Use a static UID and GID #245
Comments
I think this is also related to #173, @repeatedly @edsiper would you be interested in a PR to set fixed UID and GID values?
We moved account setup to runtime by #78 before.
@repeatedly the changes in that PR around UID and GID (actually GID wasn't set) appear to have been undone. I assume because the change of UID in entrypoint would need root access. My preference would be to set an absolute UID and GID in the dockerfile. This would work well with K8s and doesn't need any extra permissions at runtime.
@repeatedly @edsiper the current behaviour on Alpine doesn't look correct, as the user's group doesn't seem to be set to fluentd-docker-image/Dockerfile.template.erb Line 167 in 06b0360
This results in the following output.
PS ~> docker run --rm -it --entrypoint /bin/sh fluent/fluentd:v1.14
$ id
uid=100(fluent) gid=65533(nogroup) groups=65533(nogroup)
If changes are needed here it'd be great if at the same time the user uid (e.g.
@kenhys are you in a position to comment on #245 (comment)?
Surely,
In the previous alpine image, fluent group is not set correctly. It should use -G for it.

% docker run -u root --rm -it fluent/fluentd:v1.14-1 /bin/sh
/ # id fluent
uid=100(fluent) gid=65533(nogroup) groups=65533(nogroup),65533(nogroup)
/ # adduser -S -g fluent foo
/ # id foo
uid=101(foo) gid=65533(nogroup) groups=65533(nogroup),65533(nogroup)
/ # adduser -S -G fluent bar
/ # id bar
uid=102(bar) gid=101(fluent) groups=101(fluent),101(fluent)

Follow up fluent#245

Signed-off-by: Kentaro Hayashi <[email protected]>
Thanks @kenhys.
@kenhys now that the GID is being set how about making the UID & GID values absolute even if they're set to the current implicit values?
This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 7 days
The general consensus of Docker best practices includes running as a non-root user and using a high static UID and GID (hexops/dockerfile for reference). It would be great if the Fluentd docker image is updated to provide a static UID and GID; this shouldn't have any impact on existing use but should make using the image in systems such as Kubernetes easier and more deterministic.
This is related to issue #48 but I think it deserves its own issue to track the work.
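A CI check for the static identity requested in this issue, as an added example that is not part of the thread or the fluentd-docker-image project: it parses one line of `id` output and fails when the user is root, the primary group is `nogroup`, or the numeric UID/GID differ from the pinned values. The pinned value 10001 and all function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not project code. PIN_UID/PIN_GID are assumed values.
PIN_UID=10001
PIN_GID=10001

# Print the numeric value of the uid= or gid= field of one `id` output line.
parse_id_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=\([0-9][0-9]*\).*/\1/p"
}

# Print the name in parentheses after the uid= or gid= field.
parse_id_name() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=[0-9][0-9]*(\([^)]*\)).*/\1/p"
}

# check_identity LINE WANT_UID WANT_GID
# Returns 0 if the pinned identity matches, 1 on a policy failure,
# 2 if the line cannot be parsed. The reason is printed on stdout.
check_identity() {
    ci_uid=$(parse_id_field "$1" uid)
    ci_gid=$(parse_id_field "$1" gid)
    ci_grp=$(parse_id_name "$1" gid)
    if [ -z "$ci_uid" ] || [ -z "$ci_gid" ]; then
        echo "unparseable id output"; return 2
    fi
    if [ "$ci_uid" -eq 0 ]; then echo "runs as root"; return 1; fi
    if [ "$ci_grp" = "nogroup" ]; then
        # busybox adduser: -g sets the GECOS field, -G sets the group
        echo "primary group is nogroup"; return 1
    fi
    if [ "$ci_uid" -ne "$2" ] || [ "$ci_gid" -ne "$3" ]; then
        echo "got $ci_uid:$ci_gid, expected $2:$3"; return 1
    fi
    echo "ok $ci_uid:$ci_gid"
}

# Sample lines: the first is the output quoted in this thread, the second is
# constructed. In CI the line would come from:
#   docker run --rm --entrypoint id IMAGE
for line in \
    'uid=100(fluent) gid=65533(nogroup) groups=65533(nogroup)' \
    'uid=10001(fluent) gid=10001(fluent) groups=10001(fluent)'
do
    check_identity "$line" "$PIN_UID" "$PIN_GID" || true
done
```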