
Fix security issue by avoiding running container as root in Dockerfile #92

Merged (8 commits) on May 21, 2024

Conversation

nataliagranato (Contributor)

This pull request addresses a security issue in the Dockerfile where the container was being run as the root user. Running containers as root can expose the system to vulnerabilities, and avoiding it is considered a security best practice.

Changes Made

  • Modified the Dockerfile to create and use a non-root user.

Rationale

Running containers as root can be dangerous because, if the container is compromised, the attacker would have root privileges on the host. Switching to a non-root user helps mitigate risks and follows best practices for container security.

Testing

Manual verification that the container starts correctly and the application functions as expected with the new user.

Additional Notes

Please review the modified files and test the container with the new user. Feedback is appreciated, and I am available to discuss any issues or further improvements.

cc @phsmith

phsmith (Owner) commented May 16, 2024

Hey @nataliagranato, thanks for the PR.

Actually, we can't change the Dockerfile like that because it's the basis for building and deploying new versions to Docker Hub and Github Packages.

But, I totally agree with you about running it as a regular user instead of root, so my suggestions are:

  1. Rollback the Dockerfile to the original version.
  2. Edit the Dockerfile again and just add the user rundeck to it.
  3. Push the changes.
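The suggestion above (keep the original Dockerfile and add the rundeck user) can be verified mechanically before an image is published. The following Python script is an added example, not code from this PR or the project: it lints a Dockerfile's final build stage for an effective root user, handling line continuations, multi-stage builds and numeric uids. The sample Dockerfiles, the base image name and the useradd step are constructed placeholders, not the project's real Dockerfile.

```python
"""Lint a Dockerfile for the effective user of its final stage: a container
starts as root when the last stage has no USER, or its last USER is root/uid 0."""
import re

ROOT_NAMES = {"root", "0"}

def final_stage_lines(dockerfile: str) -> list[str]:
    """Instructions after the last FROM, with continuations joined and comments dropped."""
    joined = re.sub(r"\\\s*\n", " ", dockerfile)
    lines = [ln.strip() for ln in joined.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    last_from = max((i for i, ln in enumerate(lines) if ln.upper().startswith("FROM ")), default=-1)
    return lines[last_from + 1:]

def effective_user(dockerfile: str) -> str:
    """User the container will run as; 'root' when no USER instruction is present."""
    user = "root"
    for line in final_stage_lines(dockerfile):
        parts = line.split(None, 1)
        if parts[0].upper() == "USER" and len(parts) == 2:
            user = parts[1].strip()   # a later USER overrides an earlier one
    return user

def runs_as_root(dockerfile: str) -> bool:
    """True when the effective user is root by name or uid 0 ('USER 0:0' included)."""
    return effective_user(dockerfile).split(":")[0] in ROOT_NAMES

# Constructed samples, not the project's Dockerfile: 'before' has no USER
# (runs as root); 'after' adds the rundeck user as suggested in the thread.
BEFORE = """\
FROM example-base:1.0
RUN apt-get update && \\
    apt-get install -y curl
ENTRYPOINT ["/entrypoint.sh"]
"""
AFTER = """\
FROM example-base:1.0
RUN useradd --system --no-create-home rundeck
USER rundeck
ENTRYPOINT ["/entrypoint.sh"]
"""
# Multi-stage edge case: a USER set in the builder stage does not carry over.
MULTI = """\
FROM example-base:1.0 AS builder
USER rundeck
RUN make
FROM example-base:1.0
COPY --from=builder /out /app
ENTRYPOINT ["/app/run"]
"""
```

Run `runs_as_root(open("Dockerfile").read())` against the real file; a `True` result means the published image would still start as root.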

nataliagranato (Contributor, Author)

> Hey @nataliagranato, thanks for the PR.
>
> Actually, we can't change the Dockerfile like that because it's the basis for building and deploying new versions to Docker Hub and Github Packages.
>
> But, I totally agree with you about running it as a regular user instead of root, so my suggestions are:
>
>   1. Rollback the Dockerfile to the original version.
>   2. Edit the Dockerfile again and just add the user rundeck to it.
>   3. Push the changes.

I returned to the previous Dockerfile, adding the user. Check if it is correct.

I had tested this way, but the application didn't work, so I chose this path.

phsmith (Owner) left a comment

Looks good now.

phsmith merged commit d5f3c47 into phsmith:main on May 21, 2024
2 participants