Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Docker build target for container that doesn't run as root #174

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Add Docker build target for container that doesn't run as root #174

wants to merge 3 commits into from

Conversation

stonemelody
Copy link
Contributor

#163

Add a Dockerfile target no-root that will run chia blockchain binary as user/group chia:chia and does not have sudo installed. Final target in the Dockerfile allows building a container that runs as root and has sudo. People building the container can set the UID/GID that chia:chia will map to at build time. End users running the container must ensure that permissions work out properly for mounted directories in the chia:chia user/group if they are using the non-root container. This means either matching chia:chia's UID/GID with the host system user's UID/GID or modifying directory permissions on the host to allow read/writes by others (writes may be required for storing config files in a host-mounted directory)

New no-root version with UID/GID matching the current user can be built with docker build -t <tags> --build-arg UID=$(id -u) --build-arg GID=$(id -g) --build-arg BRANCH=<target version> --target no-root -f Dockerfile .

@stonemelody
Create non-root build target
44ed081 
Running `docker build --target no-root` will build a container image
without sudo and as the user/group `chia`. UID and GID can be adjusted
with the UID and GID build-arg parameters.

Gotchas:
  * if volumes are mounted in the container, they must have open read/write
    permissions if the host uid:gid for them is different than the
    container's or the must have the same uid:gid as the container
  * if the volumes are mounted but the intervening directories in the
    mount path inside the container do not exist, docker will create those
    directories as root:root by default, this will break permissions
@stonemelody
Make default plot dir available to non-root
c4db38f
@stonemelody
Minimize layers created by file copies
e6c3e4c
@stonemelody
Copy link
Contributor Author

the lint errors reported are not caused directly by this PR, but older code that may have existed before the linters were enabled

@github-actions
Copy link

'This PR has been flagged as stale due to no activity for over 60
days. It will not be automatically closed, but it has been given
a stale-pr label and should be manually reviewed.'

meebey
meebey reviewed Mar 3, 2024
View reviewed changes
Copy link

@meebey meebey left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM to address the security issues of #163

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@meebey meebey meebey left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
stale-pr
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@stonemelody @meebey