container user 10001 is part of root group? #35179

0x6f677548 · 2024-09-13T18:27:52Z

Component(s)

cmd/otelcontribcol

Describe the issue you're reporting

It seems to me that the container is running with a user 10001 part of the 0 (root) group.

I suggest something like:

ARG USER_UID=10001
ARG USER_GID=10001
USER ${USER_UID}:${USER_GID}

Am I missing something?

The text was updated successfully, but these errors were encountered:

rogercoll · 2024-09-16T15:49:15Z

Nice catch! Do you know how we could verify the GID of the user from that image? (Being based on scratch makes debugging hard)

But based on dockerfile documentation:

When the user doesn't have a primary group then the image (or the next instructions) will be run with the root group.

And if we want to follow security best-practices:

Consider an explicit UID/GID.
Users and groups in an image are assigned a non-deterministic UID/GID in that the "next" UID/GID is assigned regardless of image rebuilds. So, if it’s critical, you should assign an explicit UID/GID.

We should also bring your suggestion to the repository used to publicly release the images https://github.com/open-telemetry/opentelemetry-collector-releases

0x6f677548 · 2024-09-16T17:10:25Z

Yes, it is running as group 0. Just confirmed by running id inside the container shell:

~ $ id
uid=10001 gid=0 groups=0

One could use an alpine image to debug it, but if you want to confirm it on a scratch, here's my suggestion:

FROM alpine:latest AS builder

# Install a statically linked shell and the necessary binaries
RUN apk add --no-cache busybox-static
RUN apk add --no-cache coreutils acl attr

FROM otel/opentelemetry-collector-contrib:latest AS prep

FROM scratch

# Copy the shell executable from the builder stage
COPY --from=builder /bin/busybox.static /bin/sh
# Copy id binary from the builder stage
COPY --from=builder /usr/bin/id /bin/id

# Copy required shared libraries
COPY --from=builder /lib/ld-musl-x86_64.so.1 /lib/ld-musl-x86_64.so.1
COPY --from=builder /lib/libc.musl-x86_64.so.1 /lib/libc.musl-x86_64.so.1
COPY --from=builder /lib/libcrypto.so.3 /lib/
COPY --from=builder /lib/libacl.so.1 /lib/
COPY --from=builder /lib/libattr.so.1 /lib/
COPY --from=builder /lib/libutmps.so.0.1 /lib/
COPY --from=builder /lib/libskarnet.so.2.14 /lib/
COPY --from=builder /lib/libutmps.so.0.1 /lib/

COPY --from=prep /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
COPY --from=prep otelcol-contrib /otelcol-contrib

ARG USER_UID=10001
USER ${USER_UID}



# copy the config file to the /etc folder
COPY otel_collector.config.yaml /etc/otel_collector.config.yaml

EXPOSE 4317 55680 55679
ENTRYPOINT ["/otelcol-contrib"]
CMD ["--config", "/etc/otel_collector.config.yaml"]

Let me know if I can help somehow.

0x6f677548 · 2024-09-16T17:17:01Z

We should also bring your suggestion to the repository used to publicly release the images https://github.com/open-telemetry/opentelemetry-collector-releases

missed this comment. Sure - I'll create the issue over there also. thanks

0x6f677548 · 2024-09-17T11:46:56Z

Alternative steps to reproduce:
open-telemetry/opentelemetry-collector-releases#662 (comment)

ChrsMark · 2024-09-18T09:44:26Z

@open-telemetry/collector-contrib-maintainers this looks like a valid suggestion and should be changed along with open-telemetry/opentelemetry-collector-releases#662.

rogercoll · 2024-11-04T17:51:30Z

Fixing it in #36170

#### Description Sets a specific GID for the build container's image.  #### Link to tracking issue #35179  #### Testing (Manual) ``` $ make docker-otelcontribcol // create a sample config.yaml file $ docker run -v .:/etc/otel/ otelcontribcol $ ps -o user,group,pid,comm -ax | rg otelcontribcol 10001 10001 1903287 otelcontribcol ``` Without the changes: ``` $ ps -o user,group,pid,comm -ax | rg otelcontribcol root root 1940536 otelcontribcol ```  #### Documentation

#### Description Sets a specific GID for the build container's image.  #### Link to tracking issue open-telemetry#35179  #### Testing (Manual) ``` $ make docker-otelcontribcol // create a sample config.yaml file $ docker run -v .:/etc/otel/ otelcontribcol $ ps -o user,group,pid,comm -ax | rg otelcontribcol 10001 10001 1903287 otelcontribcol ``` Without the changes: ``` $ ps -o user,group,pid,comm -ax | rg otelcontribcol root root 1940536 otelcontribcol ```  #### Documentation

0x6f677548 added the needs triage New item requiring triage label Sep 13, 2024

0x6f677548 mentioned this issue Sep 16, 2024

container user 10001 is group root. open-telemetry/opentelemetry-collector-releases#662

Open

github-actions bot mentioned this issue Sep 17, 2024

Weekly Report: 2024-09-10 - 2024-09-17 #35228

Closed

ChrsMark removed the needs triage New item requiring triage label Sep 18, 2024

rogercoll mentioned this issue Nov 4, 2024

fix root group container permissions #36170

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

container user 10001 is part of root group? #35179

container user 10001 is part of root group? #35179

0x6f677548 commented Sep 13, 2024

rogercoll commented Sep 16, 2024

0x6f677548 commented Sep 16, 2024 •

edited

Loading

0x6f677548 commented Sep 16, 2024

0x6f677548 commented Sep 17, 2024

ChrsMark commented Sep 18, 2024

rogercoll commented Nov 4, 2024

container user 10001 is part of root group? #35179

container user 10001 is part of root group? #35179

Comments

0x6f677548 commented Sep 13, 2024

Component(s)

Describe the issue you're reporting

rogercoll commented Sep 16, 2024

0x6f677548 commented Sep 16, 2024 • edited Loading

0x6f677548 commented Sep 16, 2024

0x6f677548 commented Sep 17, 2024

ChrsMark commented Sep 18, 2024

rogercoll commented Nov 4, 2024

0x6f677548 commented Sep 16, 2024 •

edited

Loading