Run nginx completely unprivileged in container #592

Merged
merged 4 commits into from
Oct 25, 2024

lunkwill42
Member

This switches the production Docker image to use the nginx-unprivileged image as its base. The original image would start nginx as root, while nginx itself would drop privileges to the nginx user.

This updated workflow will ensure nothing is started as root at all when the container starts.

Fixes #591
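
A CI-style check for the property this PR establishes, added here as an example (not code from this PR or project): it reads a Dockerfile and reports whether the final build stage would start its process as root. The `NONROOT_BASES` allowlist, the function names and the sample Dockerfiles are constructed assumptions.

```python
import re

# Assumption: base images trusted to set a non-root USER themselves.
NONROOT_BASES = {"nginxinc/nginx-unprivileged"}

def final_stage(dockerfile):
    """Return (base_image, user) in effect at the end of the last build stage."""
    stages = {}               # stage alias -> [base, user]
    current = [None, None]
    text = re.sub(r"\\[ \t]*\n", " ", dockerfile)  # join continuation lines
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        instr, arg = parts[0].upper(), parts[1].strip()
        if instr == "FROM":
            tokens = [t for t in arg.split() if not t.startswith("--")]
            # FROM <earlier alias> inherits that stage's base and user.
            current = list(stages.get(tokens[0], [tokens[0], None]))
            if len(tokens) == 3 and tokens[1].upper() == "AS":
                stages[tokens[2]] = current
        elif instr == "USER":
            current[1] = arg
    return tuple(current)

def runs_as_root(dockerfile):
    """True if the container's first process would start as root."""
    base, user = final_stage(dockerfile)
    if user is not None:
        return user.split(":")[0] in ("root", "0")  # USER user[:group]
    if base is None:
        return True                                  # no FROM found: fail closed
    name = base.split("@")[0]                        # drop digest
    if ":" in name.rsplit("/", 1)[-1]:
        name = name.rsplit(":", 1)[0]                # drop tag, keep registry:port
    return name not in NONROOT_BASES

# Constructed samples (not the project's Dockerfile).
BEFORE = "FROM nginx:alpine\nRUN apk add tree\nCOPY dist /usr/share/nginx/html\n"
AFTER = "FROM nginxinc/nginx-unprivileged:alpine\nCOPY dist /usr/share/nginx/html\n"
# Failure mode: switching to root for a package install and never switching back.
REGRESSED = AFTER + "USER root\nRUN apk add --no-cache curl\n"

if __name__ == "__main__":
    for label, df in (("before", BEFORE), ("after", AFTER), ("regressed", REGRESSED)):
        print(label, "runs as root:", runs_as_root(df))
```

The check is static: it does not resolve `ARG` substitutions in `FROM` or `USER`, and it cannot see a user override supplied when the container is started.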

This switches the production Docker image to use the nginx-unprivileged
image as its base.  The original image would start nginx as root, while
nginx itself would drop privileges to the nginx user.

This updated workflow will ensure nothing is started as root at all when
the container starts.

There is no need to install the `tree` command into the container
image (some old version of the image may have used it, but this hasn't
been true for a while).

codecov-commenter commented Oct 23, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 57.34%. Comparing base (f90dd59) to head (ab73ddc).
Report is 2 commits behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master     #592   +/-   ##
=======================================
  Coverage   57.34%   57.34%           
=======================================
  Files          86       86           
  Lines        3692     3692           
  Branches      837      840    +3     
=======================================
  Hits         2117     2117           
  Misses       1566     1566           
  Partials        9        9           


This reduces the size of the resulting image by avoiding filling the
container filesystem with the apk package cache (as suggested by
SonarCloud)

lunkwill42 merged commit 92381ec into master Oct 25, 2024
4 checks passed
lunkwill42 deleted the bugfix/anti-root-in-docker-container branch October 25, 2024 09:39
Successfully merging this pull request may close these issues.

Docker image should not run processes as root