[WIP] non-root user for NodeJS template

[austinfrey]

Initial draft of non-root user in the NodeJS template.

Description

update the template/node/Dockerfile to use the node user rather than root. function directory structure needed to changed from /root/ to /usr/local/app/ as well

Motivation and Context

Allows users to run function as non-root which may increase security

This relates to #81

• I have raised an issue to propose this change (required)
  already raised by @alex Proposal: Alter templates to run as non-privileged user #81

How Has This Been Tested?

Manually built test function after changes, deployed and tested through the UI gateway

Linux 16+ on Docker CE 17.06

Will only impact the NodeJS template

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

• My code follows the code style of this project.
• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I've read the CONTRIBUTION guide
• I have signed-off my commits with git commit -s
• I have added tests to cover my changes.
• All new and existing tests passed.

[austinfrey]

Initial draft to get feedback before moving on to other templates. No need to merge yet.

[alexellis]

What about a regular home directory like /home/app/ ?

[austinfrey]

sounds good

[alexellis]

This should be: /home/app/ as per the comment, could you update? I'd like to move forward and merge your change. Thank you for helping lead this @aafrey

[alexellis]

Great start! Maybe the username could be app and we could use that across the board - like a copy/paste segment for all the templates?

[austinfrey]

that makes the most sense. I'll work on it this evening

[rgee0]

Just picking up on the user, and acknowledging that its largely academic, but why dont we use faas or openfaas? Setting this as a sort of principle might be helpful further down the road, when 3rd party templates start to emerge.

[alexellis]

I'd just keep it generic like app for now. Always good to think forward though so thanks for your input.

[alexellis]

@aafrey - really appreciate your work on this and the "serverless inc" template. 💯

When can we get this fixed-up and merged? @rgee0 @rorpage any other feedback?

[alexellis]

Changes needed.

[austinfrey]

I'll allocate some time tomorrow for this if no one else has any feedback @alex @rgee0 @rorpage

[ericstoekl]

When I try this change, I get the following error:

$ curl http://localhost:8080/function/nodejs-echo -d "stuff"
exit status 1
fs.js:641
  return binding.open(pathModule._makeLong(path), stringToFlags(flags), mode);
                 ^

Error: EACCES: permission denied, open '/usr/local/app/index.js'
    at Error (native)
    at Object.fs.openSync (fs.js:641:18)
    at Object.fs.readFileSync (fs.js:509:33)
    at Object.Module._extensions..js (module.js:578:20)
    at Module.load (module.js:487:32)
    at tryModuleLoad (module.js:446:12)
    at Function.Module._load (module.js:438:3)
    at Module.runMain (module.js:604:10)
    at run (bootstrap_node.js:389:7)
    at startup (bootstrap_node.js:149:9)

I believe this can be fixed by the following line just before the USER node line:

RUN chown -R node .

[alexellis]

@ems5311 thank you for testing.

[austinfrey]

@ems5311 appreciate the feedback. I couldn't reproduce so I'm unsure what the issue is. I wouldn't think you'd need to chown since the node user is setup by default when building from that image. I made some changes as asked to use /home/app directory and the app user. I tested and it seems to be working for me, but it worked for me last time too, so would you mind testing again, and let me know if you see that error again? i thought docker was supposed to fix the "works on my machine" issue :)

[ericstoekl]

@aafrey Thanks for the feedback, strangely I am still seeing the issue. I have uploaded the image that faas-cli build -f <yaml> builds for me for the nodejs-echo function, based on this latest dockerfile. https://hub.docker.com/r/ems5311/nodejs-echo-noroot/

I believe if you run faas-cli deploy --image ems5311/nodejs-echo-noroot --name ems5311-node-noroot, it will pull and run the image from the docker hub repo.

I have also made sure that I am building the faas-cli binary with this latest pull request, and the faas-cli version hash matches the latest commit. I am running Ubuntu 16.04 and I might have some unconventional docker settings on my system.

Thanks again,
Eric

[austinfrey]

@ems5311 Hi Eric, the image you sent over doesn't work for me either, could you try building with the build.sh script in the template/node directory rather than the cli? just to test if there is a difference

[ericstoekl]

@aafrey good call, I'll try this out tonight.

[ericstoekl]

Yep, works now. Force rebuilding the image with --no-cache did the trick. Sorry for the false alarm, this changelist is good to go. 👏

[austinfrey]

@ems5311 appreciate the testing! thanks!

[austinfrey]

@alexellis anything else needed here?

[alexellis]

Yes I posted a comment about using /home/app as the folder for the app.

[austinfrey]

@alexellis the most recent commit made that change

[alexellis]

@austinfrey are we good to go with this?

[alexellis]

We can add the group at the top - meaning this gets cached and not affected by copying code in.

[austinfrey]

i can make this change @alexellis then we should be all set. should I make the change, squash and resubmit? or can i squash and commit with this same PR?

[alexellis]

Yes you can squash and re-push with the --force flag. I only raise a new PR if I screw things up really bad and have to push out of a different branch.

[alexellis]

Ping me for merging.

[ghost]

Thank you for your contribution. I've just checked and your commit doesn't appear to be signed-off.
That's something we need before your Pull Request can be merged. Please see our contributing guide.

[austinfrey]

@alexellis i had to merge the latest master with my branch to get up to date, i squashed everything down to one commit, but attributing all the previous changes i had to merge in as being part of this commit. is that normal?

[alexellis]

Struggling to see the changes here. This contains 32 files and now has some merge conflicts. Maybe it would be easier to submit a new PR?

[austinfrey]

Agreed, I'll resubmit this evening

[austinfrey]

@alexellis started fresh, hopefully that's the last of it :)

[alexellis]

Derek add label: status/testing

[alexellis]

Just wondering if "user app" can go higher?

[austinfrey]

sure. I'll update and test

[austinfrey]

@alexellis moved adduser to line two. tested and had no issues

[alexellis]

Merged. Please can you retro-fit to the armhf template? @rgee0 perhaps you could help test?

[alexellis]

faas-cli invoke notroot
Reading from STDIN - hit (Control + D) to stop.
test this
Server returned unexpected status code: 500 - exit status 1
fs.js:641
  return binding.open(pathModule._makeLong(path), stringToFlags(flags), mode);
                 ^

Error: EACCES: permission denied, open '/home/app/index.js'
    at Error (native)
    at Object.fs.openSync (fs.js:641:18)
    at Object.fs.readFileSync (fs.js:509:33)
    at Object.Module._extensions..js (module.js:578:20)
    at Module.load (module.js:487:32)
    at tryModuleLoad (module.js:446:12)
    at Function.Module._load (module.js:438:3)
    at Module.runMain (module.js:604:10)
    at run (bootstrap_node.js:389:7)
    at startup (bootstrap_node.js:149:9)

@austinfrey this broke :-/

[austinfrey]

Interesting. I'll look at this tonight Looks like you already fixed