Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: use the non-root atlantis user instead of root (cherry-pick #3886) #3964

Merged
merged 1 commit into from
Nov 11, 2023
Merged

fix: use the non-root atlantis user instead of root (cherry-pick #3886) #3964

merged 1 commit into from
Nov 11, 2023

Conversation

jamengual
Copy link
Contributor

@jamengual jamengual commented Nov 9, 2023
edited by nitrocode
Loading

what

  • Make standard use of the atlantis user and not root.
  • Removed gosu, as we're using the atlantis user anyways
  • Set DOCKER_CONTENT_TRUST=1 anywhere we build

why

  • gosu has various security issues reported (see reported issues)
  • it's not a good practice to use the root user by default

tests

references

@jamengual jamengual requested a review from a team as a code owner November 9, 2023 04:31
@github-actions github-actions bot added the build Relating to how we build Atlantis label Nov 9, 2023
@fzipi
Copy link
Contributor

fzipi commented Nov 9, 2023
edited
Loading

Probably we don't need this now?

atlantis/Dockerfile

Line 56 in fefedad

libcap2 \
and

atlantis/Dockerfile

Line 167 in fefedad

libcap~=2.69 \

@jamengual
Copy link
Contributor Author

Probably we don't need this now?

atlantis/Dockerfile

Line 56 in fefedad

libcap2 \

and

atlantis/Dockerfile

Line 167 in fefedad

libcap~=2.69 \

I do not recall why this was added, why do you think is not needed?

@jamengual jamengual added this to the v0.26.0 milestone Nov 9, 2023
@GenPage GenPage changed the title fix: use the non-root atlantis user instead of root (#3886) fix: use the non-root atlantis user instead of root (cherry-pick #3886) Nov 9, 2023
@fzipi
Copy link
Contributor

fzipi commented Nov 9, 2023

Probably we don't need this now?

atlantis/Dockerfile

Line 56 in fefedad

libcap2 \

and

atlantis/Dockerfile

Line 167 in fefedad

libcap~=2.69 \

I do not recall why this was added, why do you think is not needed?

This is just to have the setcap binary, which we are removing...

@GenPage
Copy link
Member

GenPage commented Nov 9, 2023

This is a cherry-picked PR, the original is already merged. Please open a new PR to remove libcap

Probably we don't need this now?

atlantis/Dockerfile

Line 56 in fefedad

libcap2 \

and

atlantis/Dockerfile

Line 167 in fefedad

libcap~=2.69 \

I do not recall why this was added, why do you think is not needed?

This is just to have the setcap binary, which we are removing...

@bschaatsbergen @jamengual @GenPage
fix: use the non-root atlantis user instead of root (#3886)
4a068a2 
* feat: use Atlantis user by default and get rid of gosu

* chore: set `DOCKER_CONTENT_TRUST=1`

* chore: fix chmod and chown

* feat: add a healthcheck to the debian and alpine images

* feat: removing setuid and setgid permissions prevents container privilege escalation and improve comments

* chore: remove setgid/setuid as we chown an entire directory

* chore: keep deps comment generic

* chore: grammar

* chore: remove redundant comment

* chore: rm DOCKER_CONTENT_TRUST

* chore: set uid and gid and remove passwd entry

* chore: revert gid and uid set as it's conflicting

---------

Co-authored-by: PePe Amengual <[email protected]>
@GenPage GenPage merged commit c810204 into release-0.26 Nov 11, 2023
23 checks passed
@GenPage GenPage deleted the non_root_image branch November 11, 2023 00:23
@fzipi fzipi mentioned this pull request Nov 12, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@GenPage GenPage GenPage approved these changes

Assignees
No one assigned
Labels
build Relating to how we build Atlantis
Projects
None yet
Milestone
v0.26.0
Development

Successfully merging this pull request may close these issues.
4 participants
@jamengual @fzipi @GenPage @bschaatsbergen