[SERVER-71646] Docker container should be non-root if possible Created: 28/Nov/22  Updated: 29/Oct/23  Resolved: 20/Dec/22

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 6.3.0-rc0

Type: Improvement Priority: Major - P3
Reporter: Ryan Egesdahl (Inactive) Assignee: Ryan Egesdahl (Inactive)
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
Backwards Compatibility: Minor Change
Participants:
Linked BF Score: 35

 Description   

We currently call the entrypoint script with gosu/sudo so we can do some first-run commands. However, it would be much better for our customers in high-security environments if we could make the container run entirely non-root. This will require pulling all the setup commands out of the entrypoint script and into Dockerfile and setting an explicit USER directive. If it's not possible to be completely non-root, we need to restrict root access as much as possible.



 Comments   
Comment by Alex Neben [ 20/Dec/22 ]

Wait I think I may be confusing this with another PR. Same question still applies though. Also, why was this ticket reopened?

Comment by Alex Neben [ 20/Dec/22 ]

Was this functionality of the original docker container? Before this merges can we get some input from say someone on product (CC alex.ettouati@mongodb.com ) if this is an ok API change to make.

CC iryna.zhuravlova@mongodb.com fyi

Comment by Ryan Egesdahl (Inactive) [ 16/Dec/22 ]

There is a small change here that means users will no longer be able to change the user/group ids at container runtime by passing HOST_UID/HOST_GID, which would sometimes be useful for making transfers to and from the container easier. These can instead be passed as build args at container build time if they are desired. At runtime, users can pass --user to docker run for the same effect.

Generated at Thu Feb 08 06:19:36 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.