Skip to content

Commit 33de216

Browse files
ppodgorsekppodgorsek
committed
Issue #230 - Do not use root user in container
1 parent 53cfc17 commit 33de216

File tree

3 files changed

+44
-4
lines changed

3 files changed

+44
-4
lines changed

.travis.yml

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -32,3 +32,8 @@ script:
3232

3333
- docker run --shm-size=1g -v `pwd`/test:/opt/robotframework/tests:Z -e BROWSER=chrome -e ROBOT_THREADS=4 -e PABOT_OPTIONS="--testlevelsplit" docker-robot-framework:ci
3434
- docker run --shm-size=1g -v `pwd`/test:/opt/robotframework/tests:Z -e BROWSER=firefox -e ROBOT_THREADS=4 -e PABOT_OPTIONS="--testlevelsplit" docker-robot-framework:ci
35+
36+
- docker run --user=2000 --shm-size=1g -v `pwd`/test:/opt/robotframework/tests:Z -e BROWSER=chrome docker-robot-framework:ci
37+
- docker run --user=2000 --shm-size=1g -v `pwd`/test:/opt/robotframework/tests:Z -e BROWSER=firefox docker-robot-framework:ci
38+
- docker run --user=2000:2000 --shm-size=1g -v `pwd`/test:/opt/robotframework/tests:Z -e BROWSER=chrome docker-robot-framework:ci
39+
- docker run --user=2000:2000 --shm-size=1g -v `pwd`/test:/opt/robotframework/tests:Z -e BROWSER=firefox docker-robot-framework:ci

Dockerfile

Lines changed: 22 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -4,15 +4,13 @@ MAINTAINER Paul Podgorsek <[email protected]>
44
LABEL description Robot Framework in Docker.
55

66
# Set the reports directory environment variable
7-
# By default, the directory is /opt/robotframework/reports
87
ENV ROBOT_REPORTS_DIR /opt/robotframework/reports
98

109
# Set the tests directory environment variable
11-
# By default, the directory is /opt/robotframework/tests
1210
ENV ROBOT_TESTS_DIR /opt/robotframework/tests
1311

14-
# Set up a volume for the generated reports
15-
VOLUME ${ROBOT_REPORTS_DIR}
12+
# Set the working directory environment variable
13+
ENV ROBOT_WORK_DIR /opt/robotframework/temp
1614

1715
# Setup X Window Virtual Framebuffer
1816
ENV SCREEN_COLOUR_DEPTH 24
@@ -23,6 +21,10 @@ ENV SCREEN_WIDTH 1920
2321
# By default, no parallelisation
2422
ENV ROBOT_THREADS 1
2523

24+
# Define the default user who'll run the tests
25+
ENV ROBOT_UID 1000
26+
ENV ROBOT_GID 1000
27+
2628
# Dependency versions
2729
ENV ALPINE_GLIBC 2.31-r0
2830
ENV CHROMIUM_VERSION 81.0
@@ -99,8 +101,24 @@ RUN apk update \
99101

100102
&& apk del --no-cache --update-cache .build-deps
101103

104+
# Create the default report and work folders with the default user to avoid runtime issues
105+
# These folders are writeable by anyone, to ensure the user can be changed on the command line.
106+
RUN mkdir -p ${ROBOT_REPORTS_DIR} \
107+
&& mkdir -p ${ROBOT_WORK_DIR} \
108+
&& chown ${ROBOT_UID}:${ROBOT_GID} ${ROBOT_REPORTS_DIR} \
109+
&& chown ${ROBOT_UID}:${ROBOT_GID} ${ROBOT_WORK_DIR} \
110+
&& chmod ugo+w ${ROBOT_REPORTS_DIR} ${ROBOT_WORK_DIR}
111+
102112
# Update system path
103113
ENV PATH=/opt/robotframework/bin:/opt/robotframework/drivers:$PATH
104114

115+
# Set up a volume for the generated reports
116+
VOLUME ${ROBOT_REPORTS_DIR}
117+
118+
USER ${ROBOT_UID}:${ROBOT_GID}
119+
120+
# A dedicated work folder to allow for the creation of temporary files
121+
WORKDIR ${ROBOT_WORK_DIR}
122+
105123
# Execute all robot tests
106124
CMD ["run-tests-in-virtual-screen.sh"]

README.md

Lines changed: 17 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -92,6 +92,23 @@ This project includes the IMAP library which allows Robot Framework to connect t
9292

9393
A suggestion to automate email testing is to run a [Mailcatcher instance in Docker which allows IMAP connections](https://github.com/estelora/docker-mailcatcher-imap). This will ensure emails are discarded once the tests have been run.
9494

95+
## Security consideration
96+
97+
By default, containers are implicitly run using `--user=1000:1000`, please remember to adjust that command-line setting accordingly, for example:
98+
99+
docker run \
100+
--user=1001:1001 \
101+
ppodgorsek/robot-framework:latest
102+
103+
Remember that that UID/GID should be allowed to access the mounted volumes in order to read the test suites and to write the output.
104+
105+
Additionally, it is possible to rely on user namespaces to further secure the execution. This is well described in the official container documentation:
106+
107+
* Docker: [Introduction to User Namespaces in Docker Engine](https://success.docker.com/article/introduction-to-user-namespaces-in-docker-engine)
108+
* Podman: [Running rootless Podman as a non-root user](https://www.redhat.com/sysadmin/rootless-podman-makes-sense)
109+
110+
This is a good security practice to make sure containers cannot perform unwanted changes on the host. In that sense, Podman is probably well ahead of Docker by not relying on a root daemon to run its containers.
111+
95112
## Continuous integration
96113

97114
It is possible to run the project from within a Jenkins pipeline by relying on the shell command line directly:

0 commit comments

Comments
 (0)