-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Don't run docker containers as root #400
base: main
Are you sure you want to change the base?
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #400 +/- ##
==========================================
- Coverage 87.38% 85.17% -2.22%
==========================================
Files 76 72 -4
Lines 3386 3116 -270
==========================================
- Hits 2959 2654 -305
- Misses 427 462 +35 ☔ View full report in Codecov by Sentry. |
run as non-root users.
the correct env files in. No need to do it here as well, and it was failing due to lack of build args.
…n set file permissions correctly for the export directory, which is needed so that it can be deleted from inside the container.
creation later on
sense to delete stuff afterwards from the host side rather than the container side.
export variables any more.
enforce this to avoid any weird surprises.
Had to run using Added as a secondary group and as its just a file permission I think that'd be fine. Example of permission error for a directory:
|
Co-authored-by: Milan Malfait <[email protected]>
Following good practice: https://github.com/hadolint/hadolint/wiki/DL3059
# Conflicts: # .github/workflows/main.yml # docker/hasher-api/Dockerfile # docker/imaging-api/Dockerfile # docker/orthanc-anon/Dockerfile # docker/orthanc/Dockerfile # docker/pixl-python/Dockerfile # pixl_imaging/tests/docker-compose.yml # test/conftest.py
# Conflicts: # .github/workflows/main.yml # docker/hasher-api/Dockerfile # docker/imaging-api/Dockerfile # docker/orthanc-anon/Dockerfile # docker/orthanc/Dockerfile # docker/pixl-python/Dockerfile # pixl_imaging/tests/docker-compose.yml # test/conftest.py
|
||
COPY --chown=orthanc:orthanc ./orthanc/orthanc-anon/plugin/pixl.py /etc/orthanc/pixl.py | ||
COPY --chown=orthanc:orthanc ./orthanc/orthanc-anon/config /run/secrets | ||
|
||
RUN sed -i "s/\${ORTHANC_CONCURRENT_JOBS}/${ORTHANC_CONCURRENT_JOBS:-5}/g" /run/secrets/orthanc.json |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ORTHANC_CONCURRENT_JOBS
doesn't seem to be declared as a build ARG for pixl_orthanc_anon
. Is it just reverting to the given default value?
Hmm I'd look for missing env variables for the failure |
Fixes #234. Waiting for testing on GAE before merging.
Note the addition of two new variables
PIXL_USER_UID
andPIXL_USER_GID
Firstly merge all the Dockerfiles for images that we control (imaging, export, hasher) to make this process easier.
Run all our python containers as the user/group pixl, which we create as part of the build process, using the UID/GID as specified in the config.
Export API mounts export dir read-only as it doesn't need to write any more.
Document how the host must be set up for this to work.
Do same for orthanc images.