Skip to content

Don't run docker containers as root#400

Open
jeremyestein wants to merge 82 commits intomainfrom
jeremy/docker-uid-new
Open

Don't run docker containers as root#400
jeremyestein wants to merge 82 commits intomainfrom
jeremy/docker-uid-new

Conversation

@jeremyestein
Copy link
Contributor

@jeremyestein jeremyestein commented May 8, 2024
edited
Loading

Fixes #234. Waiting for testing on GAE before merging.

Note the addition of two new variables PIXL_USER_UID and PIXL_USER_GID

Firstly merge all the Dockerfiles for images that we control (imaging, export, hasher) to make this process easier.

Run all our python containers as the user/group pixl, which we create as part of the build process, using the UID/GID as specified in the config.

Export API mounts export dir read-only as it doesn't need to write any more.

Document how the host must be set up for this to work.

Do same for orthanc images.

@codecov
Copy link

codecov bot commented May 8, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 85.17%. Comparing base (6435ebb) to head (87df99c).

Additional details and impacted files 
@@            Coverage Diff             @@
##             main     #400      +/-   ##
==========================================
- Coverage   87.38%   85.17%   -2.22%     
==========================================
  Files          76       72       -4     
  Lines        3386     3116     -270     
==========================================
- Hits         2959     2654     -305     
- Misses        427      462      +35

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

jeremyestein added 25 commits May 8, 2024 16:17
@jeremyestein
De-dupe the pre-reqs installation code using a build arg
63d6edb
@jeremyestein
De-dupe the actual install as well
46a08e0
@jeremyestein
Add (failing) test for the condition we are aiming for: containers to
64fcbc5 
run as non-root users.
@jeremyestein
Run as user pixl, which we have to create inside the image with a
0d5cb39 
fixed user ID.
@jeremyestein
The system test already builds the required docker images, and passes
397cb68 
the correct env files in. No need to do it here as well, and it was
failing due to lack of build args.
@jeremyestein
Semi-WIP: Create pixl user+group on the GHA test runner so that we ca…
d7fa46e 
…n set file

permissions correctly for the export directory, which is needed so that
it can be deleted from inside the container.
@jeremyestein
Fix variable usage and exports dir location
d8525b1
@jeremyestein
More debugging
6facef9
@jeremyestein
debug
55db93c
@jeremyestein
debug
6f7c8dd
@jeremyestein
split build and up
0ff9148
@jeremyestein
Create user home dir in the GHA script to avoid error from failed
cce26a5 
creation later on
@jeremyestein
Why is pytest not found? Some kind of env change caused by sudo?
1e3ed88
@jeremyestein
Preserve path when running sudo
8abcb5f
@jeremyestein
Run tests as normal runner user
de4e1e9
@jeremyestein
Don't see why this needs to have docker group
5736f30
@jeremyestein
Debugging for perm failure on file deletes
09f37ea
@jeremyestein
Fix scope error
0edcf17
@jeremyestein
OK maybe this was needed after all
d0201d8
@jeremyestein
Since CLI creates everything in exports dir these days, it makes more
077a304 
sense to delete stuff afterwards from the host side rather than the
container side.
@jeremyestein
Try not creating home dir for pixl - what is even using this?
cd93adc
@jeremyestein
and therefore I can't do this any more
c0c0d96
@jeremyestein
Remove debugging
9507816
@jeremyestein
Document the reason for the permissions setup better. Don't need to
bd5cf84 
export variables any more.
@jeremyestein
If Export API is believed to only read from the export dir, then let's
de2ea9d 
enforce this to avoid any weird surprises.
@jeremyestein jeremyestein mentioned this pull request May 23, 2024
Closed
2 tasks
@stefpiatek
Copy link
Contributor

stefpiatek commented Jun 14, 2024

Had to run using docker group GID because all mounts will preserve the group that wrote them.

Added as a secondary group and as its just a file permission I think that'd be fine.

Example of permission error for a directory:

pixl_dev-orthanc-anon-1  | E0614 14:32:09.175160             MAIN main.cpp:2123] Uncaught exception, stopping now: [boost::filesystem::directory_iterator::construct: Permission denied: "/run/secrets"]

milanmlft
milanmlft approved these changes Jul 4, 2024
View reviewed changes
stefpiatek and others added 8 commits July 18, 2024 11:23
@stefpiatek @milanmlft
Update README.md
6e945c3 
Co-authored-by: Milan Malfait <m.malfait@ucl.ac.uk>
@milanmlft
Merge branch 'main' into jeremy/docker-uid-new
c7b2711
@milanmlft
Consolidate RUN commands
521b1cd 
Following good practice:
https://github.com/hadolint/hadolint/wiki/DL3059
@stefpiatek
Merge branch 'main' into jeremy/docker-uid-new
653a921
@milanmlft
Add @dram1964's instructions for setting up a PIXL user on GAE
5d1937d
@stefpiatek
Merge remote-tracking branch 'origin/main' into jeremy/docker-uid-new
b8a6de5 
# Conflicts:
#	.github/workflows/main.yml
#	docker/hasher-api/Dockerfile
#	docker/imaging-api/Dockerfile
#	docker/orthanc-anon/Dockerfile
#	docker/orthanc/Dockerfile
#	docker/pixl-python/Dockerfile
#	pixl_imaging/tests/docker-compose.yml
#	test/conftest.py
@stefpiatek
Merge remote-tracking branch 'origin/main' into jeremy/docker-uid-new
75af526 
# Conflicts:
#	.github/workflows/main.yml
#	docker/hasher-api/Dockerfile
#	docker/imaging-api/Dockerfile
#	docker/orthanc-anon/Dockerfile
#	docker/orthanc/Dockerfile
#	docker/pixl-python/Dockerfile
#	pixl_imaging/tests/docker-compose.yml
#	test/conftest.py
@jeremyestein
Merge branch 'main' into jeremy/docker-uid-new
87df99c
@jeremyestein jeremyestein mentioned this pull request Dec 18, 2024
Merged
13 tasks
jeremyestein
jeremyestein commented Dec 18, 2024
View reviewed changes
docker/orthanc/Dockerfile
COPY --chown=orthanc:orthanc ./orthanc/orthanc-anon/plugin/pixl.py /etc/orthanc/pixl.py
COPY --chown=orthanc:orthanc ./orthanc/orthanc-anon/config /run/secrets

RUN sed -i "s/\${ORTHANC_CONCURRENT_JOBS}/${ORTHANC_CONCURRENT_JOBS:-5}/g" /run/secrets/orthanc.json
Copy link
Contributor Author

@jeremyestein jeremyestein Dec 18, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ORTHANC_CONCURRENT_JOBS doesn't seem to be declared as a build ARG for pixl_orthanc_anon. Is it just reverting to the given default value?

@jeremyestein
Copy link
Contributor Author

jeremyestein commented Dec 18, 2024

Have split the refactoring side of this into #583 , which could possibly be merged with less risk than this PR. If we do decide to merge this, I think the fixup commit in the other branch (98fa689) should be applied here too.

@stefpiatek
Copy link
Contributor

stefpiatek commented Dec 19, 2024
edited
Loading

Hmm I'd look for missing env variables for the failure

jeremyestein added a commit that referenced this pull request Jan 6, 2025
@jeremyestein
Refactor Python and Orthanc Dockerfiles (#583)
807f84b 
Fixes #588 by de-duping the orthanc and PIXL dockerfiles. This was factored out from PR #400 which had become too big.
* Merge three pixl python dockerfiles into one multi-stage dockerfile to
avoid repetition.
* Merge orthanc dockerfiles, downloading dicom spec at a more separate stage.
* Specify healthcheck command in only one place
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dram1964 dram1964 dram1964 approved these changes

@milanmlft milanmlft milanmlft approved these changes

+1 more reviewer

@peshence peshence peshence approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Do not run containers as root and do not create root owned files

5 participants

@jeremyestein @dram1964 @stefpiatek @peshence @milanmlft