-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
container user 10001 is part of root group? #35179
Comments
Nice catch! Do you know how we could verify the GID of the user from that image? (Being based on scratch makes debugging hard) But based on dockerfile documentation:
And if we want to follow security best-practices:
We should also bring your suggestion to the repository used to publicly release the images https://github.com/open-telemetry/opentelemetry-collector-releases |
Yes, it is running as group 0. Just confirmed by running id inside the container shell:
One could use an alpine image to debug it, but if you want to confirm it on a scratch, here's my suggestion:
Let me know if I can help somehow. |
missed this comment. Sure - I'll create the issue over there also. thanks |
Alternative steps to reproduce: |
@open-telemetry/collector-contrib-maintainers this looks like a valid suggestion and should be changed along with open-telemetry/opentelemetry-collector-releases#662. |
Fixing it in #36170 |
<!--Ex. Fixing a bug - Describe the bug and how this fixes the issue. Ex. Adding a feature - Explain what this achieves.--> #### Description Sets a specific GID for the build container's image. <!-- Issue number (e.g. #1234) or full URL to issue, if applicable. --> #### Link to tracking issue #35179 <!--Describe what testing was performed and which tests were added.--> #### Testing (Manual) ``` $ make docker-otelcontribcol // create a sample config.yaml file $ docker run -v .:/etc/otel/ otelcontribcol $ ps -o user,group,pid,comm -ax | rg otelcontribcol 10001 10001 1903287 otelcontribcol ``` Without the changes: ``` $ ps -o user,group,pid,comm -ax | rg otelcontribcol root root 1940536 otelcontribcol ``` <!--Describe the documentation added.--> #### Documentation <!--Please delete paragraphs that you did not use before submitting.-->
<!--Ex. Fixing a bug - Describe the bug and how this fixes the issue. Ex. Adding a feature - Explain what this achieves.--> #### Description Sets a specific GID for the build container's image. <!-- Issue number (e.g. open-telemetry#1234) or full URL to issue, if applicable. --> #### Link to tracking issue open-telemetry#35179 <!--Describe what testing was performed and which tests were added.--> #### Testing (Manual) ``` $ make docker-otelcontribcol // create a sample config.yaml file $ docker run -v .:/etc/otel/ otelcontribcol $ ps -o user,group,pid,comm -ax | rg otelcontribcol 10001 10001 1903287 otelcontribcol ``` Without the changes: ``` $ ps -o user,group,pid,comm -ax | rg otelcontribcol root root 1940536 otelcontribcol ``` <!--Describe the documentation added.--> #### Documentation <!--Please delete paragraphs that you did not use before submitting.-->
<!--Ex. Fixing a bug - Describe the bug and how this fixes the issue. Ex. Adding a feature - Explain what this achieves.--> #### Description Sets a specific GID for the build container's image. <!-- Issue number (e.g. open-telemetry#1234) or full URL to issue, if applicable. --> #### Link to tracking issue open-telemetry#35179 <!--Describe what testing was performed and which tests were added.--> #### Testing (Manual) ``` $ make docker-otelcontribcol // create a sample config.yaml file $ docker run -v .:/etc/otel/ otelcontribcol $ ps -o user,group,pid,comm -ax | rg otelcontribcol 10001 10001 1903287 otelcontribcol ``` Without the changes: ``` $ ps -o user,group,pid,comm -ax | rg otelcontribcol root root 1940536 otelcontribcol ``` <!--Describe the documentation added.--> #### Documentation <!--Please delete paragraphs that you did not use before submitting.-->
Component(s)
cmd/otelcontribcol
Describe the issue you're reporting
dockerfile
It seems to me that the container is running with a user 10001 part of the 0 (root) group.
I suggest something like:
Am I missing something?
The text was updated successfully, but these errors were encountered: