Use non-privileged scratch for production Docker images #4211
Merged
rumyantseva merged 4 commits into FerretDB:main from rumyantseva:non-priveleged-container on Mar 26, 2024
Conversation
rumyantseva added the `not ready` label (Issues that are not ready to be worked on; PRs that should skip CI) on Mar 26, 2024
rumyantseva changed the title from "Use a non-privileged user to run FerretDB in a Docker container" to "Use a non-privileged user to run FerretDB (production docker image)" on Mar 26, 2024
rumyantseva added the `code/chore` label (Code maintenance improvements) and removed the `not ready` label (Issues that are not ready to be worked on; PRs that should skip CI) on Mar 26, 2024
Codecov Report: all modified and coverable lines are covered by tests ✅
Additional details and impacted files:
@@ Coverage Diff @@
##             main    #4211      +/-   ##
==========================================
- Coverage   75.14%   74.66%   -0.48%
==========================================
  Files         339      339
  Lines       22910    22910
==========================================
- Hits        17215    17106     -109
- Misses       4388     4483      +95
- Partials     1307     1321      +14
(see 23 files with indirect coverage changes)
Flags with carried forward coverage won't be shown.
rumyantseva commented on Mar 26, 2024
AlekSi added the `trust` label (PRs that can access Actions secrets) and the `packages` label (PRs that should build packages) on Mar 26, 2024
rumyantseva requested review from a team, henvic, chilagrow, noisersup and AlekSi on March 26, 2024 09:28
AlekSi reviewed on Mar 26, 2024
AlekSi changed the title from "Use a non-privileged user to run FerretDB (production docker image)" to "Use non-privileged scratch for production Docker images" on Mar 26, 2024
AlekSi reviewed on Mar 26, 2024
AlekSi approved these changes on Mar 26, 2024
henvic approved these changes on Mar 26, 2024
Labels: `code/chore` (Code maintenance improvements), `packages` (PRs that should build packages), `trust` (PRs that can access Actions secrets)
Fun fact: surprisingly, I found the answer in the only book about Docker I own 😄
Description

In this change, in the Dockerfile the `state` dir is created explicitly, and in the final stage its ownership is assigned to the necessary user through the `--chown` flag. This explicitly sets ownership, and even if a Docker container would be run with an anonymous volume (e.g. through `docker run` without setting `-v` or `--mount`), the `ferretdb` user will have the necessary permission. In case a volume is specified when starting the container, the specified volume will be used. E.g. something like

    docker run -v ./state:/state my-ferretdb-image

would work without having those `mkdir` and `COPY`.

Closes #3992.
Readiness checklist

`task all`, and it passed.
@FerretDB/core), Milestone (Next), Labels, Project and project's Sprint fields.