From 9026cb10f987e7346dbfcd85bd09dda2dcfd9fd6 Mon Sep 17 00:00:00 2001 From: michael Date: Mon, 16 Jul 2018 23:42:33 +0000 Subject: [PATCH] General security practices say you run with the least privileges required, network daemons are particularly at risk when running as root as a bug in the daemon will give a remote attacker root access in the container, it's easier then to break out with root access on the host. Docker says in https://docs.docker.com/engine/security/security/#conclusions "Docker containers are, by default, quite secure; especially if you run your processes as non-privileged users inside the container." add user osrm and package su-exec and change example to use it --- README.md | 2 +- docker/Dockerfile | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 4f3540e0f..88ec9d655 100644 --- a/README.md +++ b/README.md @@ -67,7 +67,7 @@ The flag `-v $(pwd):/data` creates the directory `/data` inside the docker conta Note that `berlin-latest.osrm` has a different file extension. - docker run -t -i -p 5000:5000 -v $(pwd):/data osrm/osrm-backend osrm-routed --algorithm mld /data/berlin-latest.osrm + docker run -t -i -p 5000:5000 -v $(pwd):/data osrm/osrm-backend su-exec osrm osrm-routed --algorithm mld /data/berlin-latest.osrm Make requests against the HTTP server diff --git a/docker/Dockerfile b/docker/Dockerfile index 50f531ed6..0a62d5781 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -37,7 +37,8 @@ FROM alpine:3.6 as runstage RUN mkdir -p /src && mkdir -p /opt RUN echo "@testing http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories && \ apk update && \ - apk add boost-filesystem boost-program_options boost-regex boost-iostreams boost-thread libgomp lua5.2 expat libtbb@testing + apk add boost-filesystem boost-program_options boost-regex boost-iostreams boost-thread libgomp lua5.2 expat libtbb@testing su-exec +RUN adduser -D osrm COPY --from=buildstage /usr/local /usr/local COPY --from=buildstage /opt /opt WORKDIR /opt