Final non-root changes to Python, Ruby and C# templates

[ericstoekl]

Dockerfile for python, ruby, and C# template should not use ROOT

Signed-off-by: Eric Stoekl ems5311@gmail.com

Description

Like #83, this change is to have template Dockerfiles establish the function in an environment not running as root.

Motivation and Context

• I have raised an issue to propose this change (required)
  Proposal: Alter templates to run as non-privileged user #81

How Has This Been Tested?

ad-hoc

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

• My code follows the code style of this project.
• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I've read the CONTRIBUTION guide
• I have signed-off my commits with git commit -s
• I have added tests to cover my changes.
• All new and existing tests passed.

[alexellis]

This looks great @ems5311 - you are blazing a trail through these issues!

[alexellis]

Can we remove the comments here?

[ericstoekl]

no prob -- will be done this evening

[alexellis]

Derek add label: status/testing

[alexellis]

We should move the adduser/useradd up top.. @ericstoekl can you work on this or recruit some help from the community?

[ericstoekl]

Yeah, I can get some stuff done on this later tonight.

[alexellis]

The change for Node.js is already merged and released 👍

[Lewiscowles1986]

all working xenial x64

[Lewiscowles1986]

Btw is there a reason they should not use root?

At work I pass in UID and GID, that seems to stop effects of containers writing files as root or a user that doesn't exist. It's done once at container initial start

[ericstoekl]

@alexellis Just updated to move adduser to the top of the Dockerfiles. Also added python3. Is it ok to address the armhf and arm64 languages in a future pr?

@Lewiscowles1986, Thanks for testing! This change was proposed after Nic gave a presentation about the potential vulnerabilities of running the docker images as root.

[nicholasjackson]

Is this line required?

[ericstoekl]

Probably not, I think we can safely remove. Thanks Nic!

[nicholasjackson]

@ericstoekl @alexellis I have tested a python 2 function, including pip to install a package and it seems all ok. There is one line in the docker file: WORKDIR /root/. Which does not seem required any more?

https://github.com/openfaas/faas-cli/pull/91/files#diff-2c26f08f6712431fc39c186c9bf2117cL10

Temp file is also written

[nicholasjackson]

@ericstoekl @alexellis I have also tested python 3, including pip to install a package and all seems ok.

Temp file is also written:

[open-derek]

Thank you for your contribution. I've just checked and your commit doesn't appear to be signed-off.
That's something we need before your Pull Request can be merged. Please see our contributing guide.

[ericstoekl]

So I've put together a script that lets anyone easily test this change. If you have faas-cli installed and faas deployed on docker swarm, you can run the following command to test this change. If you have it deployed with kubernetes, you will need to edit the script to include the --gateway flag pointing at your gateway with each faas-cli command.

curl -sSL https://gist.githubusercontent.com/ericstoekl/3d30624f9b7b78adcb1c2ca69d17c895/raw/cfe441221483213d1249c3f70c09b5db7a00bf6f/nonRootTemplateTest.bash | bash

It will download the templates from this PR and build a function in node, python, ruby, and csharp, then call each function.

[Lewiscowles1986]

Tested, works.

C Sharp function reachable
Node function reachable
Ruby function reachable
Python function reachable
Python 3 function reachable

[alexellis]

This script is good for a cursory check but we have to ensure there is no breakage for getting/installing/accessing 3rd-party dependencies too. I also found some issues with the .lock file not being written properly to /tmp/. You can check on docker ps to see if the function is healthy (has a lock)

[ericstoekl]

To test lock file status, I created functions from the node, python, ruby, and csharp templates using the script posted above, and checked each deployed function with docker service logs:

$ docker service logs p1
p1.1.t8fxqzolchik@s-GA-78LMT-USB3-6-0    | 2017/11/06 16:45:58 Writing lock-file to: /tmp/.lock
$ docker service logs r1
r1.1.s7vatldn0qvu@s-GA-78LMT-USB3-6-0    | 2017/11/06 16:45:58 Writing lock-file to: /tmp/.lock
$ docker service logs c1
c1.1.xweirwsmxjwe@s-GA-78LMT-USB3-6-0    | 2017/11/06 16:46:00 Writing lock-file to: /tmp/.lock
$ docker service logs n1
n1.1.yunekpnk4r0a@s-GA-78LMT-USB3-6-0    | 2017/11/06 16:45:53 Writing lock-file to: /tmp/.lock

[alexellis]

Templates need to add a group too so they follow the pattern of the Node example.

RUN addgroup -S app && adduser -S -g app app

Then chown to app:app

Please also chmod /tmp to 777 for all templates to get around buildkit/containerd issue.

[alexellis]

This version is now 0.6.9 please update.

[alexellis]

What's going on with the ordering here? Does it optimize the build?

[ericstoekl]

This is the same ordering used in the node template, which I am basing these templates off of.

Edit -- actually looks like this line is unnecessary. Removing.

[alexellis]

Really close, few minor changes needed.

[alexellis]

Derek add label: risk/high

[alexellis]

Review given. This is a high risk item so we can't afford for mistakes. Thank you for taking care with this.

[johnmccabe]

@ericstoekl can you update/respond to @alexellis' comments and we can get this closed out.

[ericstoekl]

@alexellis Updated to address comments from the review. Sorry for the delay, this one got lost in the shuffle somehow 😕

To test this out to verify it works, run the following:

curl -sSL https://gist.githubusercontent.com/ericstoekl/3d30624f9b7b78adcb1c2ca69d17c895/raw/de78492095c15c81682c4d3a05c5088880267f25/nonRootTemplateTest.bash | bash

When it's done running you should see this kind of output:

Lock file for nodefunction1: error is 0
app
Lock file for csharpfunction1: error is 0
app
Lock file for rubyfunction1: error is 0
app
Lock file for pythonfunction1: error is 0
app
Lock file for python3function1: error is 0

This shows that for each function template, the user is app and no error was encountered when accessing the /tmp/.lock file.

[ericstoekl]

Thanks to @austinfrey we found some issues in the current status of this PR -- the csharp function fails to build due to the adduser command not being correct. I'm working to resolve this.

Edit -- updated the PR with a squashed commit, addgroup and useradd now work on the csharp version.

Set up a new deployment (deploy_stack.sh in faas repo). Get the latest faas-cli version. Then test it out with this command: curl -sSL https://gist.githubusercontent.com/ericstoekl/3d30624f9b7b78adcb1c2ca69d17c895/raw/5995f8c1ad2b3cebd6e855770b75d08925d389ee/nonRootTemplateTest.bash | bash

[austinfrey]

lgtm

[alexellis]

Please can we raise against this site too? https://github.com/openfaas/templates

Templates are graduating up.

[alexellis]

@ericstoekl templates are graduating to the new repo so I'm closing this PR. Please raise it against the new repo.