container user 10001 is group root.

[0x6f677548]

(originally reported at open-telemetry/opentelemetry-collector-contrib#35179)

All distributions are running the container as user 10001, but no group was assigned, meaning that this user will be assigned root group.

Actual config:

ARG USER_UID=10001
USER ${USER_UID}:${USER_GID}

My suggestion of fix:

ARG USER_UID=10001
ARG USER_GID=10001
USER ${USER_UID}:${USER_GID}

As pointed by @rogercoll, based on dockerfile documentation:

When the user doesn't have a primary group then the image (or the next instructions) will be run with the root group.

security best-practices:

Consider an explicit UID/GID.
Users and groups in an image are assigned a non-deterministic UID/GID in that the "next" UID/GID is assigned regardless of image rebuilds. So, if it’s critical, you should assign an explicit UID/GID.

This can be reproduced by shelling "id" on a modified image:

~ $ id
uid=10001 gid=0 groups=0

Modified docker image to include a shell and "id":

FROM alpine:latest AS builder

# Install a statically linked shell and the necessary binaries
RUN apk add --no-cache busybox-static
RUN apk add --no-cache coreutils acl attr

FROM otel/opentelemetry-collector-contrib:latest AS prep

FROM scratch

# Copy the shell executable from the builder stage
COPY --from=builder /bin/busybox.static /bin/sh
# Copy id binary from the builder stage
COPY --from=builder /usr/bin/id /bin/id

# Copy required shared libraries
COPY --from=builder /lib/ld-musl-x86_64.so.1 /lib/ld-musl-x86_64.so.1
COPY --from=builder /lib/libc.musl-x86_64.so.1 /lib/libc.musl-x86_64.so.1
COPY --from=builder /lib/libcrypto.so.3 /lib/
COPY --from=builder /lib/libacl.so.1 /lib/
COPY --from=builder /lib/libattr.so.1 /lib/
COPY --from=builder /lib/libutmps.so.0.1 /lib/
COPY --from=builder /lib/libskarnet.so.2.14 /lib/
COPY --from=builder /lib/libutmps.so.0.1 /lib/

COPY --from=prep /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
COPY --from=prep otelcol-contrib /otelcol-contrib

ARG USER_UID=10001
USER ${USER_UID}



# copy the config file to the /etc folder
COPY otel_collector.config.yaml /etc/otel_collector.config.yaml

EXPOSE 4317 55680 55679
ENTRYPOINT ["/otelcol-contrib"]
CMD ["--config", "/etc/otel_collector.config.yaml"]

Let me know if I can help somehow.

[dosubot]

@0x6f677548 Howdy! I'm here to assist with any bugs, questions, or contributions you have. Let's squash those bugs together!

To address the issue of the OpenTelemetry Collector Contrib Docker image running as user 10001 without an assigned group, resulting in it being part of the root group, you can modify the Dockerfile to explicitly set both the user ID and group ID. Here is the suggested fix:

ARG USER_UID=10001
ARG USER_GID=10001

# Create a non-root user and group with specific IDs
RUN groupadd -g ${USER_GID} otelcol-contrib && \
    useradd -r -u ${USER_UID} -g otelcol-contrib otelcol-contrib

# Set the user and group to the non-root user
USER ${USER_UID}:${USER_GID}

# Copy the necessary files and set the entrypoint
COPY --chown=${USER_UID}:${USER_GID} . /etc/otelcol-contrib/
ENTRYPOINT ["/otelcol-contrib"]
CMD ["--config", "/etc/otelcol-contrib/otelcol-contrib.conf"]

In this Dockerfile:

• The groupadd command creates a new group otelcol-contrib with the group ID ${USER_GID}.
• The useradd command creates a new user otelcol-contrib with the user ID ${USER_UID} and assigns it to the otelcol-contrib group.
• The USER instruction sets the user and group for subsequent instructions and the container runtime.

This ensures that the OpenTelemetry Collector Contrib runs with the specified non-root user and group, mitigating security risks associated with running as root ^[1].

To continue talking to Dosu, mention @dosu.

[0x6f677548]

@dosu you're almost there. You can't run groupadd and useradd on that scratch image. But good work...

[dosubot]

To address the issue without using groupadd and useradd commands, you can create the user and group in a multi-stage build. Here's the updated Dockerfile:

# Use a base image with necessary tools to create the scratch image
FROM busybox as builder

# Create a non-root user and group with specific IDs
ARG USER_UID=10001
ARG USER_GID=10001
RUN addgroup -g ${USER_GID} -S otelcol-contrib && \
    adduser -S -u ${USER_UID} -G otelcol-contrib otelcol-contrib

# Copy the OpenTelemetry Collector Contrib binary
COPY --from=opentelemetry/opentelemetry-collector-contrib:latest /otelcol-contrib /usr/bin/otelcol-contrib

# Create necessary directories and set permissions
RUN mkdir -p /etc/otelcol-contrib && \
    chown -R otelcol-contrib:otelcol-contrib /etc/otelcol-contrib

# Use scratch as the base image
FROM scratch

# Copy the non-root user and group from the builder
COPY --from=builder /etc/passwd /etc/passwd
COPY --from=builder /etc/group /etc/group

# Copy the OpenTelemetry Collector Contrib binary and configuration
COPY --from=builder /usr/bin/otelcol-contrib /usr/bin/otelcol-contrib
COPY --from=builder /etc/otelcol-contrib /etc/otelcol-contrib

# Set the user to the non-root user
USER ${USER_UID}:${USER_GID}

# Set the entrypoint to the OpenTelemetry Collector Contrib binary
ENTRYPOINT ["/usr/bin/otelcol-contrib"]
CMD ["--config", "/etc/otelcol-contrib/otelcol-contrib.conf"]

This Dockerfile ensures that the OpenTelemetry Collector Contrib runs as the non-root user otelcol-contrib with the specified UID and GID in a scratch-based Docker image.

To continue talking to Dosu, mention @dosu.

[jpkrohling]

ARG USER_UID=10001
ARG USER_GID=10001
USER ${USER_UID}:${USER_GID}

LGTM!

[0x6f677548]

Alternative steps to reproduce:

Dockerfile:

FROM otel/opentelemetry-collector:latest
COPY otel_collector.config.yaml /etc/otel_collector.config.yaml

run on docker host (in my case, wsl2 docker-desktop )

# ps -o user,group,pid,comm | grep "otelcol"
10001    root     12174 otelcol