-
Notifications
You must be signed in to change notification settings - Fork 165
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
container user 10001 is group root. #662
Comments
@0x6f677548 Howdy! I'm here to assist with any bugs, questions, or contributions you have. Let's squash those bugs together! To address the issue of the OpenTelemetry Collector Contrib Docker image running as user 10001 without an assigned group, resulting in it being part of the root group, you can modify the Dockerfile to explicitly set both the user ID and group ID. Here is the suggested fix: ARG USER_UID=10001
ARG USER_GID=10001
# Create a non-root user and group with specific IDs
RUN groupadd -g ${USER_GID} otelcol-contrib && \
useradd -r -u ${USER_UID} -g otelcol-contrib otelcol-contrib
# Set the user and group to the non-root user
USER ${USER_UID}:${USER_GID}
# Copy the necessary files and set the entrypoint
COPY --chown=${USER_UID}:${USER_GID} . /etc/otelcol-contrib/
ENTRYPOINT ["/otelcol-contrib"]
CMD ["--config", "/etc/otelcol-contrib/otelcol-contrib.conf"] In this Dockerfile:
This ensures that the OpenTelemetry Collector Contrib runs with the specified non-root user and group, mitigating security risks associated with running as root [1]. |
@dosu you're almost there. You can't run groupadd and useradd on that scratch image. But good work... |
To address the issue without using # Use a base image with necessary tools to create the scratch image
FROM busybox as builder
# Create a non-root user and group with specific IDs
ARG USER_UID=10001
ARG USER_GID=10001
RUN addgroup -g ${USER_GID} -S otelcol-contrib && \
adduser -S -u ${USER_UID} -G otelcol-contrib otelcol-contrib
# Copy the OpenTelemetry Collector Contrib binary
COPY --from=opentelemetry/opentelemetry-collector-contrib:latest /otelcol-contrib /usr/bin/otelcol-contrib
# Create necessary directories and set permissions
RUN mkdir -p /etc/otelcol-contrib && \
chown -R otelcol-contrib:otelcol-contrib /etc/otelcol-contrib
# Use scratch as the base image
FROM scratch
# Copy the non-root user and group from the builder
COPY --from=builder /etc/passwd /etc/passwd
COPY --from=builder /etc/group /etc/group
# Copy the OpenTelemetry Collector Contrib binary and configuration
COPY --from=builder /usr/bin/otelcol-contrib /usr/bin/otelcol-contrib
COPY --from=builder /etc/otelcol-contrib /etc/otelcol-contrib
# Set the user to the non-root user
USER ${USER_UID}:${USER_GID}
# Set the entrypoint to the OpenTelemetry Collector Contrib binary
ENTRYPOINT ["/usr/bin/otelcol-contrib"]
CMD ["--config", "/etc/otelcol-contrib/otelcol-contrib.conf"] This Dockerfile ensures that the OpenTelemetry Collector Contrib runs as the non-root user |
LGTM! |
Alternative steps to reproduce: Dockerfile:
run on docker host (in my case, wsl2 docker-desktop )
|
OK, who can open a PR? @0x6f677548 would you like to provide a patch? |
(originally reported at open-telemetry/opentelemetry-collector-contrib#35179)
All distributions are running the container as user 10001, but no group was assigned, meaning that this user will be assigned root group.
Actual config:
My suggestion of fix:
As pointed by @rogercoll, based on dockerfile documentation:
security best-practices:
This can be reproduced by shelling "id" on a modified image:
Modified docker image to include a shell and "id":
Let me know if I can help somehow.
The text was updated successfully, but these errors were encountered: