Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Don't run docker containers as root #400

Open
wants to merge 82 commits into
base: main
Choose a base branch
from

Conversation

jeremyestein
Copy link
Contributor

@jeremyestein jeremyestein commented May 8, 2024

Fixes #234. Waiting for testing on GAE before merging.

Note the addition of two new variables PIXL_USER_UID and PIXL_USER_GID

Firstly merge all the Dockerfiles for images that we control (imaging, export, hasher) to make this process easier.

Run all our python containers as the user/group pixl, which we create as part of the build process, using the UID/GID as specified in the config.

Export API mounts export dir read-only as it doesn't need to write any more.

Document how the host must be set up for this to work.

Do same for orthanc images.

Copy link

codecov bot commented May 8, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 85.17%. Comparing base (6435ebb) to head (87df99c).

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #400      +/-   ##
==========================================
- Coverage   87.38%   85.17%   -2.22%     
==========================================
  Files          76       72       -4     
  Lines        3386     3116     -270     
==========================================
- Hits         2959     2654     -305     
- Misses        427      462      +35     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

the correct env files in. No need to do it here as well, and it was
failing due to lack of build args.
…n set file

permissions correctly for the export directory, which is needed so that
it can be deleted from inside the container.
sense to delete stuff afterwards from the host side rather than the
container side.
@stefpiatek
Copy link
Contributor

Had to run using docker group GID because all mounts will preserve the group that wrote them.

Added as a secondary group and as its just a file permission I think that'd be fine.

Example of permission error for a directory:

pixl_dev-orthanc-anon-1  | E0614 14:32:09.175160             MAIN main.cpp:2123] Uncaught exception, stopping now: [boost::filesystem::directory_iterator::construct: Permission denied: "/run/secrets"]

README.md Outdated Show resolved Hide resolved
docker/hasher-api/Dockerfile Outdated Show resolved Hide resolved
stefpiatek and others added 8 commits July 18, 2024 11:23
Co-authored-by: Milan Malfait <[email protected]>
# Conflicts:
#	.github/workflows/main.yml
#	docker/hasher-api/Dockerfile
#	docker/imaging-api/Dockerfile
#	docker/orthanc-anon/Dockerfile
#	docker/orthanc/Dockerfile
#	docker/pixl-python/Dockerfile
#	pixl_imaging/tests/docker-compose.yml
#	test/conftest.py
# Conflicts:
#	.github/workflows/main.yml
#	docker/hasher-api/Dockerfile
#	docker/imaging-api/Dockerfile
#	docker/orthanc-anon/Dockerfile
#	docker/orthanc/Dockerfile
#	docker/pixl-python/Dockerfile
#	pixl_imaging/tests/docker-compose.yml
#	test/conftest.py

COPY --chown=orthanc:orthanc ./orthanc/orthanc-anon/plugin/pixl.py /etc/orthanc/pixl.py
COPY --chown=orthanc:orthanc ./orthanc/orthanc-anon/config /run/secrets

RUN sed -i "s/\${ORTHANC_CONCURRENT_JOBS}/${ORTHANC_CONCURRENT_JOBS:-5}/g" /run/secrets/orthanc.json
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ORTHANC_CONCURRENT_JOBS doesn't seem to be declared as a build ARG for pixl_orthanc_anon. Is it just reverting to the given default value?

@jeremyestein
Copy link
Contributor Author

Have split the refactoring side of this into #583 , which could possibly be merged with less risk than this PR. If we do decide to merge this, I think the fixup commit in the other branch (98fa689) should be applied here too.

@stefpiatek
Copy link
Contributor

stefpiatek commented Dec 19, 2024

Hmm I'd look for missing env variables for the failure

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Do not run containers as root and do not create root owned files
5 participants