Parity-ethereum: Parity Docker containers run as root

Created on 23 Dec 2017  路  7Comments  路  Source: openethereum/parity-ethereum

Docker images defined in https://github.com/paritytech/parity/tree/master/docker run with UID 0, which is not very secure: although "containerized" root user has fewer capabilities than the real root, Docker developers recommend running container processes as unprivileged users.
Even if I specify unprivileged UID:GID in the --user option of the docker run command I still can not run these containers in unprivileged mode because of permissions violation. The images are configured so that the data directory is located in the /root directory of the image, which is owned by root.
It is possible to remap root user inside a Docker container to an unprivileged user on the host, but this is not covered on the wiki page.
It would also be nice if the images had special mount points for external data volumes marked by the Docker VOLUME directive.

F3-annoyance 馃挬 M1-ci 馃檳 P7-nicetohave 馃悤
Source
picture briskycat
👍2

All 7 comments

@paritytech/ci Please have a look.

@briskycat PRs are very welcome.

tomusdrw picture tomusdrw on 27 Dec 2017

We have encountered similar issue with current docker images, and are preparing a PR for non-root CentOS image, as current one is not suitable for deploying on OpenShift (Kubernetes).

We had no luck in building current Parity CentOS Docker image, so we went on and created our own. Current image is wget-ing the rpm package, but we would like to build it from source.

The Dockerfile (and the Parity OpenShift template) is currently available here, and the non-root image is published on dockerhub

Can you please check out our current Dockerfile and give feedback is it PR ready, and provide us with info is this code still used for building rpm package.

Cheers!

pinging @dec-

JohnnySheffield picture JohnnySheffield on 7 Apr 2018
👍1

@JohnnySheffield (Going over stale issues) Did you ever create that PR, is there any more help you need from us?

folsen picture folsen on 21 May 2018
👍1

I recently learned the same background and arrived at the same conclusion.
@JohnnySheffield did you manage to get anywhere with the PR?
I'm pretty slammed but would be keen, at some point, to help here

onpaws picture onpaws on 25 Jul 2018

@folsen @onpaws Here's a nonroot centos image that i've finally got to build and start. Still needs more work to reduce final image size.

JohnnySheffield picture JohnnySheffield on 27 Jul 2018
👍1

Thanks for sharing!
Will check this out over the weekend :)

onpaws picture onpaws on 27 Jul 2018

closed by #9689

debris picture debris on 30 Oct 2018
Was this page helpful?
0 / 5 - 0 ratings

Related issues

bryaan picture bryaan  路  3Comments
danfinlay picture danfinlay  路  3Comments
stone212 picture stone212  路  3Comments
0x7CFE picture 0x7CFE  路  3Comments
barakman picture barakman  路  3Comments