Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Reworked adding non-root user to docker images. #1052

Open
wants to merge 3 commits into
base: main
Choose a base branch
from

Conversation

arahja
Copy link
Contributor

@arahja arahja commented Mar 11, 2024

This gives you the ability to run ntfy as a non-root user. fixes #966

@arahja
Copy link
Contributor Author

arahja commented Mar 11, 2024

I put notes in the original issue as to what I did to fix the issue. The short version is that i had to use the full path to the "adduser" program.

@binwiederhier
Copy link
Owner

Still fails

  ⨯ release failed after 22s                 error=docker build failed: failed to build binwiederhier/ntfy:v2.9.0-armv6: exit status 1: #0 building with "default" instance using docker driver

#1 [internal] load build definition from Dockerfile
#1 transferring dockerfile: 799B done
#1 DONE 0.1s

#2 [internal] load metadata for docker.io/library/alpine:latest
#2 DONE 0.3s

#3 [internal] load .dockerignore
#3 transferring context: 2B done
#3 DONE 0.0s

#4 [1/3] FROM docker.io/library/alpine:latest@sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b
#4 CACHED

#5 [internal] load build context
#5 transferring context: 36.90MB 0.7s done
#5 CANCELED

#6 [2/3] RUN /usr/sbin/adduser -D -u 1000 ntfy
#6 0.465 exec /bin/sh: exec format error
#6 ERROR: process "/bin/sh -c /usr/sbin/adduser -D -u 1000 ntfy" did not complete successfully: exit code: 1
------
 > [2/3] RUN /usr/sbin/adduser -D -u 1000 ntfy:
0.465 exec /bin/sh: exec format error
------
Dockerfile:15
--------------------
  13 |     # https://github.com/binwiederhier/ntfy/issues/894
  14 |     
  15 | >>> RUN /usr/sbin/adduser -D -u 1000 ntfy
  16 |     COPY ntfy /usr/bin
  17 |     
--------------------
ERROR: failed to solve: process "/bin/sh -c /usr/sbin/adduser -D -u 1000 ntfy" did not complete successfully: exit code: 1

Learn more at https://goreleaser.com/errors/docker-build

@arahja
Copy link
Contributor Author

arahja commented Mar 25, 2024

Wow... not sure what I missed. It worked when I ran the make on my PC (Linux). I'll check and see if there was some way I was not using qemu to build and run the armv6 image properly.

@pred2k
Copy link

pred2k commented Mar 29, 2024

shouldn't USER ntfy be added to the Dockerfiles?

https://docs.docker.com/develop/develop-images/instructions/#user

@pred2k
Copy link

pred2k commented Mar 29, 2024

There is also a Dockerfile Best Practice saying:

Do not use a UID below 10,000
UIDs below 10,000 are a security risk on several systems, because if someone does manage to escalate privileges outside the Docker container their Docker container UID may overlap with a more privileged system user's UID granting them additional permissions. For best security, always run your processes as a UID above 10,000.

From https://github.com/hexops/dockerfile?tab=readme-ov-file#do-not-use-a-uid-below-10000

Discussion on that https://news.ycombinator.com/item?id=25621610

@arahja
Copy link
Contributor Author

arahja commented Mar 29, 2024

shouldn't USER ntfy be added to the Dockerfiles?

https://docs.docker.com/develop/develop-images/instructions/#user

I am not forcing that on the users at this time. I am merely adding this user to give them the option. You can force the container to run as a specific user once that user exists.

@arahja arahja force-pushed the add_non-root_user_to_containers_try_2 branch from ba8cd4f to 41ca76c Compare March 29, 2024 13:33
@codecov-commenter
Copy link

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 64.80%. Comparing base (fc62682) to head (41ca76c).
Report is 13 commits behind head on main.

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #1052   +/-   ##
=======================================
  Coverage   64.80%   64.80%           
=======================================
  Files          61       61           
  Lines        7983     7983           
=======================================
  Hits         5173     5173           
  Misses       1944     1944           
  Partials      866      866           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@arahja arahja force-pushed the add_non-root_user_to_containers_try_2 branch from 41ca76c to 5d2351a Compare March 29, 2024 13:38
…ild issue locally on ubuntu 22.04 based server.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Add non-root user to ntfy container images.
4 participants