feat(dev): Run docker image as non-root with 'akhq' user #494

Merged


thomas-chauvet
Contributor

Following pull request #487, to avoid a user with no name we can create a user 'akhq' with proper rights on the /app directory to write configuration.

The previous configuration used user 10001, which led to an unnamed user (e.g. `I have no name!@5af14cf2a980:/app$`).

@chgl
Contributor

chgl commented Nov 4, 2020

I'm perfectly fine with this change but just to give my motivation behind #487 :

Does the akhq user really need to write config? At least from my usage it seems like it will only ever read them. Having the filesystem as read-only is also a solid security precaution. You can of course still give permissions to an unnamed user: `chown -R 10001:10001 /app` works without a passwd entry.

When running inside Kubernetes a numeric value allows the cluster to validate if the container is running as a non-root user, which is impossible to do if it is named. Platforms like OpenShift additionally randomize the UID.

> The previous configuration used user 10001, which led to an unnamed user (e.g. `I have no name!@5af14cf2a980:/app$`).

One could log in as root (`docker exec -u 0 -it`) if necessary. But regularly logging in to containers is generally advised against. From a paranoid security perspective: base images like distroless don't include a shell at all.
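The distinction between a named and a numeric `USER` raised in the comment above, as an added example that is not part of the PR thread or of the AKHQ project: it reads the final `USER` instruction of a Dockerfile and reports whether non-root can be confirmed from the image metadata alone, which is what a `runAsNonRoot` check has to work with. The helper names, the base image names and the sample Dockerfiles are constructed for illustration.

```python
import re

# USER <name|uid>[:<group|gid>]; Dockerfile instructions are case-insensitive.
USER_RE = re.compile(r"^\s*USER\s+([^\s:]+)(?::\S+)?\s*$", re.IGNORECASE)
FROM_RE = re.compile(r"^\s*FROM\s", re.IGNORECASE)


def final_user(dockerfile):
    """Return the user set by the last USER instruction of the final stage, or None."""
    user = None
    for line in dockerfile.splitlines():
        if FROM_RE.match(line):
            user = None  # new stage: the user now comes from that stage's base image
            continue
        m = USER_RE.match(line)
        if m:
            user = m.group(1)
    return user


def classify(dockerfile):
    """Classify the image user the way a runAsNonRoot check has to see it."""
    user = final_user(dockerfile)
    if user is None:
        return "unset"          # inherited from the base image; root unless that image says otherwise
    if user.startswith("$"):
        return "unresolved"     # build-time variable, value not known from the text
    if not user.isdigit():
        return "unverifiable"   # a name maps to a UID only via /etc/passwd inside the image
    return "root" if int(user) == 0 else "non-root"


# Constructed sample Dockerfiles (base image names are placeholders).
NAMED = """FROM example/base-jre
RUN useradd -u 1000 akhq && chown -R akhq /app
USER akhq
"""
NUMERIC = """FROM example/base-jre
RUN chown -R 10001:10001 /app
USER 10001:10001
"""
MULTISTAGE = """FROM example/build AS build
USER 10001
FROM example/base-jre
COPY --from=build /app /app
"""

if __name__ == "__main__":
    for name, text in [("named", NAMED), ("numeric", NUMERIC), ("multistage", MULTISTAGE)]:
        print(name, "->", classify(text))
```

For an image classified as "unverifiable", setting an explicit numeric `runAsUser` in the pod's `securityContext` gives the cluster a UID it can check.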

@thomas-chauvet
Contributor Author

> Does the akhq user really need to write config?

Yes, in my case I needed it when giving the AKHQ configuration via the `AKHQ_CONFIGURATION` env variable.

> When running inside Kubernetes a numeric value allows the cluster to validate if the container is running as a non-root user, which is impossible to do if it is named. Platforms like OpenShift additionally randomize the UID.

Didn't know this, good to know when I'll move to OpenShift :)

We can close this if needed, I'll use my own Dockerfile on top of the one provided.

@chgl
Contributor

chgl commented Nov 4, 2020

> AKHQ_CONFIGURATION

Hadn't considered that! Then let's keep this PR open. And save you the headache of maintaining your own Dockerfile! I'm cool with anything but root by default 😄

@tchiotludo tchiotludo merged commit 552a9eb into tchiotludo:dev Nov 6, 2020
@tchiotludo
Owner

I've just had the bug of AKHQ_CONFIGURATION on my local env; this one is needed 👍

Thanks :)
