Don't run as root when building protobuf files #251
Signed-off-by: Fredrik Skogman <[email protected]>
15b6eb0 to 25288b3
Signed-off-by: Fredrik Skogman <[email protected]>
This is a quite massive rewrite, as getting everything to run as a non-root user isn't trivial. I would appreciate it if as many as possible could run

$ make clean
$ make
$ git status

and verify that it all builds correctly and no unexpected modifications happen to the generated files.
Signed-off-by: Fredrik Skogman <[email protected]>
|
||
# Switch user | ||
ARG uid=1000 | ||
RUN adduser -u ${uid} -S builder |
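Review bot: RUN adduser -u ${uid} -S builder fails for large uid values, because BusyBox adduser only accepts numbers in the range 0..256000, so a build that passes a higher uid through ARG uid breaks at this step. Either write the account entry for builder directly in this step instead of calling adduser, or drop the baked-in account and select the uid when the container is started. Whichever is chosen, a short comment above ARG uid=1000 stating the supported range would save the next person the debugging.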
Alpine does not use the "standard" useradd command.
Nice! Works for me.
@@ -6,15 +6,23 @@ RUN set -ex && \ | |||
apt-get install -y --no-install-recommends \ | |||
python3-pip | |||
|
|||
# Install Python dev dependencies. |
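Review bot: the apt-get install of python3-pip at the top of this hunk is a separate step from the later apt-get for curl and build-essential mentioned in this conversation, and a 404 on a .deb fetch in one of the steps is what a package index cached from an earlier layer typically produces. Install all of these packages in one RUN together with apt-get update, so the index and the downloads always come from the same point in time and the order of the steps stops mattering.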
Testing locally, I had to move lines 14-18, the apt-get for curl and build-essential, above 10-12, or else it failed with E: Failed to fetch http://deb.debian.org/debian/pool/main/p/perl/perl-modules-5.32_5.32.1-4%2bdeb11u2_all.deb 404 Not Found [IP: 151.101.22.132 80] (not sure why). Can we swap the order?
python3 -m pip install --requirement /tmp/dev-requirements.txt | ||
# Switch user | ||
ARG uid=1000 | ||
RUN useradd -u ${uid} -s /bin/sh -m builder |
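Review bot: useradd -u ${uid} in the last line aborts when the uid is already taken in the base image, which is always the case for 0, so a build that passes uid=0 (root's own uid on a CI runner, for example) fails at this step. Guard the step for that case, for instance by skipping account creation when the uid already exists, and add a comment next to ARG uid=1000 saying what value callers are expected to pass.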
I got an error: adduser: number 561799 is not in 0..256000 range. Looks like https://stackoverflow.com/questions/41807026/cant-add-a-user-with-a-high-uid-in-docker-alpine would be the fix?
Interesting, I'll try to take a look later this week.
This is awesome, thanks so much for tackling this.
@kommendorkapten, did you get a chance to look into the open comments, or would you like someone to take a look?
@haydentherapper The last weeks were busy with preparation for KubeCon and so on. I'm back now from the Easter break, so I would be able to work on this again this week.
May close #244
Summary
Make sure that docker does not run as root when building protobuf files.
Release Note
N/A
Documentation
N/A