Dockerfile doesn't specify USER #5070
Comments
|
Thanks for the issue, you are correct, for production deployments a non-root USER is indeed recommended. The Docker image built in this repository and the associated usage in fabric-samples repository are for education and test purposes only as mentioned at https://github.com/hyperledger/fabric/tree/main/images/peer. root is utilized for simplicity in the samples to interact with the Docker daemon when building and starting chaincodes. Production deployments should specify a USER and are encouraged to use a chaincode build and run approach appropriate for the production environment (e.g. Kubernetes based), see https://hyperledger-fabric.readthedocs.io/en/latest/cc_launcher.html. We can utilize this issue to make the recommendation more clear, I'll update the title and remove the bug label accordingly. |
denyeart
changed the title
Description
By not specifying a USER, a program in the container may run as root. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than root.
images/orderer/Dockerfile:73
{CMD [ "orderer", "start" ]}
images/peer/Dockerfile:77
{VOLUME /etc/hyperledger/fabric
VOLUME /var/hyperledger
EXPOSE 7051
CMD [ "peer", "node", "start" ]}
References
Steps to reproduce
No response
The text was updated successfully, but these errors were encountered: