container user 10001 is part of root group?

[0x6f677548]

Component(s)

cmd/otelcontribcol

Describe the issue you're reporting

dockerfile

It seems to me that the container is running with a user 10001 part of the 0 (root) group.

I suggest something like:

ARG USER_UID=10001
ARG USER_GID=10001
USER ${USER_UID}:${USER_GID}

Am I missing something?

[rogercoll]

Nice catch! Do you know how we could verify the GID of the user from that image? (Being based on scratch makes debugging hard)

But based on dockerfile documentation:

When the user doesn't have a primary group then the image (or the next instructions) will be run with the root group.

And if we want to follow security best-practices:

Consider an explicit UID/GID.
Users and groups in an image are assigned a non-deterministic UID/GID in that the "next" UID/GID is assigned regardless of image rebuilds. So, if it’s critical, you should assign an explicit UID/GID.

We should also bring your suggestion to the repository used to publicly release the images https://github.com/open-telemetry/opentelemetry-collector-releases

[0x6f677548]

Yes, it is running as group 0. Just confirmed by running id inside the container shell:

~ $ id
uid=10001 gid=0 groups=0

One could use an alpine image to debug it, but if you want to confirm it on a scratch, here's my suggestion:

FROM alpine:latest AS builder

# Install a statically linked shell and the necessary binaries
RUN apk add --no-cache busybox-static
RUN apk add --no-cache coreutils acl attr

FROM otel/opentelemetry-collector-contrib:latest AS prep

FROM scratch

# Copy the shell executable from the builder stage
COPY --from=builder /bin/busybox.static /bin/sh
# Copy id binary from the builder stage
COPY --from=builder /usr/bin/id /bin/id

# Copy required shared libraries
COPY --from=builder /lib/ld-musl-x86_64.so.1 /lib/ld-musl-x86_64.so.1
COPY --from=builder /lib/libc.musl-x86_64.so.1 /lib/libc.musl-x86_64.so.1
COPY --from=builder /lib/libcrypto.so.3 /lib/
COPY --from=builder /lib/libacl.so.1 /lib/
COPY --from=builder /lib/libattr.so.1 /lib/
COPY --from=builder /lib/libutmps.so.0.1 /lib/
COPY --from=builder /lib/libskarnet.so.2.14 /lib/
COPY --from=builder /lib/libutmps.so.0.1 /lib/

COPY --from=prep /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
COPY --from=prep otelcol-contrib /otelcol-contrib

ARG USER_UID=10001
USER ${USER_UID}



# copy the config file to the /etc folder
COPY otel_collector.config.yaml /etc/otel_collector.config.yaml

EXPOSE 4317 55680 55679
ENTRYPOINT ["/otelcol-contrib"]
CMD ["--config", "/etc/otel_collector.config.yaml"]

Let me know if I can help somehow.

[0x6f677548]

We should also bring your suggestion to the repository used to publicly release the images https://github.com/open-telemetry/opentelemetry-collector-releases

missed this comment. Sure - I'll create the issue over there also. thanks

[0x6f677548]

Alternative steps to reproduce:
open-telemetry/opentelemetry-collector-releases#662 (comment)

[ChrsMark]

@open-telemetry/collector-contrib-maintainers this looks like a valid suggestion and should be changed along with open-telemetry/opentelemetry-collector-releases#662.