Parked

Suggestion to Run Docker Extractor Images as Non-Root User

Related products:Extractors
  • August 2, 2024
  • 5 replies
  • 66 views


Hi,

I noticed that the current setup with the Dockerfile cognite/db-extractor-base runs the extractor as the root user within the container.

In our use case, we have to heavily modify the Dockerfile to change the setup so that it runs as a non-root user. It would be highly beneficial if the Docker image either accepted an argument to run as a non-root user or, preferably, ran the script as a non-root user by default. Running containers as the root user is not best practice for containerized development and is often restricted in organizational environments.

I'm not sure if there is an intentional reason for running as root, or if this aspect hasn't been considered yet at Cognite.

If you are open to changing this, I can assist and provide our current solution. I believe this adjustment would improve security and compatibility for multiple users.

Best regards,

Matias Ramsland,

matias.ramsland@akerbp.com

5 replies

Jørgen Lund
Seasoned Practitioner
  • Product Manager
  • August 5, 2024

Hi @MatiasRamsland !

Thank you for suggesting this product idea. We will follow the traction this idea gets in the community. You can expect updates on this post if we decide to include this in our future roadmap, or if we require more information.


Andre Alves
MVP

I just want to agree with @MatiasRamsland that running Docker containers as root is indeed a very bad practice. Running containers as root can introduce significant security vulnerabilities that malicious individuals could exploit. When a container runs as root, it has elevated privileges that could be used to gain unauthorized access to the host system, potentially leading to data breaches, system compromise, and other security incidents. Therefore, it is crucial to run Docker containers with the least privileges necessary to minimize these risks.

Matias, if possible, could you share your current solution with the Cognite community? This could serve as a useful interim measure until the CDF team releases their solution.



@Andre Alves 
This configuration works in our case at least. Remember to modify the installation of your required ODBC driver. One more thing to note is that you might need to set up volumes on your deployment for the respective state store and logs, depending on how you have set up your config.

# Base image
FROM cognite/db-extractor-base:3.4.4

# Install required system packages while still root. Modify this to install your required ODBC driver.
# apt-get update is needed first if the base image ships without package lists; the list cleanup keeps the layer small.
RUN apt-get update \
 && apt-get install -y --no-install-recommends odbc-postgresql \
 && rm -rf /var/lib/apt/lists/*

# Create a non-root user with a fixed UID and their home directory
RUN useradd -u 8877 nonrootuser-db-extractor \
 && mkdir -p /home/nonrootuser-db-extractor \
 && chown nonrootuser-db-extractor:nonrootuser-db-extractor /home/nonrootuser-db-extractor

# Switch to the non-root user; everything below runs without root privileges
USER nonrootuser-db-extractor

# Put the user-level bin directory (where pipx installs) first on PATH
ENV PATH="/home/nonrootuser-db-extractor/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
WORKDIR /home/nonrootuser-db-extractor

# Directories for config, state store and logs (mount volumes here if your config needs persistence)
RUN mkdir -p config state log \
 && chmod 755 config state log

# Copy the config file; COPY does not honour USER, so --chown makes the file owned by the non-root user
COPY --chown=nonrootuser-db-extractor:nonrootuser-db-extractor config.yaml /home/nonrootuser-db-extractor/config/config_remote.yaml

# Install the db-extractor under the non-root user's home (user-level pip install, no root needed)
RUN set -ex && pip install --upgrade pip && pip install poetry pipx

WORKDIR /db-extractor
RUN pipx install .
RUN chmod +x /home/nonrootuser-db-extractor/.local/share/pipx/venvs/db-extractor

WORKDIR /db-extractor/db-extractor

CMD ["/home/nonrootuser-db-extractor/config/config_remote.yaml"]
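As an added example (not code from the thread or from Cognite), the check below parses a Dockerfile the way a CI gate would and flags what this thread is about: an image that still ends up running as root, root-only package installs (apt-get) placed after the USER switch, and a named rather than numeric USER, which Kubernetes' runAsNonRoot cannot verify unless runAsUser is also set. The sample Dockerfile inside it is constructed to mirror the one above and is not the real file.

```python
"""Static check for the non-root pitfalls discussed in this thread (added example)."""
import re

# Constructed sample that mirrors the shape of the Dockerfile posted above.
SAMPLE_DOCKERFILE = """\
FROM cognite/db-extractor-base:3.4.4
RUN apt-get update && apt-get install -y odbc-postgresql
RUN useradd -u 8877 nonrootuser-db-extractor \\
 && mkdir -p /home/nonrootuser-db-extractor
USER nonrootuser-db-extractor
WORKDIR /home/nonrootuser-db-extractor
RUN pipx install .
"""


def parse_instructions(text):
    """Join backslash continuations, drop comments and blank lines, return (INSTR, args) pairs."""
    joined = re.sub(r"\\\n", " ", text)
    pairs = []
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            instr, _, args = line.partition(" ")
            pairs.append((instr.upper(), args.strip()))
    return pairs


def check_dockerfile(text):
    """Return (code, message) findings; an empty list means the image passes."""
    findings = []
    user, switched = "root", False  # Docker runs as root until a USER instruction appears
    for instr, args in parse_instructions(text):
        if instr == "USER":
            user, switched = args.split(":")[0], True  # USER may be "name", "uid" or "uid:gid"
        elif instr == "RUN" and switched and user not in ("root", "0") and "apt-get" in args:
            findings.append(("apt-after-switch",
                             f"apt-get runs after USER {user}; package installs need root, move them before the switch"))
    if user in ("root", "0"):
        findings.append(("root-user", "final USER is root (explicitly or by default)"))
    elif not user.isdigit():
        findings.append(("named-user",
                         f"USER '{user}' is a name; Kubernetes runAsNonRoot cannot verify a named user, use the UID or set runAsUser"))
    return findings


if __name__ == "__main__":
    for code, msg in check_dockerfile(SAMPLE_DOCKERFILE):
        print(f"{code}: {msg}")
```

Run against the thread's Dockerfile shape it reports only the named-user caveat; replacing `USER nonrootuser-db-extractor` with `USER 8877` makes it pass cleanly.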

 


Andre Alves
MVP

Thank you very much!



We’re in the process of enhancing some of the extractors to support running as rootless containers. The timeline for release is being discussed.