Docker: Remove usage of gosu and replace with su #5951

Merged (1 commit) on Mar 21, 2024

@hsoerensen hsoerensen commented Mar 12, 2024

Summary

Replace usage of upstream gosu command in Docker containers.

su is available in the environment, and using su should reduce security exposure vs using upstream (Ubuntu) managed gosu dependency.

At the time of writing security scanning tools such as grype/Snyk/Docker Scout are all finding issues in the gosu linked stdlib (from go1.19.8), which this will remediate.

Test Plan

Changes were tested by:

  • Search across repo for gosu to identify usages
  • Executed the following steps:
    • Executing into a docker container by using docker run -it algorand/algod:latest bash
    • Update /node/run/run.sh to use su command
    • Execute /node/run/run.sh

Permutations tested:

  • Executing using a relative path
  • File ownership in files copied to ALGORAND_DATA has been inspected (algorand:algorand owner expected)
  • Environment variables passed correctly to the restarted process. If variables are not passed correctly, the initial check for ALGORAND_DATA will cause the script to abort

Notes:

  • Local builds were not tested as unit tests fail on my M2 Mac when using the make script.
  • Build of /Dockerfile was not done as I'm uncertain about the build target to use for creating the necessary files required in the copy step. To work around this issue, the current Docker image was pulled from Docker Hub, and the run.sh changes were subsequently injected.
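
The re-exec pattern that the test plan above exercises, as an added example (not the project's run.sh, whose changed lines this page does not show): each argument is quoted for `su -c`, `-p` keeps the environment so the ALGORAND_DATA check still passes after the user switch, and the drop is a no-op when not root. The `su -p` invocation, the `algorand` account and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not the project's run.sh. Assumed: util-linux su with -p,
# an "algorand" account in the image, and the helper names below.

# Single-quote one argument so the shell started by `su -c` sees it as one
# literal word (trailing newlines in an argument are not preserved).
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Build the string handed to `su -c`. gosu passes argv through unchanged;
# su re-parses a string, so every word has to be quoted.
su_command_string() {
    cmd="exec"
    for arg in "$@"; do
        cmd="$cmd $(shell_quote "$arg")"
    done
    printf '%s' "$cmd"
}

# The check the PR's test plan relies on: abort when ALGORAND_DATA is lost.
require_algorand_data() {
    [ -n "${ALGORAND_DATA:-}" ] || { echo "ALGORAND_DATA not set" >&2; return 1; }
}

# Re-run the given command as $1 when started as root; no-op otherwise.
# -p keeps the environment, so ALGORAND_DATA survives the user switch.
drop_privileges() {
    target_user=$1; shift
    [ "$(id -u)" -eq 0 ] || return 0
    exec su -p "$target_user" -c "$(su_command_string "$@")"
}

# Entrypoint usage (commented out so the example has no side effects):
#   require_algorand_data || exit 1
#   drop_privileges algorand "$(readlink -f "$0")" "$@"

# Constructed argv with a space, a quote and a command substitution.
su_command_string /node/run/run.sh "a b" "it's" '$(id)'; echo
```

Unlike gosu, su remains the parent of the command it starts, so signal delivery to the node process is worth checking alongside file ownership.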


hsoerensen commented Mar 12, 2024

I'm noticing that there's a build failure, however I'm also unable to drill into the build failures due to what appears to be a permission-related issue. All workflow steps in the attached screenshot are not clickable for me.


@onetechnical onetechnical changed the title Remove usage of gosu and replace with su Docker: Remove usage of gosu and replace with su Mar 13, 2024
@onetechnical onetechnical reopened this Mar 13, 2024

codecov bot commented Mar 13, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 55.72%. Comparing base (13e66ff) to head (b5d956d).

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #5951      +/-   ##
==========================================
+ Coverage   55.71%   55.72%   +0.01%     
==========================================
  Files         489      489              
  Lines       68111    68111              
==========================================
+ Hits        37950    37958       +8     
+ Misses      27586    27583       -3     
+ Partials     2575     2570       -5     



@onetechnical onetechnical left a comment

Thanks for submitting this! Changes look reasonable.

@algorandskiy algorandskiy merged commit 4a96168 into algorand:master Mar 21, 2024
33 of 36 checks passed