happy with everything else.

CHANGELOG.md (review comment, outdated and resolved)
Co-Authored-By: kskewes <karl.skewes@gmail.com>
@karlskewes karlskewes changed the title Potentially breaking change: docker user & group Use non-root user in docker images Mar 5, 2019
@JoelSpeed (Member) left a review comment:

Looks great! Thanks 😄

@JoelSpeed JoelSpeed merged commit 84d7c51 into oauth2-proxy:master Mar 5, 2019
@karlskewes karlskewes deleted the dockernoroot branch May 3, 2019 06:27
@karlskewes karlskewes mentioned this pull request May 3, 2019