Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

container user 10001 is group root. #662

Open
0x6f677548 opened this issue Sep 16, 2024 · 6 comments · May be fixed by #738
Open

container user 10001 is group root. #662

0x6f677548 opened this issue Sep 16, 2024 · 6 comments · May be fixed by #738
Labels
area:security Security and integrity issues artifact:docker

Comments

@0x6f677548
Copy link

(originally reported at open-telemetry/opentelemetry-collector-contrib#35179)

All distributions are running the container as user 10001, but no group was assigned, meaning that this user will be assigned root group.

Actual config:

ARG USER_UID=10001
USER ${USER_UID}:${USER_GID}

My suggestion of fix:

ARG USER_UID=10001
ARG USER_GID=10001
USER ${USER_UID}:${USER_GID}

As pointed by @rogercoll, based on dockerfile documentation:

When the user doesn't have a primary group then the image (or the next instructions) will be run with the root group.

security best-practices:

Consider an explicit UID/GID.
Users and groups in an image are assigned a non-deterministic UID/GID in that the "next" UID/GID is assigned regardless of image rebuilds. So, if it’s critical, you should assign an explicit UID/GID.

This can be reproduced by shelling "id" on a modified image:


~ $ id
uid=10001 gid=0 groups=0

Modified docker image to include a shell and "id":

FROM alpine:latest AS builder

# Install a statically linked shell and the necessary binaries
RUN apk add --no-cache busybox-static
RUN apk add --no-cache coreutils acl attr

FROM otel/opentelemetry-collector-contrib:latest AS prep

FROM scratch

# Copy the shell executable from the builder stage
COPY --from=builder /bin/busybox.static /bin/sh
# Copy id binary from the builder stage
COPY --from=builder /usr/bin/id /bin/id

# Copy required shared libraries
COPY --from=builder /lib/ld-musl-x86_64.so.1 /lib/ld-musl-x86_64.so.1
COPY --from=builder /lib/libc.musl-x86_64.so.1 /lib/libc.musl-x86_64.so.1
COPY --from=builder /lib/libcrypto.so.3 /lib/
COPY --from=builder /lib/libacl.so.1 /lib/
COPY --from=builder /lib/libattr.so.1 /lib/
COPY --from=builder /lib/libutmps.so.0.1 /lib/
COPY --from=builder /lib/libskarnet.so.2.14 /lib/
COPY --from=builder /lib/libutmps.so.0.1 /lib/

COPY --from=prep /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
COPY --from=prep otelcol-contrib /otelcol-contrib

ARG USER_UID=10001
USER ${USER_UID}



# copy the config file to the /etc folder
COPY otel_collector.config.yaml /etc/otel_collector.config.yaml

EXPOSE 4317 55680 55679
ENTRYPOINT ["/otelcol-contrib"]
CMD ["--config", "/etc/otel_collector.config.yaml"]

Let me know if I can help somehow.

Copy link

dosubot bot commented Sep 16, 2024

@0x6f677548 Howdy! I'm here to assist with any bugs, questions, or contributions you have. Let's squash those bugs together!

To address the issue of the OpenTelemetry Collector Contrib Docker image running as user 10001 without an assigned group, resulting in it being part of the root group, you can modify the Dockerfile to explicitly set both the user ID and group ID. Here is the suggested fix:

ARG USER_UID=10001
ARG USER_GID=10001

# Create a non-root user and group with specific IDs
RUN groupadd -g ${USER_GID} otelcol-contrib && \
    useradd -r -u ${USER_UID} -g otelcol-contrib otelcol-contrib

# Set the user and group to the non-root user
USER ${USER_UID}:${USER_GID}

# Copy the necessary files and set the entrypoint
COPY --chown=${USER_UID}:${USER_GID} . /etc/otelcol-contrib/
ENTRYPOINT ["/otelcol-contrib"]
CMD ["--config", "/etc/otelcol-contrib/otelcol-contrib.conf"]

In this Dockerfile:

  • The groupadd command creates a new group otelcol-contrib with the group ID ${USER_GID}.
  • The useradd command creates a new user otelcol-contrib with the user ID ${USER_UID} and assigns it to the otelcol-contrib group.
  • The USER instruction sets the user and group for subsequent instructions and the container runtime.

This ensures that the OpenTelemetry Collector Contrib runs with the specified non-root user and group, mitigating security risks associated with running as root [1].

To continue talking to Dosu, mention @dosu.

@dosubot dosubot bot added area:security Security and integrity issues artifact:docker labels Sep 16, 2024
@0x6f677548
Copy link
Author

@dosu you're almost there. You can't run groupadd and useradd on that scratch image. But good work...

Copy link

dosubot bot commented Sep 16, 2024

To address the issue without using groupadd and useradd commands, you can create the user and group in a multi-stage build. Here's the updated Dockerfile:

# Use a base image with necessary tools to create the scratch image
FROM busybox as builder

# Create a non-root user and group with specific IDs
ARG USER_UID=10001
ARG USER_GID=10001
RUN addgroup -g ${USER_GID} -S otelcol-contrib && \
    adduser -S -u ${USER_UID} -G otelcol-contrib otelcol-contrib

# Copy the OpenTelemetry Collector Contrib binary
COPY --from=opentelemetry/opentelemetry-collector-contrib:latest /otelcol-contrib /usr/bin/otelcol-contrib

# Create necessary directories and set permissions
RUN mkdir -p /etc/otelcol-contrib && \
    chown -R otelcol-contrib:otelcol-contrib /etc/otelcol-contrib

# Use scratch as the base image
FROM scratch

# Copy the non-root user and group from the builder
COPY --from=builder /etc/passwd /etc/passwd
COPY --from=builder /etc/group /etc/group

# Copy the OpenTelemetry Collector Contrib binary and configuration
COPY --from=builder /usr/bin/otelcol-contrib /usr/bin/otelcol-contrib
COPY --from=builder /etc/otelcol-contrib /etc/otelcol-contrib

# Set the user to the non-root user
USER ${USER_UID}:${USER_GID}

# Set the entrypoint to the OpenTelemetry Collector Contrib binary
ENTRYPOINT ["/usr/bin/otelcol-contrib"]
CMD ["--config", "/etc/otelcol-contrib/otelcol-contrib.conf"]

This Dockerfile ensures that the OpenTelemetry Collector Contrib runs as the non-root user otelcol-contrib with the specified UID and GID in a scratch-based Docker image.

To continue talking to Dosu, mention @dosu.

@jpkrohling
Copy link
Member

ARG USER_UID=10001
ARG USER_GID=10001
USER ${USER_UID}:${USER_GID}

LGTM!

@0x6f677548
Copy link
Author

Alternative steps to reproduce:

Dockerfile:

FROM otel/opentelemetry-collector:latest
COPY otel_collector.config.yaml /etc/otel_collector.config.yaml

run on docker host (in my case, wsl2 docker-desktop )

# ps -o user,group,pid,comm | grep "otelcol"
10001    root     12174 otelcol

@atoulme
Copy link
Contributor

atoulme commented Oct 11, 2024

OK, who can open a PR? @0x6f677548 would you like to provide a patch?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area:security Security and integrity issues artifact:docker
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants