From ea387168418cfd5639f9808a39c618f093746fbd Mon Sep 17 00:00:00 2001
From: Sam Ruby
Date: Tue, 31 Oct 2023 10:23:33 -0400
Subject: [PATCH] Match Rails 7.1 templates: placate k8s runAsNonRoot

https://github.com/rails/rails/commit/7ff33d8b3c6d2c5187ac2a59067fce8eea7ceba3
---
 lib/generators/templates/Dockerfile.erb | 13 ++++++++-----
 test/results/bin_cd/Dockerfile | 7 ++++---
 test/results/cache/Dockerfile | 7 ++++---
 test/results/ci/Dockerfile | 7 ++++---
 test/results/config/Dockerfile | 7 ++++---
 test/results/env/Dockerfile | 7 ++++---
 test/results/execjs_importmap/Dockerfile | 7 ++++---
 test/results/execjs_node/Dockerfile | 7 ++++---
 test/results/fullstaq/Dockerfile | 7 ++++---
 test/results/grover/Dockerfile | 7 ++++---
 test/results/idle/Dockerfile | 5 +++--
 test/results/jemalloc/Dockerfile | 7 ++++---
 test/results/label/Dockerfile | 7 ++++---
 test/results/litefs/Dockerfile | 5 +++--
 test/results/litestack/Dockerfile | 7 ++++---
 test/results/minimal/Dockerfile | 7 ++++---
 test/results/nginx/Dockerfile | 9 +++++----
 test/results/no_prep/Dockerfile | 7 ++++---
 test/results/parallel/Dockerfile | 7 ++++---
 test/results/precompile_defer/Dockerfile | 7 ++++---
 test/results/rmagick/Dockerfile | 7 ++++---
 test/results/swap/Dockerfile | 5 +++--
 test/results/vite/Dockerfile | 7 ++++---
 test/results/windows/Dockerfile | 7 ++++---
 test/results/yjit/Dockerfile | 7 ++++---
 25 files changed, 102 insertions(+), 75 deletions(-)

diff --git a/lib/generators/templates/Dockerfile.erb b/lib/generators/templates/Dockerfile.erb
index 1a48fac..d5df93c 100644
--- a/lib/generators/templates/Dockerfile.erb
+++ b/lib/generators/templates/Dockerfile.erb
@@ -222,27 +222,30 @@ RUN mkdir /data
 <% else -%>
 # Run and own only the runtime files as a non-root user for security
 <% if options.compose? -%>
+<% user = "rails:rails" -%>
 ARG UID=1000 \
 GID=1000
 RUN groupadd -f -g $GID rails && \
 useradd -u $UID -g $GID rails --create-home --shell /bin/bash && \
 <% else -%>
-RUN useradd rails --create-home --shell /bin/bash && \
+<% user = "1000:1000" -%>
+RUN groupadd --system --gid 1000 rails && \
+ useradd rails --uid 1000 --gid 1000 --create-home --shell /bin/bash && \
 <% end -%>
 <% if options.nginx? -%>
- chown rails:rails /var/lib/nginx /var/log/nginx/* && \
+ chown <%= user %> /var/lib/nginx /var/log/nginx/* && \
 <% end -%>
 <% if deploy_packages.include?("sudo") && options.sudo? -%>
 sed -i 's/env_reset/env_keep="*"/' /etc/sudoers && \
 <% end -%>
 <% if deploy_database == 'sqlite3' -%>
 mkdir /data<% if using_litefs? %> /litefs<% end %> && \
- chown -R rails:rails <%= Dir[*%w(db log storage tmp)].join(" ") %> /data<% if using_litefs? %> /litefs<% end %>
+ chown -R <%= user %> <%= Dir[*%w(db log storage tmp)].join(" ") %> /data<% if using_litefs? %> /litefs<% end %>
 <% else -%>
- chown -R rails:rails <%= Dir[*%w(db log storage tmp)].join(" ") %>
+ chown -R <%= user %> <%= Dir[*%w(db log storage tmp)].join(" ") %>
 <% end -%>
 <% unless options.swap? or using_passenger? or using_litefs? -%>
-USER rails:rails
+USER <%= user %>
 <% end -%>
 <% end -%>
diff --git a/test/results/bin_cd/Dockerfile b/test/results/bin_cd/Dockerfile
index 862f6dc..15d1fe7 100644
--- a/test/results/bin_cd/Dockerfile
+++ b/test/results/bin_cd/Dockerfile
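Review bot: In the compose branch the new `user` variable is still the symbolic `"rails:rails"`, so `USER <%= user %>` renders as `USER rails:rails` there and a runtime enforcing runAsNonRoot still cannot verify the user is non-root, which is the problem the commit title sets out to fix. Since `UID` and `GID` are declared as `ARG`s in that branch and are available to both `RUN` and `USER`, `<% user = "$UID:$GID" -%>` would keep the chown targets and the final `USER` numeric while honouring the build-time overrides. In the else branch, `useradd rails --uid 1000 --gid 1000` will now fail the build if the base image already owns UID 1000; I cannot see the `FROM` line from here, but a comment such as `# fixed numeric UID/GID so runtimes enforcing runAsNonRoot can verify the user` would record why the ids are pinned. The ERB conditional that the `<% else -%>` on the first hunk line belongs to begins before this hunk.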
@@ -52,10 +52,11 @@ COPY --from=build /usr/local/bundle /usr/local/bundle
 COPY --from=build /rails /rails
 # Run and own only the runtime files as a non-root user for security
-RUN useradd rails --create-home --shell /bin/bash && \
+RUN groupadd --system --gid 1000 rails && \
+ useradd rails --uid 1000 --gid 1000 --create-home --shell /bin/bash && \
 mkdir /data && \
- chown -R rails:rails db log storage tmp /data
-USER rails:rails
+ chown -R 1000:1000 db log storage tmp /data
+USER 1000:1000
 # Deployment options
 ENV DATABASE_URL="sqlite3:///data/production.sqlite3"
diff --git a/test/results/cache/Dockerfile b/test/results/cache/Dockerfile
index 4c06428..6003b87 100644
--- a/test/results/cache/Dockerfile
+++ b/test/results/cache/Dockerfile
@@ -76,10 +76,11 @@ COPY --from=build /usr/local/bundle /usr/local/bundle
 COPY --from=build /rails /rails
 # Run and own only the runtime files as a non-root user for security
-RUN useradd rails --create-home --shell /bin/bash && \
+RUN groupadd --system --gid 1000 rails && \
+ useradd rails --uid 1000 --gid 1000 --create-home --shell /bin/bash && \
 mkdir /data && \
- chown -R rails:rails db log storage tmp /data
-USER rails:rails
+ chown -R 1000:1000 db log storage tmp /data
+USER 1000:1000
 # Deployment options
 ENV DATABASE_URL="sqlite3:///data/production.sqlite3"
diff --git a/test/results/ci/Dockerfile b/test/results/ci/Dockerfile
index bb8e72c..61546dc 100644
--- a/test/results/ci/Dockerfile
+++ b/test/results/ci/Dockerfile
@@ -49,10 +49,11 @@ COPY --from=build /usr/local/bundle /usr/local/bundle
 COPY --from=build /rails /rails
 # Run and own only the runtime files as a non-root user for security
-RUN useradd rails --create-home --shell /bin/bash && \
+RUN groupadd --system --gid 1000 rails && \
+ useradd rails --uid 1000 --gid 1000 --create-home --shell /bin/bash && \
 mkdir /data && \
- chown -R rails:rails db log storage tmp /data
-USER rails:rails
+ chown -R 1000:1000 db log storage tmp /data
+USER 1000:1000
 # Deployment options
 ENV DATABASE_URL="sqlite3:///data/production.sqlite3"
diff --git a/test/results/config/Dockerfile b/test/results/config/Dockerfile
index 5845725..8fda8c2 100644
--- a/test/results/config/Dockerfile
+++ b/test/results/config/Dockerfile
@@ -49,10 +49,11 @@ COPY --from=build /usr/local/bundle /usr/local/bundle
 COPY --from=build /rails /rails
 # Run and own only the runtime files as a non-root user for security
-RUN useradd rails --create-home --shell /bin/bash && \
+RUN groupadd --system --gid 1000 rails && \
+ useradd rails --uid 1000 --gid 1000 --create-home --shell /bin/bash && \
 mkdir /data && \
- chown -R rails:rails db log storage tmp /data
-USER rails:rails
+ chown -R 1000:1000 db log storage tmp /data
+USER 1000:1000
 # Deployment options
 ENV DATABASE_URL="sqlite3:///data/production.sqlite3" \
diff --git a/test/results/env/Dockerfile b/test/results/env/Dockerfile
index 3426144..6053a5f 100644
--- a/test/results/env/Dockerfile
+++ b/test/results/env/Dockerfile
@@ -53,10 +53,11 @@ COPY --from=build /usr/local/bundle /usr/local/bundle
 COPY --from=build /rails /rails
 # Run and own only the runtime files as a non-root user for security
-RUN useradd rails --create-home --shell /bin/bash && \
+RUN groupadd --system --gid 1000 rails && \
+ useradd rails --uid 1000 --gid 1000 --create-home --shell /bin/bash && \
 mkdir /data && \
- chown -R rails:rails db log storage tmp /data
-USER rails:rails
+ chown -R 1000:1000 db log storage tmp /data
+USER 1000:1000
 # Deployment options
 ENV DATABASE_URL="sqlite3:///data/production.sqlite3"
diff --git a/test/results/execjs_importmap/Dockerfile b/test/results/execjs_importmap/Dockerfile
index cfdfa18..38bd1ea 100644
--- a/test/results/execjs_importmap/Dockerfile
+++ b/test/results/execjs_importmap/Dockerfile
@@ -68,10 +68,11 @@ COPY --from=build /usr/local/bundle /usr/local/bundle
 COPY --from=build /rails /rails
 # Run and own only the runtime files as a non-root user for security
-RUN useradd rails --create-home --shell /bin/bash && \
+RUN groupadd --system --gid 1000 rails && \
+ useradd rails --uid 1000 --gid 1000 --create-home --shell /bin/bash && \
 mkdir /data && \
- chown -R rails:rails db log storage tmp /data
-USER rails:rails
+ chown -R 1000:1000 db log storage tmp /data
+USER 1000:1000
 # Deployment options
 ENV DATABASE_URL="sqlite3:///data/production.sqlite3"
diff --git a/test/results/execjs_node/Dockerfile b/test/results/execjs_node/Dockerfile
index 59fff1c..791116c 100644
--- a/test/results/execjs_node/Dockerfile
+++ b/test/results/execjs_node/Dockerfile
@@ -76,10 +76,11 @@ COPY --from=build /usr/local/bundle /usr/local/bundle
 COPY --from=build /rails /rails
 # Run and own only the runtime files as a non-root user for security
-RUN useradd rails --create-home --shell /bin/bash && \
+RUN groupadd --system --gid 1000 rails && \
+ useradd rails --uid 1000 --gid 1000 --create-home --shell /bin/bash && \
 mkdir /data && \
- chown -R rails:rails db log storage tmp /data
-USER rails:rails
+ chown -R 1000:1000 db log storage tmp /data
+USER 1000:1000
 # Deployment options
 ENV DATABASE_URL="sqlite3:///data/production.sqlite3"
diff --git a/test/results/fullstaq/Dockerfile b/test/results/fullstaq/Dockerfile
index b4cc007..a1e56db 100644
--- a/test/results/fullstaq/Dockerfile
+++ b/test/results/fullstaq/Dockerfile
@@ -49,10 +49,11 @@ COPY --from=build /usr/local/bundle /usr/local/bundle
 COPY --from=build /rails /rails
 # Run and own only the runtime files as a non-root user for security
-RUN useradd rails --create-home --shell /bin/bash && \
+RUN groupadd --system --gid 1000 rails && \
+ useradd rails --uid 1000 --gid 1000 --create-home --shell /bin/bash && \
 mkdir /data && \
- chown -R rails:rails db log storage tmp /data
-USER rails:rails
+ chown -R 1000:1000 db log storage tmp /data
+USER 1000:1000
 # Deployment options
 ENV DATABASE_URL="sqlite3:///data/production.sqlite3"
diff --git a/test/results/grover/Dockerfile b/test/results/grover/Dockerfile
index 79f6845..51737fa 100644
--- a/test/results/grover/Dockerfile
+++ b/test/results/grover/Dockerfile
@@ -69,10 +69,11 @@ COPY --from=build /usr/local/bundle /usr/local/bundle
 COPY --from=build /rails /rails
 # Run and own only the runtime files as a non-root user for security
-RUN useradd rails --create-home --shell /bin/bash && \
+RUN groupadd --system --gid 1000 rails && \
+ useradd rails --uid 1000 --gid 1000 --create-home --shell /bin/bash && \
 mkdir /data && \
- chown -R rails:rails db log storage tmp /data
-USER rails:rails
+ chown -R 1000:1000 db log storage tmp /data
+USER 1000:1000
 # Deployment options
 ENV DATABASE_URL="sqlite3:///data/production.sqlite3" \
diff --git a/test/results/idle/Dockerfile b/test/results/idle/Dockerfile
index 33a2efd..f37d94a 100644
--- a/test/results/idle/Dockerfile
+++ b/test/results/idle/Dockerfile
@@ -89,9 +89,10 @@ COPY --from=build /rails /rails
 COPY --from=build /root/.passenger/native_support /root/.passenger/native_support
 # Run and own only the runtime files as a non-root user for security
-RUN useradd rails --create-home --shell /bin/bash && \
+RUN groupadd --system --gid 1000 rails && \
+ useradd rails --uid 1000 --gid 1000 --create-home --shell /bin/bash && \
 mkdir /data && \
- chown -R rails:rails db log storage tmp /data
+ chown -R 1000:1000 db log storage tmp /data
 # Deployment options
 ENV DATABASE_URL="sqlite3:///data/production.sqlite3"
diff --git a/test/results/jemalloc/Dockerfile b/test/results/jemalloc/Dockerfile
index d286b08..465b47c 100644
--- a/test/results/jemalloc/Dockerfile
+++ b/test/results/jemalloc/Dockerfile
@@ -49,10 +49,11 @@ COPY --from=build /usr/local/bundle /usr/local/bundle
 COPY --from=build /rails /rails
 # Run and own only the runtime files as a non-root user for security
-RUN useradd rails --create-home --shell /bin/bash && \
+RUN groupadd --system --gid 1000 rails && \
+ useradd rails --uid 1000 --gid 1000 --create-home --shell /bin/bash && \
 mkdir /data && \
- chown -R rails:rails db log storage tmp /data
-USER rails:rails
+ chown -R 1000:1000 db log storage tmp /data
+USER 1000:1000
 # Deployment options
 ENV DATABASE_URL="sqlite3:///data/production.sqlite3" \
diff --git a/test/results/label/Dockerfile b/test/results/label/Dockerfile
index 95dcd47..097ee2f 100644
--- a/test/results/label/Dockerfile
+++ b/test/results/label/Dockerfile
@@ -51,10 +51,11 @@ COPY --from=build /usr/local/bundle /usr/local/bundle
 COPY --from=build /rails /rails
 # Run and own only the runtime files as a non-root user for security
-RUN useradd rails --create-home --shell /bin/bash && \
+RUN groupadd --system --gid 1000 rails && \
+ useradd rails --uid 1000 --gid 1000 --create-home --shell /bin/bash && \
 mkdir /data && \
- chown -R rails:rails db log storage tmp /data
-USER rails:rails
+ chown -R 1000:1000 db log storage tmp /data
+USER 1000:1000
 # Deployment options
 ENV DATABASE_URL="sqlite3:///data/production.sqlite3"
diff --git a/test/results/litefs/Dockerfile b/test/results/litefs/Dockerfile
index f140f54..f6d529d 100644
--- a/test/results/litefs/Dockerfile
+++ b/test/results/litefs/Dockerfile
@@ -57,9 +57,10 @@ COPY --from=build /usr/local/bundle /usr/local/bundle
 COPY --from=build /rails /rails
 # Run and own only the runtime files as a non-root user for security
-RUN useradd rails --create-home --shell /bin/bash && \
+RUN groupadd --system --gid 1000 rails && \
+ useradd rails --uid 1000 --gid 1000 --create-home --shell /bin/bash && \
 mkdir /data /litefs && \
- chown -R rails:rails db log storage tmp /data /litefs
+ chown -R 1000:1000 db log storage tmp /data /litefs
 # Authorize rails user to launch litefs
 COPY <<-"EOF" /etc/sudoers.d/rails
diff --git a/test/results/litestack/Dockerfile b/test/results/litestack/Dockerfile
index 7e012fb..270b4d8 100644
--- a/test/results/litestack/Dockerfile
+++ b/test/results/litestack/Dockerfile
@@ -54,10 +54,11 @@ COPY --from=build /usr/local/bundle /usr/local/bundle
 COPY --from=build /rails /rails
 # Run and own only the runtime files as a non-root user for security
-RUN useradd rails --create-home --shell /bin/bash && \
+RUN groupadd --system --gid 1000 rails && \
+ useradd rails --uid 1000 --gid 1000 --create-home --shell /bin/bash && \
 mkdir /data && \
- chown -R rails:rails db log storage tmp /data
-USER rails:rails
+ chown -R 1000:1000 db log storage tmp /data
+USER 1000:1000
 # Deployment options
 ENV DATABASE_URL="sqlite3:///data/production.sqlite3"
diff --git a/test/results/minimal/Dockerfile b/test/results/minimal/Dockerfile
index 8b72e9f..8db8b15 100644
--- a/test/results/minimal/Dockerfile
+++ b/test/results/minimal/Dockerfile
@@ -49,10 +49,11 @@ COPY --from=build /usr/local/bundle /usr/local/bundle
 COPY --from=build /rails /rails
 # Run and own only the runtime files as a non-root user for security
-RUN useradd rails --create-home --shell /bin/bash && \
+RUN groupadd --system --gid 1000 rails && \
+ useradd rails --uid 1000 --gid 1000 --create-home --shell /bin/bash && \
 mkdir /data && \
- chown -R rails:rails db log storage tmp /data
-USER rails:rails
+ chown -R 1000:1000 db log storage tmp /data
+USER 1000:1000
 # Deployment options
 ENV DATABASE_URL="sqlite3:///data/production.sqlite3"
diff --git a/test/results/nginx/Dockerfile b/test/results/nginx/Dockerfile
index 29f8003..32dd5d8 100644
--- a/test/results/nginx/Dockerfile
+++ b/test/results/nginx/Dockerfile
@@ -82,11 +82,12 @@ COPY --from=build /usr/local/bundle /usr/local/bundle
 COPY --from=build /rails /rails
 # Run and own only the runtime files as a non-root user for security
-RUN useradd rails --create-home --shell /bin/bash && \
- chown rails:rails /var/lib/nginx /var/log/nginx/* && \
+RUN groupadd --system --gid 1000 rails && \
+ useradd rails --uid 1000 --gid 1000 --create-home --shell /bin/bash && \
+ chown 1000:1000 /var/lib/nginx /var/log/nginx/* && \
 mkdir /data && \
- chown -R rails:rails db log storage tmp /data
-USER rails:rails
+ chown -R 1000:1000 db log storage tmp /data
+USER 1000:1000
 # Deployment options
 ENV DATABASE_URL="sqlite3:///data/production.sqlite3" \
diff --git a/test/results/no_prep/Dockerfile b/test/results/no_prep/Dockerfile
index 01286e4..1764faf 100644
--- a/test/results/no_prep/Dockerfile
+++ b/test/results/no_prep/Dockerfile
@@ -49,10 +49,11 @@ COPY --from=build /usr/local/bundle /usr/local/bundle
 COPY --from=build /rails /rails
 # Run and own only the runtime files as a non-root user for security
-RUN useradd rails --create-home --shell /bin/bash && \
+RUN groupadd --system --gid 1000 rails && \
+ useradd rails --uid 1000 --gid 1000 --create-home --shell /bin/bash && \
 mkdir /data && \
- chown -R rails:rails db log storage tmp /data
-USER rails:rails
+ chown -R 1000:1000 db log storage tmp /data
+USER 1000:1000
 # Deployment options
 ENV DATABASE_URL="sqlite3:///data/production.sqlite3"
diff --git a/test/results/parallel/Dockerfile b/test/results/parallel/Dockerfile
index 02492b2..67a3733 100644
--- a/test/results/parallel/Dockerfile
+++ b/test/results/parallel/Dockerfile
@@ -77,10 +77,11 @@ COPY --from=build /usr/local/bundle /usr/local/bundle
 COPY --from=build /rails /rails
 # Run and own only the runtime files as a non-root user for security
-RUN useradd rails --create-home --shell /bin/bash && \
+RUN groupadd --system --gid 1000 rails && \
+ useradd rails --uid 1000 --gid 1000 --create-home --shell /bin/bash && \
 mkdir /data && \
- chown -R rails:rails db log storage tmp /data
-USER rails:rails
+ chown -R 1000:1000 db log storage tmp /data
+USER 1000:1000
 # Deployment options
 ENV DATABASE_URL="sqlite3:///data/production.sqlite3"
diff --git a/test/results/precompile_defer/Dockerfile b/test/results/precompile_defer/Dockerfile
index 78f6a9a..50d65da 100644
--- a/test/results/precompile_defer/Dockerfile
+++ b/test/results/precompile_defer/Dockerfile
@@ -37,10 +37,11 @@ RUN apt-get update -qq && \
 rm -rf /var/lib/apt/lists /var/cache/apt/archives
 # Run and own only the runtime files as a non-root user for security
-RUN useradd rails --create-home --shell /bin/bash && \
+RUN groupadd --system --gid 1000 rails && \
+ useradd rails --uid 1000 --gid 1000 --create-home --shell /bin/bash && \
 mkdir /data && \
- chown -R rails:rails db log storage tmp /data
-USER rails:rails
+ chown -R 1000:1000 db log storage tmp /data
+USER 1000:1000
 # Deployment options
 ENV DATABASE_URL="sqlite3:///data/production.sqlite3"
diff --git a/test/results/rmagick/Dockerfile b/test/results/rmagick/Dockerfile
index 0f2bc37..f7dc0f8 100644
--- a/test/results/rmagick/Dockerfile
+++ b/test/results/rmagick/Dockerfile
@@ -49,10 +49,11 @@ COPY --from=build /usr/local/bundle /usr/local/bundle
 COPY --from=build /rails /rails
 # Run and own only the runtime files as a non-root user for security
-RUN useradd rails --create-home --shell /bin/bash && \
+RUN groupadd --system --gid 1000 rails && \
+ useradd rails --uid 1000 --gid 1000 --create-home --shell /bin/bash && \
 mkdir /data && \
- chown -R rails:rails db log storage tmp /data
-USER rails:rails
+ chown -R 1000:1000 db log storage tmp /data
+USER 1000:1000
 # Deployment options
 ENV DATABASE_URL="sqlite3:///data/production.sqlite3"
diff --git a/test/results/swap/Dockerfile b/test/results/swap/Dockerfile
index dbd734f..004c725 100644
--- a/test/results/swap/Dockerfile
+++ b/test/results/swap/Dockerfile
@@ -49,9 +49,10 @@ COPY --from=build /usr/local/bundle /usr/local/bundle
 COPY --from=build /rails /rails
 # Run and own only the runtime files as a non-root user for security
-RUN useradd rails --create-home --shell /bin/bash && \
+RUN groupadd --system --gid 1000 rails && \
+ useradd rails --uid 1000 --gid 1000 --create-home --shell /bin/bash && \
 mkdir /data && \
- chown -R rails:rails db log storage tmp /data
+ chown -R 1000:1000 db log storage tmp /data
 # Deployment options
 ENV DATABASE_URL="sqlite3:///data/production.sqlite3"
diff --git a/test/results/vite/Dockerfile b/test/results/vite/Dockerfile
index 9ae4659..683b928 100644
--- a/test/results/vite/Dockerfile
+++ b/test/results/vite/Dockerfile
@@ -60,10 +60,11 @@ COPY --from=build /usr/local/bundle /usr/local/bundle
 COPY --from=build /rails /rails
 # Run and own only the runtime files as a non-root user for security
-RUN useradd rails --create-home --shell /bin/bash && \
+RUN groupadd --system --gid 1000 rails && \
+ useradd rails --uid 1000 --gid 1000 --create-home --shell /bin/bash && \
 mkdir /data && \
- chown -R rails:rails db log storage tmp /data
-USER rails:rails
+ chown -R 1000:1000 db log storage tmp /data
+USER 1000:1000
 # Deployment options
 ENV DATABASE_URL="sqlite3:///data/production.sqlite3"
diff --git a/test/results/windows/Dockerfile b/test/results/windows/Dockerfile
index 50bc58c..c270b5e 100644
--- a/test/results/windows/Dockerfile
+++ b/test/results/windows/Dockerfile
@@ -53,10 +53,11 @@ COPY --from=build /usr/local/bundle /usr/local/bundle
 COPY --from=build /rails /rails
 # Run and own only the runtime files as a non-root user for security
-RUN useradd rails --create-home --shell /bin/bash && \
+RUN groupadd --system --gid 1000 rails && \
+ useradd rails --uid 1000 --gid 1000 --create-home --shell /bin/bash && \
 mkdir /data && \
- chown -R rails:rails db log storage tmp /data
-USER rails:rails
+ chown -R 1000:1000 db log storage tmp /data
+USER 1000:1000
 # Deployment options
 ENV DATABASE_URL="sqlite3:///data/production.sqlite3"
diff --git a/test/results/yjit/Dockerfile b/test/results/yjit/Dockerfile
index 9464c78..e3d0848 100644
--- a/test/results/yjit/Dockerfile
+++ b/test/results/yjit/Dockerfile
@@ -49,10 +49,11 @@ COPY --from=build /usr/local/bundle /usr/local/bundle
 COPY --from=build /rails /rails
 # Run and own only the runtime files as a non-root user for security
-RUN useradd rails --create-home --shell /bin/bash && \
+RUN groupadd --system --gid 1000 rails && \
+ useradd rails --uid 1000 --gid 1000 --create-home --shell /bin/bash && \
 mkdir /data && \
- chown -R rails:rails db log storage tmp /data
-USER rails:rails
+ chown -R 1000:1000 db log storage tmp /data
+USER 1000:1000
 # Deployment options
 ENV DATABASE_URL="sqlite3:///data/production.sqlite3" \