Merge pull request #6529 from hashicorp/update_docker_user

Run Boundary containers as non-root user
2 months ago · 049186ea91
parent 5347d17c24 7e6d56051f
commit 049186ea91
2 changed files with 29 additions and 10 deletions
--- a/.release/docker/docker-entrypoint.sh
+++ b/.release/docker/docker-entrypoint.sh
@ -30,25 +30,38 @@ fi

 # If we are running Boundary, make sure it executes as the proper user.
 if [ "$1" = 'boundary' ]; then
+	is_root=0
+	if [ "$(id -u)" = '0' ]; then
+		is_root=1
+	fi
+
    if [ -z "$SKIP_CHOWN" ]; then
-        # If the config dir is bind mounted then chown it
-        if [ "$(stat -c %u /boundary)" != "$(id -u boundary)" ]; then
-            chown -R boundary:boundary /boundary || echo "Could not chown /boundary (may not have appropriate permissions)"
+        if [ "$is_root" = '1' ]; then
+            # If the config dir is bind mounted then chown it
+            if [ "$(stat -c %u /boundary)" != "$(id -u boundary)" ]; then
+                chown -R boundary:boundary /boundary || echo "Could not chown /boundary (may not have appropriate permissions)"
+            fi
+        else
+            >&2 echo "SKIP_CHOWN not set but running non-root; skipping chown /boundary"
        fi
    fi

    if [ -z "$SKIP_SETCAP" ]; then
-        # Allow mlock to avoid swapping Boundary memory to disk
-        setcap cap_ipc_lock=+ep $(readlink -f $(which boundary))
+        if [ "$is_root" = '1' ]; then
+            # Allow mlock to avoid swapping Boundary memory to disk
+            setcap cap_ipc_lock=+ep $(readlink -f $(which boundary))

-        # In the case Boundary has been started in a container without IPC_LOCK privileges
-        if ! boundary -version 1>/dev/null 2>/dev/null; then
-            >&2 echo "Couldn't start Boundary with IPC_LOCK. Disabling IPC_LOCK, please use --privileged or --cap-add IPC_LOCK"
-            setcap cap_ipc_lock=-ep $(readlink -f $(which boundary))
+            # In the case Boundary has been started in a container without IPC_LOCK privileges
+            if ! boundary -version 1>/dev/null 2>/dev/null; then
+                >&2 echo "Couldn't start Boundary with IPC_LOCK. Disabling IPC_LOCK, please use --privileged or --cap-add IPC_LOCK"
+                setcap cap_ipc_lock=-ep $(readlink -f $(which boundary))
+            fi
+        else
+            >&2 echo "SKIP_SETCAP not set but running non-root; skipping setcap"
        fi
    fi

-    if [ "$(id -u)" = '0' ]; then
+    if [ "$is_root" = '1' ]; then
      set -- su-exec boundary "$@"
    fi
 fi
--- a/6
+++ b/6
@ -22,6 +22,7 @@ RUN set -eux && \
    apk add --no-cache wget ca-certificates dumb-init gnupg libcap openssl su-exec iputils libc6-compat iptables

 ADD bin/boundary /bin/boundary
+RUN setcap cap_ipc_lock=+ep /bin/boundary

 RUN mkdir /boundary/
 ADD .release/docker/config.hcl /boundary/config.hcl
@ -36,6 +37,7 @@ LABEL org.opencontainers.image.licenses="BUSL-1.1"
 COPY .release/docker/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
 COPY bin/LICENSE.txt /usr/share/doc/boundary/LICENSE.txt

+USER boundary
 ENTRYPOINT ["docker-entrypoint.sh"]
 CMD ["server", "-config", "/boundary/config.hcl"]

@ -75,6 +77,7 @@ RUN set -eux && \
    grep boundary_${PRODUCT_VERSION}_linux_${boundaryArch}.zip boundary_${PRODUCT_VERSION}_SHA256SUMS | sha256sum -c && \
    unzip -d /bin boundary_${PRODUCT_VERSION}_linux_${boundaryArch}.zip && \
    rm boundary_${PRODUCT_VERSION}_linux_${boundaryArch}.zip boundary_${PRODUCT_VERSION}_SHA256SUMS boundary_${PRODUCT_VERSION}_SHA256SUMS.sig && \
+    setcap cap_ipc_lock=+ep /bin/boundary && \
    cp /bin/LICENSE.txt /usr/share/doc/boundary/LICENSE.txt && \
    mkdir /boundary

@ -88,6 +91,7 @@ VOLUME /boundary/

 COPY .release/docker/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh

+USER boundary
 ENTRYPOINT ["docker-entrypoint.sh"]
 CMD ["server", "-config", "/boundary/config.hcl"]

@ -126,6 +130,7 @@ COPY .release/docker/config.hcl /boundary/config.hcl

 COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /bin/
 COPY dist/$TARGETOS/$TARGETARCH/LICENSE.txt /usr/share/doc/boundary/LICENSE.txt
+RUN setcap cap_ipc_lock=+ep /bin/$BIN_NAME

 RUN chown -R ${NAME}:${NAME} /boundary
 RUN chmod -R 640 /boundary/*
@ -135,5 +140,6 @@ VOLUME /boundary/

 COPY .release/docker/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh

+USER ${NAME}
 ENTRYPOINT ["docker-entrypoint.sh"]
 CMD ["server", "-config", "/boundary/config.hcl"]