New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use a numeric USER instruction in Dockerfiles #1073

Closed

srguglielmo wants to merge 1 commit into SeleniumHQ:master from srguglielmo:fix-k8s-runasnonroot

Contributor

srguglielmo commented Jun 30, 2020 •

edited

Loading

Description

By using a numeric USER instruction in Dockerfiles, the images are now able to pass a strict Kubernetes securityContext configuration. Specifically, runAsNonRoot, which requires a numeric user/group ID. It is also a Docker best practice. The values of 1200 and 1201 are arbitrary.

Motivation and Context

While running a Selenium grid cluster in Kubernetes, I noticed I was unable to run the images with runAsNonRoot: true due to the following error:

CreateContainerConfigError: container has runAsNonRoot and image has non-numeric user (seluser), cannot verify user is non-root

Types of changes

Bug fix (non-breaking change which fixes an issue)
New feature (non-breaking change which adds functionality)
Breaking change (fix or feature that would cause existing functionality to change)

Checklist

I have read the contributing document.
My change requires a change to the documentation.
I have updated the documentation accordingly.
I have added tests to cover my changes.
All new and existing tests passed.

Here's an example of the k8s config that runs successfully after this patch:

apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
      - name: hub
        image: selenium/hub:local
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          privileged: false
          readOnlyRootFilesystem: false
          runAsNonRoot: true

I can run VERSION=local make build locally successfully. Let me know if there's anything I can change or if this can be tested somehow.

Thanks,
Steve


          Use a numeric USER instruction in Dockerfiles

ced3ea0

CLAassistant commented Jun 30, 2020 •

edited

Loading

All committers have signed the CLA.

diemol approved these changes

View reviewed changes

Member

diemol left a comment

Thank you for this PR @srguglielmo!
I added a comment several times.

Could you please send this PR to the https://github.com/SeleniumHQ/docker-selenium/tree/selenium-4-alpha branch too?

Hub/Dockerfile

		@@ -5,7 +5,7 @@
		FROM selenium/base:3.141.59-20200525

Member

diemol Jul 13, 2020

Could you please only change the Dockerfile.txt files?

NodeBase/Dockerfile

		@@ -75,7 +75,7 @@ RUN apt-get -qqy update \
		# Run the following commands as non-privileged user

Member

diemol Jul 13, 2020

Could you please only change the Dockerfile.txt files?

NodeChrome/Dockerfile

               COPY wrap_chrome_binary /opt/bin/wrap_chrome_binary
               RUN /opt/bin/wrap_chrome_binary
-              USER seluser
+              USER 1200

Member

diemol Jul 13, 2020

Could you please only change the Dockerfile.txt files?

NodeChromeDebug/Dockerfile

@@ @@ -24,7 +24,7 @@ RUN apt-get update -qqy \ @@
                   fluxbox \
                 && rm -rf /var/lib/apt/lists/* /var/cache/apt/*
-              USER seluser
+              USER 1200

Member

diemol Jul 13, 2020

Could you please only change the Dockerfile.txt files?

NodeFirefox/Dockerfile

                 && chmod 755 /opt/geckodriver-$GK_VERSION \
                 && ln -fs /opt/geckodriver-$GK_VERSION /usr/bin/geckodriver
-              USER seluser
+              USER 1200

Member

diemol Jul 13, 2020

Could you please only change the Dockerfile.txt files?

StandaloneChromeDebug/Dockerfile

@@ @@ -5,7 +5,7 @@ @@
               FROM selenium/node-chrome-debug:3.141.59-20200525
               LABEL authors=SeleniumHQ
-              USER seluser
+              USER 1200

Member

diemol Jul 13, 2020

Could you please only change the Dockerfile.txt files?

StandaloneFirefox/Dockerfile

@@ @@ -5,7 +5,7 @@ @@
               FROM selenium/node-firefox:3.141.59-20200525
               LABEL authors=SeleniumHQ
-              USER seluser
+              USER 1200

Member

diemol Jul 13, 2020

Could you please only change the Dockerfile.txt files?

StandaloneFirefoxDebug/Dockerfile

@@ @@ -5,7 +5,7 @@ @@
               FROM selenium/node-firefox-debug:3.141.59-20200525
               LABEL authors=SeleniumHQ
-              USER seluser
+              USER 1200

Member

diemol Jul 13, 2020

Could you please only change the Dockerfile.txt files?

StandaloneOpera/Dockerfile

@@ @@ -5,7 +5,7 @@ @@
               FROM selenium/node-opera:3.141.59-20200525
               LABEL authors=SeleniumHQ
-              USER seluser
+              USER 1200

Member

diemol Jul 13, 2020

Could you please only change the Dockerfile.txt files?

StandaloneOperaDebug/Dockerfile

@@ @@ -5,7 +5,7 @@ @@
               FROM selenium/node-opera-debug:3.141.59-20200525
               LABEL authors=SeleniumHQ
-              USER seluser
+              USER 1200

Member

diemol Jul 13, 2020

Could you please only change the Dockerfile.txt files?

diemol requested changes

View reviewed changes

Member

diemol left a comment

Meant to request changes not approve.

This was referenced Jul 13, 2020

Use a numeric USER instruction in Dockerfiles #1082

Merged

Use a numeric USER instruction in Dockerfiles #1083

Merged

Contributor Author

srguglielmo commented Jul 13, 2020

Replaced this PR with #1082 (master) and #1083 (selenium-4-alpha).

srguglielmo closed this

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet