Allow Docker image use for non-root users #118

Closed
3 tasks done
maxrake opened this issue Sep 2, 2022 · 1 comment · Fixed by #122
Labels
enhancement New feature or request high priority This should be addressed immediately



maxrake commented Sep 2, 2022

Overview

Is your feature request related to a problem? Please describe.
The phylum-ci Docker image is created with a user install of the phylum Python package. The user during image creation is root. This means containers running from that image can't be used to access the phylum-ci and phylum-init script entry points (binaries) by non-root users.

This is a problem for some CI environments. For instance, Azure Pipelines creates containers from a given image with a user named vsts_azpcontainer and an id of 1001, in a group named azure_pipelines_sudo. Tasks/scripts/commands run from that container are executed as this user, which doesn't have access to the /root/.local/bin directory where the phylum Python package script entry points are located.

Describe the solution you'd like
Allow the script entry points provided by the phylum Python package and exposed in the phylum-ci Docker image to be available for use by any user of a running container based on that image.

Describe alternatives you've considered
It could also be possible to create a separate Docker image for this use case and keep the current one intact.

Additional context

Proof that the phylum-ci binary cannot be accessed by non-root users:

image


Azure Pipelines log when creating a container from the phylumio/phylum-ci image:

image

Acceptance criteria

  • phylum-ci and phylum-init script entry points (binaries) can be used by non-root users of containers based on the phylum-ci Docker image
  • phylum-ci and phylum-init script entry points (binaries) can be used by the root user of containers based on the phylum-ci Docker image
  • Testing for existing integrations shows no regressions
maxrake added the enhancement and high priority labels Sep 2, 2022
maxrake self-assigned this Sep 2, 2022

maxrake commented Sep 6, 2022

FYI...something similar was done in the Python black project: psf/black#3202

maxrake added a commit that referenced this issue Sep 13, 2022
The Dockerfile has been updated to install the `phylum` package in a
Python virtual environment, which is accessible by non-root users of the
image. The `phylum-init` script was updated to provide a hidden option
for installing the CLI in a globally accessible directory. That option
is meant to be used in very limited circumstances, namely the Dockerfile
for image creation.

Closes #118
maxrake added a commit that referenced this issue Sep 14, 2022
The Dockerfile has been updated to install the `phylum` package in a
Python virtual environment, which is accessible by non-root users of the
image. The `phylum-init` script was updated to provide a hidden option
for installing the CLI in a globally accessible directory. That option
is meant to be used in very limited circumstances, namely the Dockerfile
for image creation.

Closes #118
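
The install layout the issue describes, next to the virtual-environment layout the commit message describes, as an added example that is not the phylum-ci project's own Dockerfile. The base image tag, the stage names, and the `/opt/venv` path are assumptions; uid 1001 is the Azure Pipelines user mentioned in the issue.

```dockerfile
# Added example; NOT the phylum-ci project's Dockerfile.
# Assumptions: python:3.10-slim base image, stage names, /opt/venv path.

# --- Layout described in the issue: user install performed as root ---
FROM python:3.10-slim AS before
# As root, a --user install places the script entry points in
# /root/.local/bin, inside root's home directory.
RUN pip install --user --no-cache-dir phylum
ENV PATH="/root/.local/bin:${PATH}"
# A non-root user (e.g. uid 1001) cannot reach that directory, so a
# check like the one below would fail the build at this point:
# USER 1001
# RUN command -v phylum-ci

# --- Layout described in the fix: virtual environment outside /root ---
FROM python:3.10-slim AS after
ENV VIRTUAL_ENV=/opt/venv
# Created as root with the default umask, so the tree is owned by root
# and is readable and executable, but not writable, by other users.
RUN python -m venv "${VIRTUAL_ENV}"
# Putting the venv's bin directory first on PATH makes its pip and its
# entry points the defaults for every user of the container.
ENV PATH="${VIRTUAL_ENV}/bin:${PATH}"
RUN pip install --no-cache-dir phylum

# Build-time check for the first acceptance criterion: both entry
# points resolve for an arbitrary non-root uid/gid.
USER 1001:1001
RUN command -v phylum-ci && command -v phylum-init

# Build-time check for the second acceptance criterion: root still
# resolves them. Ending on root keeps the image's default user as the
# issue describes it.
USER root
RUN command -v phylum-ci && command -v phylum-init
```

Because the virtual environment stays root-owned, non-root users can execute the entry points but cannot modify the installed packages. The example does not cover the separate CLI installation step that the commit message mentions.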