Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Docker Image: Geth/Bootnode should run as non-root user #1367

Closed
tgip-work opened this issue Mar 17, 2022 · 2 comments
Closed

Docker Image: Geth/Bootnode should run as non-root user #1367

tgip-work opened this issue Mar 17, 2022 · 2 comments
Assignees
@antonydenyer
Labels
Community Support

Comments

@tgip-work
Copy link

Rationale

Why should this feature exist?
It is good practice to run containers as non-root users in order to minimize attacking surface.

What are the use-cases?
Scanner engines currently report that the process is running as root which may violate company security compliance rules.
As existing installations may break if they switch to a container image with geth running as a different user (uid=1000) than before (uid=0) my suggestion is to provide an additional official docker image with tag suffix -non-root, e.g. quorumengineering/quorum:21.10-non-root

Implementation

Here is a proposal for the Dockerfile Dockerfile-non-root

#
# build with
# docker build -t quorumengineering/quorum:v21.7.1-non-root --rm --file=Dockerfile-non-root --network host .
#

# Build Geth in a stock Go builder container
FROM golang:1.16-alpine as builder

RUN apk add --no-cache make gcc musl-dev linux-headers git

ADD . /go-ethereum
RUN cd /go-ethereum && make geth bootnode

# Pull Geth into a second stage deploy alpine container
FROM alpine:3.15

RUN apk add --no-cache ca-certificates curl
COPY --from=builder /go-ethereum/build/bin/geth /usr/local/bin/
COPY --from=builder /go-ethereum/build/bin/bootnode /usr/local/bin/

# Add User
RUN addgroup -g 1000 quorum \
    && adduser -u 1000 -G quorum -s /bin/sh -D quorum
USER quorum

EXPOSE 8545 8546 30303 30303/udp
ENTRYPOINT ["geth"]
@antonydenyer
Copy link
Contributor

antonydenyer commented Mar 21, 2022
edited
Loading

We currently don't make any changes to the Dockerfile from upstream geth.
This should be fixed there first, then we can pull it into GoQuorum fork.

@antonydenyer antonydenyer mentioned this issue Apr 4, 2022
Closed
@antonydenyer antonydenyer self-assigned this Apr 4, 2022
@antonydenyer antonydenyer mentioned this issue Apr 7, 2022
Closed
@antonydenyer
Copy link
Contributor

Apparently this has been discussed several times upstream by the geth team ethereum/go-ethereum#24644 so it will not be merged into the upstream docker image and therefore will not be changed in the main goquorum image.

This brings us to your Dockerfile-non-root suggestion, I've not come across other repositories doing anything similar and would be reluctant to do something that is 'not standard'. There's nothing stopping someone overriding the image and changing the user. But happy to be proven wrong.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@antonydenyer antonydenyer

Labels
Community Support
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@antonydenyer @tgip-work