Non-root container image #437

Merged
merged 3 commits into from
Aug 16, 2023

sybereal
Collaborator

Pull Request

Configure container image to run as a non-root user. Based on, supersedes, and closes #370.

How Has This Been Tested?

Local build and manual test.

Checklist

  • I have formatted the title correctly and precisely
  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas and public classes/methods
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings (performed checkstyle check locally)
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules
  • I have added/updated copyright headers

tsk9 and others added 3 commits August 16, 2023 14:02
Consistency and compatibility with more container runtimes and builders.
Instead of manually modifying the image to work in a non-root
environment, use the official unprivileged NGINX image. To install
packages and perform other privileged tasks, temporarily switch to root
and subsequently switch back.

Additionally, use the native envsubst templating already integrated into
the NGINX images instead of recreating it. The reason it was not
triggering before is that the entrypoint script in the base image checks
if the command is `nginx` or `nginx-debug` and if not just executes the
command directly without running any further setup.
@sybereal sybereal added task/refactor Code needs refactoring area/docker A docker related issue labels Aug 16, 2023
Collaborator

@richardtreier richardtreier left a comment

LGTM

docker/Dockerfile (review thread resolved)
@sybereal sybereal enabled auto-merge (squash) August 16, 2023 13:29
@sybereal sybereal merged commit 6912794 into main Aug 16, 2023
10 checks passed
@sybereal sybereal deleted the docker-nonroot branch August 16, 2023 13:47
richardtreier pushed a commit that referenced this pull request Aug 31, 2023
Make image work in a nonroot environment.

* Docker: fully-qualified image names

Consistency and compatibility with more container runtimes and builders.

* Docker: rewrite to use unprivileged NGINX

Instead of manually modifying the image to work in a non-root
environment, use the official unprivileged NGINX image. To install
packages and perform other privileged tasks, temporarily switch to root
and subsequently switch back.

Additionally, use the native envsubst templating already integrated into
the NGINX images instead of recreating it. The reason it was not
triggering before is that the entrypoint script in the base image checks
if the command is `nginx` or `nginx-debug` and if not just executes the
command directly without running any further setup.

---------

Co-authored-by: Thomas <[email protected]>
richardtreier added a commit that referenced this pull request Sep 1, 2023
richardtreier added a commit that referenced this pull request Sep 1, 2023
richardtreier added a commit that referenced this pull request Sep 1, 2023
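
The pattern the commit messages describe, as an added example (not the project's own Dockerfile): start from the unprivileged NGINX image, switch to root only for privileged build steps, switch back, and keep `nginx` as the command so the base entrypoint renders the envsubst templates. The image tag, the `curl` package, the `SERVER_NAME` variable and the template contents are assumptions for illustration, and the `COPY` heredoc assumes a builder that supports Dockerfile heredocs.

```dockerfile
# syntax=docker/dockerfile:1
# Added illustration; tag, package, variable and template are assumptions.

# Fully-qualified image name: builders without a default registry search
# list resolve the same image as Docker does.
FROM docker.io/nginxinc/nginx-unprivileged:1.25-alpine

# The base image already runs as UID 101. Become root only for the
# build steps that need it.
USER root
# Placeholder for whatever packages the image needs.
RUN apk add --no-cache curl

# Files ending in .template under /etc/nginx/templates are rendered with
# envsubst into /etc/nginx/conf.d/ by the base image's entrypoint.
# Only variables defined in the environment are substituted, so NGINX
# variables such as $uri pass through untouched.
COPY --chown=root:root <<'EOF' /etc/nginx/templates/default.conf.template
server {
    # Unprivileged port: a non-root process cannot bind below 1024
    # without extra capabilities.
    listen 8080;
    server_name ${SERVER_NAME};

    location / {
        root /usr/share/nginx/html;
        try_files $uri /index.html;
    }
}
EOF

# Default for the templated value (hypothetical variable name).
ENV SERVER_NAME=localhost

# Drop privileges again. A numeric UID lets orchestrators that enforce
# "must not run as root" verify the user without reading /etc/passwd.
USER 101

EXPOSE 8080

# The first argument must be "nginx" (or "nginx-debug"): the base
# entrypoint runs its setup scripts, including template rendering, only
# in that case and otherwise executes the command directly.
CMD ["nginx", "-g", "daemon off;"]
```

Running the built image with a different command, for example `id -u`, prints the non-root UID and skips template rendering, which is the entrypoint behaviour the commit message describes.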