devopsfaith/krakend as base runs commands as root
stevenh opened this issue · 7 comments
Environment info:
- KrakenD version: v2.7.0
- System info: docker version 27.1.1
Describe the bug
The official official docker image devopsfaith/krakend as listed in repo readme is actually not built using make docker target from this repo.
The impact of this is that if used as a base RUN commands are run as root not the krakend user as expected from the Dockerfile.
It also exposes a different port 8080 instead of 8000.
I'm no sure about that dockerfile listed at the docker hub, but you can check that in fact the binary in the docker image is running using the krakend user by following these steps:
- start a krakend container
- in another console, just execute
docker exec -it <name_of_the_container> ps
You'll get something like this:
PID USER TIME COMMAND
1 krakend 0:01 krakend run -dc krakend.json
36 root 0:00 ps
Sorry, when I said "runs krakend" I actually meant runs commands, so if you use it as a base RUN lines run as root and not krakend e.g.
Example Dockerfile:
ARG KRAKEND_IMAGE=devopsfaith/krakend:2.7.0
FROM ${KRAKEND_IMAGE}
RUN id
Docker build:
BUILDKIT_PROGRESS=plain docker build --no-cache -f ../../Dockerfile.krakend .
#0 building with "default" instance using docker driver
#1 [internal] load build definition from Dockerfile.krakend
#1 transferring dockerfile: 84B done
#1 DONE 0.0s
#2 [internal] load metadata for docker.io/devopsfaith/krakend:2.7.0
#2 DONE 0.0s
#3 [internal] load .dockerignore
#3 transferring context: 2B done
#3 DONE 0.0s
#4 [1/2] FROM docker.io/devopsfaith/krakend:2.7.0
#4 CACHED
#5 [2/2] RUN id
#5 0.186 uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
#5 DONE 0.2s
#6 exporting to image
#6 exporting layers 0.0s done
#6 writing image sha256:e231f5918af4b87fb4d3a8fecfdd0934f5f02e409cd8c290ea0b6b3b9aadfe30 done
#6 DONE 0.0s
If I do the same with an image built from make krakend I get:
BUILDKIT_PROGRESS=plain docker build --no-cache --build-arg KRAKEND_IMAGE=stevenhartland/krakend:2.7.0 -f ../../Dockerfile.krakend .
#0 building with "default" instance using docker driver
snip...
#6 [2/2] RUN id
#6 0.275 uid=1000(krakend) gid=65533(nogroup) groups=65533(nogroup)
#6 DONE 0.3s
#7 exporting to image
#7 exporting layers done
#7 writing image sha256:60ac4c22ac548309f825aa56fe7b27e75e4b92e31e42166f31e2898148070c59 done
#7 DONE 0.0s
As you can see the former reports uid=0(root) gid=0(root) where as the latter reports uid=1000(krakend) gid=65533(nogroup) groups=65533(nogroup)
Overall consumers of krakend-ce don't seem to be able replicate the build as published to devopsfaith/krakend using the Makefile commands as they would expect.
Hi, this Dockerfile is old and still in the repo for people who just want to build the code and not to download a precompiled binary from the github releases page.
This Dockerfile is provided as simple as possible and everything runs as the krakend user.
The official docker image uses this repo to build reproducible containers following the official Docker guidelines, using an entrypoint script that runs all the krakend commands as krakend and all the others as root.
Thanks for reply @taik0 that clarifies what I'm seeing, appreciated!
Would you accept a PR to document that to avoid confusion for others?
Of course! That would be perfect.