
Use non-root user in built containers #4783

Merged
merged 3 commits into from
Sep 27, 2023
4 changes: 4 additions & 0 deletions cmd/all-in-one/Dockerfile
Expand Up @@ -3,6 +3,7 @@ ARG debug_image

FROM $base_image AS release
ARG TARGETARCH
ARG USER_UID=10001

# Agent zipkin.thrift compact
EXPOSE 5775/udp
Expand Down Expand Up @@ -33,9 +34,11 @@ COPY sampling_strategies.json /etc/jaeger/

VOLUME ["/tmp"]
ENTRYPOINT ["/go/bin/all-in-one-linux"]
USER ${USER_UID}

FROM $debug_image AS debug
ARG TARGETARCH=amd64
ARG USER_UID=10001

# Agent zipkin.thrift compact
EXPOSE 5775/udp
Expand Down Expand Up @@ -69,3 +72,4 @@ COPY sampling_strategies.json /etc/jaeger/

VOLUME ["/tmp"]
ENTRYPOINT ["/go/bin/dlv", "exec", "/go/bin/all-in-one-linux", "--headless", "--listen=:12345", "--api-version=2", "--accept-multiclient", "--log", "--"]
USER ${USER_UID}
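Review bot: `VOLUME ["/tmp"]` stays in both stages while the process now starts as UID 10001, so any write under `/tmp` only succeeds if that directory is writable by a non-root user in `$base_image` and `$debug_image`. Neither base image is visible in this diff, so this cannot be confirmed from here; if the bases are scratch-derived, the mount point is likely created root-owned. I would check it with a container run that writes to `/tmp` and record the dependency next to the volume, e.g. `# /tmp must be writable by USER_UID; ownership and mode come from the base image`. Both hunks begin and end mid-stage, so the rest of each stage was not reviewed.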
2 changes: 2 additions & 0 deletions cmd/anonymizer/Dockerfile
@@ -1,5 +1,7 @@
FROM scratch
ARG TARGETARCH
ARG USER_UID=10001

COPY anonymizer-linux-$TARGETARCH /go/bin/anonymizer-linux
ENTRYPOINT ["/go/bin/anonymizer-linux"]
USER ${USER_UID}
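Review bot: `USER ${USER_UID}` sets only the user, and with no group given and no passwd entry in a `FROM scratch` image the process keeps GID 0, so it still runs in the root group. Naming the group explicitly removes that: `USER ${USER_UID}:${USER_UID}` (or a separate `ARG USER_GID=10001` and `USER ${USER_UID}:${USER_GID}`). The same line is added in every other Dockerfile in this PR (all-in-one, collector, es-index-cleaner, es-rollover, ingester, query, remote-storage, tracegen), and the point applies there too unless the base image defines a primary group for that UID, which this diff does not show.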
4 changes: 4 additions & 0 deletions cmd/collector/Dockerfile
Expand Up @@ -3,12 +3,16 @@ ARG debug_image

FROM $base_image AS release
ARG TARGETARCH
ARG USER_UID=10001
COPY collector-linux-$TARGETARCH /go/bin/collector-linux
EXPOSE 14250/tcp
ENTRYPOINT ["/go/bin/collector-linux"]
USER ${USER_UID}

FROM $debug_image AS debug
ARG TARGETARCH=amd64
ARG USER_UID=10001
COPY collector-debug-linux-$TARGETARCH /go/bin/collector-linux
EXPOSE 12345/tcp 14250/tcp
ENTRYPOINT ["/go/bin/dlv", "exec", "/go/bin/collector-linux", "--headless", "--listen=:12345", "--api-version=2", "--accept-multiclient", "--log", "--"]
USER ${USER_UID}
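Review bot: The debug stage has no comment explaining that `USER ${USER_UID}` narrows, but does not remove, the exposure of the headless `dlv` listener on `:12345`. A client that can reach that port still controls the debugged process, now as UID 10001 instead of root. I would add a comment above the debug `ENTRYPOINT`, e.g. `# debug image only: dlv listens on all interfaces without authentication; never publish 12345 outside a trusted network`. The same applies to the debug stages of the all-in-one, ingester, query and remote-storage Dockerfiles in this PR.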
2 changes: 2 additions & 0 deletions cmd/es-index-cleaner/Dockerfile
Expand Up @@ -2,5 +2,7 @@ ARG base_image

FROM $base_image AS release
ARG TARGETARCH
ARG USER_UID=10001
COPY es-index-cleaner-linux-$TARGETARCH /go/bin/es-index-cleaner-linux
ENTRYPOINT ["/go/bin/es-index-cleaner-linux"]
USER ${USER_UID}
2 changes: 2 additions & 0 deletions cmd/es-rollover/Dockerfile
Expand Up @@ -2,5 +2,7 @@ ARG base_image

FROM $base_image AS release
ARG TARGETARCH
ARG USER_UID=10001
COPY es-rollover-linux-$TARGETARCH /go/bin/es-rollover
ENTRYPOINT ["/go/bin/es-rollover"]
USER ${USER_UID}
4 changes: 4 additions & 0 deletions cmd/ingester/Dockerfile
Expand Up @@ -3,12 +3,16 @@ ARG debug_image

FROM $base_image AS release
ARG TARGETARCH
ARG USER_UID=10001
COPY ingester-linux-$TARGETARCH /go/bin/ingester-linux
EXPOSE 14270/tcp 14271/tcp
ENTRYPOINT ["/go/bin/ingester-linux"]
USER ${USER_UID}

FROM $debug_image AS debug
ARG TARGETARCH=amd64
ARG USER_UID=10001
COPY ingester-debug-linux-$TARGETARCH /go/bin/ingester-linux
EXPOSE 12345/tcp 14270/tcp 14271/tcp
ENTRYPOINT ["/go/bin/dlv", "exec", "/go/bin/ingester-linux", "--headless", "--listen=:12345", "--api-version=2", "--accept-multiclient", "--log", "--"]
USER ${USER_UID}
4 changes: 4 additions & 0 deletions cmd/query/Dockerfile
Expand Up @@ -3,12 +3,16 @@ ARG debug_image

FROM $base_image AS release
ARG TARGETARCH
ARG USER_UID=10001
COPY query-linux-$TARGETARCH /go/bin/query-linux
EXPOSE 16686/tcp
ENTRYPOINT ["/go/bin/query-linux"]
USER ${USER_UID}

FROM $debug_image AS debug
ARG TARGETARCH=amd64
ARG USER_UID=10001
COPY query-debug-linux-$TARGETARCH /go/bin/query-linux
EXPOSE 12345/tcp 16686/tcp
ENTRYPOINT ["/go/bin/dlv", "exec", "/go/bin/query-linux", "--headless", "--listen=:12345", "--api-version=2", "--accept-multiclient", "--log", "--"]
USER ${USER_UID}
4 changes: 4 additions & 0 deletions cmd/remote-storage/Dockerfile
Expand Up @@ -5,12 +5,16 @@ ARG SVC=remote-storage

FROM $base_image AS release
ARG TARGETARCH
ARG USER_UID=10001
COPY remote-storage-linux-$TARGETARCH /go/bin/remote-storage-linux
EXPOSE 16686/tcp
ENTRYPOINT ["/go/bin/remote-storage-linux"]
USER ${USER_UID}

FROM $debug_image AS debug
ARG TARGETARCH=amd64
ARG USER_UID=10001
COPY remote-storage-debug-linux-$TARGETARCH /go/bin/remote-storage-linux
EXPOSE 12345/tcp 16686/tcp
ENTRYPOINT ["/go/bin/dlv", "exec", "/go/bin/remote-storage-linux", "--headless", "--listen=:12345", "--api-version=2", "--accept-multiclient", "--log", "--"]
USER ${USER_UID}
2 changes: 2 additions & 0 deletions cmd/tracegen/Dockerfile
@@ -1,5 +1,7 @@
FROM scratch
ARG TARGETARCH
ARG USER_UID=10001

COPY tracegen-linux-$TARGETARCH /go/bin/tracegen-linux
ENTRYPOINT ["/go/bin/tracegen-linux"]
USER ${USER_UID}
51 changes: 24 additions & 27 deletions go.mod
Expand Up @@ -43,15 +43,15 @@ require (
github.com/stretchr/testify v1.8.4
github.com/uber/jaeger-client-go v2.30.0+incompatible
github.com/xdg-go/scram v1.1.2
go.opentelemetry.io/collector/component v0.85.0
Member

this is not part of the PR

go.opentelemetry.io/collector/config/configgrpc v0.85.0
go.opentelemetry.io/collector/config/confighttp v0.85.0
go.opentelemetry.io/collector/config/configtls v0.85.0
go.opentelemetry.io/collector/consumer v0.85.0
go.opentelemetry.io/collector/extension v0.85.0
go.opentelemetry.io/collector/pdata v1.0.0-rcv0014
go.opentelemetry.io/collector/receiver v0.85.0
go.opentelemetry.io/collector/receiver/otlpreceiver v0.85.0
go.opentelemetry.io/collector/component v0.86.0
go.opentelemetry.io/collector/config/configgrpc v0.86.0
go.opentelemetry.io/collector/config/confighttp v0.86.0
go.opentelemetry.io/collector/config/configtls v0.86.0
go.opentelemetry.io/collector/consumer v0.86.0
go.opentelemetry.io/collector/extension v0.86.0
go.opentelemetry.io/collector/pdata v1.0.0-rcv0015
go.opentelemetry.io/collector/receiver v0.86.0
go.opentelemetry.io/collector/receiver/otlpreceiver v0.86.0
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.44.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.44.0
go.opentelemetry.io/otel v1.18.0
Expand All @@ -65,7 +65,7 @@ require (
go.opentelemetry.io/otel/trace v1.18.0
go.uber.org/atomic v1.11.0
go.uber.org/automaxprocs v1.5.3
go.uber.org/zap v1.25.0
go.uber.org/zap v1.26.0
golang.org/x/net v0.15.0
golang.org/x/sys v0.12.0
google.golang.org/grpc v1.58.1
Expand All @@ -76,7 +76,6 @@ require (
require (
github.com/VividCortex/gohistogram v1.0.0 // indirect
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
github.com/benbjohnson/clock v1.3.0 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/cenkalti/backoff/v4 v4.2.1 // indirect
github.com/cespare/xxhash v1.1.0 // indirect
Expand Down Expand Up @@ -114,7 +113,7 @@ require (
github.com/jcmturner/rpc/v2 v2.0.3 // indirect
github.com/josharian/intern v1.0.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/klauspost/compress v1.16.7 // indirect
github.com/klauspost/compress v1.17.0 // indirect
github.com/knadh/koanf v1.5.0 // indirect
github.com/knadh/koanf/v2 v2.0.1 // indirect
github.com/kr/text v0.2.0 // indirect
Expand All @@ -129,7 +128,7 @@ require (
github.com/mitchellh/reflectwalk v1.0.2 // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/mostynb/go-grpc-compression v1.2.0 // indirect
github.com/mostynb/go-grpc-compression v1.2.1 // indirect
github.com/oklog/run v1.1.0 // indirect
github.com/oklog/ulid v1.3.1 // indirect
github.com/onsi/ginkgo v1.16.5 // indirect
Expand All @@ -154,20 +153,18 @@ require (
github.com/xdg-go/stringprep v1.0.4 // indirect
go.mongodb.org/mongo-driver v1.11.6 // indirect
go.opencensus.io v0.24.0 // indirect
go.opentelemetry.io/collector v0.85.0 // indirect
go.opentelemetry.io/collector/config/configauth v0.85.0 // indirect
go.opentelemetry.io/collector/config/configcompression v0.85.0 // indirect
go.opentelemetry.io/collector/config/confignet v0.85.0 // indirect
go.opentelemetry.io/collector/config/configopaque v0.85.0 // indirect
go.opentelemetry.io/collector/config/configtelemetry v0.85.0 // indirect
go.opentelemetry.io/collector/config/internal v0.85.0 // indirect
go.opentelemetry.io/collector/confmap v0.85.0 // indirect
go.opentelemetry.io/collector/exporter v0.85.0 // indirect
go.opentelemetry.io/collector/extension/auth v0.85.0 // indirect
go.opentelemetry.io/collector/featuregate v1.0.0-rcv0014 // indirect
go.opentelemetry.io/collector/processor v0.85.0 // indirect
go.opentelemetry.io/collector/semconv v0.85.0 // indirect
go.opentelemetry.io/otel/sdk/metric v0.40.0 // indirect
go.opentelemetry.io/collector v0.86.0 // indirect
go.opentelemetry.io/collector/config/configauth v0.86.0 // indirect
go.opentelemetry.io/collector/config/configcompression v0.86.0 // indirect
go.opentelemetry.io/collector/config/confignet v0.86.0 // indirect
go.opentelemetry.io/collector/config/configopaque v0.86.0 // indirect
go.opentelemetry.io/collector/config/configtelemetry v0.86.0 // indirect
go.opentelemetry.io/collector/config/internal v0.86.0 // indirect
go.opentelemetry.io/collector/confmap v0.86.0 // indirect
go.opentelemetry.io/collector/extension/auth v0.86.0 // indirect
go.opentelemetry.io/collector/featuregate v1.0.0-rcv0015 // indirect
go.opentelemetry.io/collector/semconv v0.86.0 // indirect
go.opentelemetry.io/otel/sdk/metric v0.41.0 // indirect
go.opentelemetry.io/proto/otlp v1.0.0 // indirect
go.uber.org/multierr v1.11.0 // indirect
golang.org/x/crypto v0.13.0 // indirect