Root access #54
Comments
Hi @aleclarson, we do support running collector as a user other than root. It is documented here: https://help.sumologic.com/Send-Data/Installed-Collectors/05Reference-Information-for-Collector-Installation/05Set-the-Run-As-User-for-a-Collector. However, you'll need to follow Docker's documentation to create a user group and a user in your own Dockerfile to build the collector image. The Dockerfile we are using for The engineering team will track a work item to provide an option that allows running as non-root user in the collector image to save you from these extra steps in the future.
Are there disadvantages to running as non-root? Why is root the default?
The collector process needs to listen to TCP/UDP ports (if you are running Syslog source), read/write from the collector directory for configurations, caches, etc. Defaulting to root makes the setup process a bit easier. Also, in Docker, any process is run with root by default. But of course, we need to provide options to change the default. You can do that pretty easily on the non-dockerized Sumo collector (when you install collector as a service, not a container); however, it needs some extra steps for the dockerized collector.
I'm going to echo this, running as UID 0 is very dangerous in most cases. I would strongly recommend using a
+1 My employer does not allow containers to run as root on our Kubernetes env. Adil.
Any update to this issue? We are trying to run this in a Kubernetes cluster and really care about the security context in which all of our containers run. It would be very useful to not have to roll our own specialty image to manage this. You folks allow some configuration of the Docker-based deployment to be injected via environment variables. Would that be an option to add that to this Docker image?
Your best bet is to create a custom Docker image based on the official Docker image. That will enable you to impose your org's policies. We ended up doing the same rather than wait.
Is it necessary for `sumologic/collector:latest` to be run as the root user? If so, how vulnerable does that make my other containers?
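
For the Kubernetes deployments raised in the comments above, an added example (not from the thread or from the Sumo Logic project) that checks a pod spec for containers that may run as UID 0. The manifests, the `example.invalid` image names and UID 1000 are constructed; `runAsUser` and `runAsNonRoot` are the standard Kubernetes `securityContext` fields, where a container-level value overrides the pod-level one.

```python
"""Audit a Kubernetes pod spec for containers that may run as UID 0."""


def _effective(pod_ctx, ctr_ctx, key):
    # A container-level securityContext value overrides the pod-level one.
    return ctr_ctx[key] if key in ctr_ctx else pod_ctx.get(key)


def audit_pod(pod):
    """Return (container name, finding) pairs for containers that may run as root."""
    spec = pod["spec"]
    pod_ctx = spec.get("securityContext") or {}
    findings = []
    for ctr in spec.get("initContainers", []) + spec.get("containers", []):
        ctr_ctx = ctr.get("securityContext") or {}
        uid = _effective(pod_ctx, ctr_ctx, "runAsUser")
        non_root = _effective(pod_ctx, ctr_ctx, "runAsNonRoot")
        if uid == 0:
            findings.append((ctr["name"], "runAsUser is 0"))
        elif uid is None and not non_root:
            # Nothing pins the UID, so the image's own default user applies.
            findings.append(
                (ctr["name"], "UID left to image default and runAsNonRoot not set"))
    return findings


# Constructed manifest: the stock image with no securityContext at all.
DEFAULT_POD = {"spec": {"containers": [
    {"name": "collector", "image": "sumologic/collector:latest"},
]}}

# Constructed manifest: pod-level hardening, with one container overriding it.
HARDENED_POD = {"spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
    "containers": [
        {"name": "collector", "image": "example.invalid/custom-collector:1"},
        {"name": "debug", "image": "example.invalid/tools:1",
         "securityContext": {"runAsUser": 0}},
    ],
}}

if __name__ == "__main__":
    for label, pod in (("default", DEFAULT_POD), ("hardened", HARDENED_POD)):
        print(label, audit_pod(pod))
```

Setting `runAsUser` only helps if the image's files and ports are usable by that UID, which is why the thread points to building a custom image.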