stop running as root in container

[NissesSenap]

Hi

I'm new to the netbox community but I have gotten a request to run it for a customer.
I took a quick look around and I notice that the container is running as root. Is there any reason behind this?

Is it due to that you are running nginx on port 80?
If so would it be interesting for the community to move to port 8080?

Is there any other obvious blocker why we cant run as a normal user?
Running as root in a container system is really really dangerous.

Depending on requirements me or a colleague might be able to help out with this if it's a feature that you would like.

[kkthxbye-code]

I took a quick look around and I notice that the container is running as root.

Where did you see that? By default it runs as unit:root, that is the user unit and as part of the root group.

netbox-docker/docker-compose.yml

Line 11 in 3f1e45f

user: 'unit:root'

If you are talking about running the image standalone, it will run the ENTRYPOINT as whatever user you instruct it to run as.

docker run --rm -it --user unit:unit netboxcommunity/netbox

Is there any reason behind this?

Ignoring the initial faulty assumption, I believe the reason that the default group is root, is to ease the use of host mounts.

Is it due to that you are running nginx on port 80?

nginx is not used. Nginx unit is used as an application server, but it doesn't run as root. It also doesn't run on port 80. Where did that assumption come from?

https://github.com/netbox-community/netbox-docker/blob/release/docker/nginx-unit.json#L3

If so would it be interesting for the community to move to port 8080?

It already binds to port 8080 inside the container.

Is there any other obvious blocker why we cant run as a normal user?

It's getting redundant, but it is running as a normal user.

Running as root in a container system is really really dangerous.

While true in some cases, there are ways to run root in docker containers without the security implications. Docker Rootless, podman (rootless by default), user namespaces etc.

Do you have any concrete changes you want to suggest that are not possible to manage with a docker-override?

[kkthxbye-code]

To illustrate, here's the process list after a fresh clone of the repo and docker-compose up:

➜  ~ docker container top 264e1b0973f5
UID                 PID                 PPID                C                   STIME               TTY
TIME                CMD
101                 2397                2376                0                   10:00               ?
00:00:00            /usr/bin/tini -- /opt/netbox/docker-entrypoint.sh /opt/netbox/launch-netbox.sh
101                 2468                2397                0                   10:00               ?
00:00:00            unit: main v1.27.0 [unitd --no-daemon --control unix:/opt/unit/unit.sock --pid /opt/unit/unit.pid --log /dev/stdout --state /opt/unit/state/ --tmp /opt/unit/tmp/ --user unit --group root]
101                 2560                2468                0                   10:01               ?
00:00:00            unit: controller
101                 2561                2468                0                   10:01               ?
00:00:00            unit: router
101                 2565                2468                0                   10:01               ?
00:00:00            unit: "netbox" prototype
101                 2566                2565                4                   10:01               ?
00:00:00            unit: "netbox" application

What I do think would be nice would be for the group to be configurable in the launch-netbox.sh script:

netbox-docker/docker/launch-netbox.sh

Line 56 in 3f1e45f

--group root

Having the user being customizable would also be nice, but there might be some issue with regards to using a non-existant user at runtime, so not sure if there are any other options than the unit user.

[NissesSenap]

Hi @kkthxbye-code , thanks for your quick reply.

So about root, if you run docker run without specifying any user you will get it running as root.

➜ docker run -it docker.io/netboxcommunity/netbox:latest id     
uid=0(root) gid=0(root) groups=0(root)

My plan is to run netbox in kubernetes and yes you can define a specific user but the risk is of course that people don't.
Do you know if anyone have done that before?
If you would be interested I could share an example config when we have gotten it to work.

Since the entrypoint script is obliviously maid to run with the user unit would you have anything against seeing the addition of
USER unit:root
In the dockerfile: https://docs.docker.com/engine/reference/builder/#user

I think

netbox-docker/Dockerfile

Line 87 in 3f1e45f

should do the trick.

I'm happy to create the PR.

I understand that I could do my own docker override but then I would have to manage my own image and that is far from ideal.

I tried to find how to build the Dockerfile but was unable to do so since I have to define the FROM argument.
To make that easier we could also add ARG with a default value:

ARG FROM=<image-name>