
Use non-privileged scratch for production Docker images #4211

Merged
merged 4 commits into from Mar 26, 2024

Conversation

rumyantseva
Member

@rumyantseva rumyantseva commented Mar 26, 2024

Fun fact: surprisingly, I found the answer in the only book about Docker I own 😄

Description

In this change, the state dir is created explicitly in the Dockerfile, and in the final stage its ownership is assigned to the necessary user through the --chown flag. This explicitly sets ownership, so even if a Docker container is run with an anonymous volume (e.g. through docker run without setting -v or --mount), the ferretdb user will have the necessary permissions.

In case a volume is specified when starting the container, the specified volume will be used.
E.g. something like docker run -v ./state:/state my-ferretdb-image would work without those mkdir and COPY steps.

Closes #3992.

Readiness checklist

  • I added/updated unit tests (and they pass).
  • I added/updated integration/compatibility tests (and they pass).
  • I added/updated comments and checked rendering.
  • I made spot refactorings.
  • I updated user documentation.
  • I ran task all, and it passed.
  • I ensured that PR title is good enough for the changelog.
  • (for maintainers only) I set Reviewers (@FerretDB/core), Milestone (Next), Labels, Project and project's Sprint fields.
  • I marked all done items in this checklist.
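The pattern the description refers to, as an added illustration rather than the project's actual build/ferretdb/production.Dockerfile: a multi-stage build whose final stage is scratch, with the state directory created in the builder and copied in with --chown so that an anonymous volume created for it inherits ownership the non-root user can use. The binary path /out/ferretdb, the package path ./cmd/ferretdb, the builder image tag and the uid/gid 1000 are assumptions for the example.

```dockerfile
# Added example, not FerretDB's own Dockerfile. Assumptions: the binary builds
# from ./cmd/ferretdb, the state directory is /state, and uid/gid 1000 is the
# ferretdb user (placeholder values chosen for this illustration).

FROM golang:1.22 AS build
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build -o /out/ferretdb ./cmd/ferretdb

# scratch ships no /etc/passwd or /etc/group, so build minimal ones here to let
# `USER ferretdb` resolve by name. Also create the state dir in this stage so
# it can be copied into the final image with the right owner.
RUN echo 'ferretdb:x:1000:1000:ferretdb:/:/sbin/nologin' > /out/passwd \
 && echo 'ferretdb:x:1000:' > /out/group \
 && mkdir -p /out/state

FROM scratch
COPY --from=build /out/passwd /etc/passwd
COPY --from=build /out/group  /etc/group
COPY --from=build /out/ferretdb /ferretdb

# Ownership is baked into the image layer. When Docker creates an anonymous
# volume for /state (docker run without -v/--mount), it seeds the volume from
# the image directory, including its owner, so uid 1000 can write to it.
# Numeric ids are used so the COPY does not depend on name lookup in scratch.
COPY --from=build --chown=1000:1000 /out/state /state

# Drop privileges for the running process; nothing in this image runs as root.
USER ferretdb:ferretdb
VOLUME /state
ENTRYPOINT ["/ferretdb"]
```

With a bind mount such as -v ./state:/state the directory comes from the host and keeps the host's ownership, so the host directory must be writable by uid 1000 (or whatever id the image uses) for the process to start cleanly.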

@rumyantseva rumyantseva added the not ready Issues that are not ready to be worked on; PRs that should skip CI label Mar 26, 2024
@rumyantseva rumyantseva self-assigned this Mar 26, 2024
@rumyantseva rumyantseva changed the title Use a non-privileged user to run FerretDB in a Docker container Use a non-privileged user to run FerretDB (production docker image) Mar 26, 2024
@rumyantseva rumyantseva added code/chore Code maintenance improvements and removed not ready Issues that are not ready to be worked on; PRs that should skip CI labels Mar 26, 2024
@rumyantseva rumyantseva added this to the Next milestone Mar 26, 2024

codecov bot commented Mar 26, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 74.66%. Comparing base (407fbb8) to head (a464e53).

Additional details and impacted files


@@            Coverage Diff             @@
##             main    #4211      +/-   ##
==========================================
- Coverage   75.14%   74.66%   -0.48%     
==========================================
  Files         339      339              
  Lines       22910    22910              
==========================================
- Hits        17215    17106     -109     
- Misses       4388     4483      +95     
- Partials     1307     1321      +14     

see 23 files with indirect coverage changes

Flag Coverage Δ
filter-false ?
filter-true 68.16% <ø> (-0.73%) ⬇️
hana-1 13.91% <ø> (ø)
integration 68.16% <ø> (-0.80%) ⬇️
mongodb-1 5.13% <ø> (-0.01%) ⬇️
mysql-1 ?
mysql-2 ?
mysql-3 ?
postgresql-1 46.51% <ø> (-0.12%) ⬇️
postgresql-2 49.54% <ø> (-0.18%) ⬇️
postgresql-3 49.81% <ø> (-0.13%) ⬇️
sqlite-1 45.66% <ø> (-0.17%) ⬇️
sqlite-2 48.80% <ø> (-0.08%) ⬇️
sqlite-3 48.97% <ø> (-0.13%) ⬇️
unit 32.69% <ø> (ø)

Flags with carried forward coverage won't be shown.

@AlekSi AlekSi added trust PRs that can access Actions secrets packages PRs that should build packages labels Mar 26, 2024
@rumyantseva rumyantseva marked this pull request as ready for review March 26, 2024 09:28
@rumyantseva rumyantseva enabled auto-merge (squash) March 26, 2024 09:28
build/ferretdb/production.Dockerfile (review thread, outdated, resolved)
build/ferretdb/production.Dockerfile (review thread, outdated, resolved)
@rumyantseva rumyantseva requested a review from AlekSi March 26, 2024 09:58
@AlekSi AlekSi changed the title Use a non-privileged user to run FerretDB (production docker image) Use non-privileged scratch for production Docker images Mar 26, 2024
@rumyantseva rumyantseva merged commit 8b1adb0 into FerretDB:main Mar 26, 2024
26 of 28 checks passed
@rumyantseva rumyantseva deleted the non-priveleged-container branch March 26, 2024 11:02