Invalid user specified in Dockerfile

[stigok]

Why is the user and group set to 2000? I can't see it being defined anywhere, so to me it is magic, and the user is non-existent within the container. Could it be set to 65534 (nobody) instead? Either way, it would be helpful with a comment as to why a specific user is chosen.

oauth2-proxy/Dockerfile

Line 31 in 842d764

USER 2000:2000

[steakunderscore]

The UID & GID simply need to be any non-existant or non-privileged user. 65534 would be more obvious as to the intent. Did you want to open a PR for this?

[JoelSpeed]

As I see it, it's fine as it is. As @steakunderscore has said, the user doesn't need to actually exist for the container to run as a particular UID & GID.

If we do make this change, then it would have to be noted as a breaking change

[stigok]

I think it's misleading to use 2000. A different way to go about it is to actually define the user, but that will add an additional image layer.

@JoelSpeed in what way do you think its breaking?

[steakunderscore]

We should avoid adding the user: #142

[JoelSpeed]

Why does this come across as misleading? Could you elaborate on that point a bit?

I would expect normally that it shouldn't really matter which user is in the file as people shouldn't be doing anything in the containers that we are producing? It's common for applications running in containers to run as non-existent users and this is even settable at runtime by the container runtime.

Did having it as 2000 cause you some issue? I didn't see this mentioned

[stigok]

We came across it when we were setting up a securityContext for this image in Kubernetes and wanted to specify a UID to whitelist. I looked up what user this image was using by default to make it consistent.

@JoelSpeed I find 2000 to be misleading because the number hints to this being a special user. When I look around the repo for 2000, I find nothing special, hence I found it odd. I am open to this being my subjective opinion.

However, when doing some more research on the nobody user, I found some comments advising against using the nobody user for unprivileged daemons, which makes sense.

• https://wiki.ubuntu.com/nobody
• https://askubuntu.com/questions/329714/what-is-the-purpose-of-the-nobody-user

I now, instead, propose creating a dedicated system user, e.g. oath2-proxy

[steakunderscore]

Thanks for the reference about nobody. Given this I think we should not change anything.

oauth2-proxy is fine with running with no extra privileges. So using an unprivileged user is appropriate. I don't see any benefit to adding a RUN command in the Dockerfile, but I know it's had issues before. So setting the user like we are is correct. As Joel points out, it's also a common practice.

For your securityContext you can use any valid UID/GID, but unless you have a need, I would reccommend using runAsUser: 2000. The set runAsUser will override the USER 2000:2000 line in the Dockerfile. Since k8s doesn't support UID namepsace remapping the only thing that you need to be careful of is that you should avoid using the same UID as a valid user on your nodes. For oauth2-proxy, setting 2000 is both valid, but also a good bet that it's not a real user on a k8s node. On docker this is not so important as UID namespace remapping is implemented to take care of this.

[stigok]

Ok. Thanks for a healthy discussion :) How about mentioning the choice of UID/GID in the documentation somewhere?

[JoelSpeed]

We should definitely aim to improve the docs around this and have it explained somewhere