Non root docker

[phlax]

Commit Message:

Allow envoy to run as non-root user in Docker container, Fixes #11311

Additional description:

• creates a non-root user in docker recipes
• installs su-exec and requirements for usermod and groupmod
• updates the docker entrypoint to use su-exec

Unfortunately su-exec is not currently packaged in debian, so i had to compile the binary

An alternative would be to use gosu but its signififcantly larger

Risk Level: low/medium
The main risk is from compiling the su-exec binary for the debian build
Its not clear to me if these recipes are intended for ci or production - if the latter then introducing su-exec has more significant security implications
Testing:
Docs Changes: I could not find any docs relating to running with Docker
Release Notes: n/a

[lizan]

I don't think you need update if you do add --no-cache below.

[phlax]

seems not. removed

[lizan]

can you merge master? that will fix the CI

[phlax]

done

[lizan]

What if a user want to run Envoy as root? Non-root user cannot listen on well-known ports. Setting ENVOY_UID to 0 will fail at usermod.

[phlax]

this has been updated, so if ENVOY_UID=0 it follows the existing exec codepath and avoids usermod, su-exec etc

[phlax]

@lizan i have updated the PR and rebased to master.

lmk if there are any further changes that you would like

[lizan]

Thanks, this is in right direction. Can you add a release note as well? It should be noted that users have to set ENVOY_UID=0 to get old behavior.

[phlax]

release note added

[lizan]

alphabetical order, that's why format CI fails

[mattklein123]

Small question, thank you!

/wait

[mattklein123]

What is the default here? If not set somehow by default should this default to "0"? I think by default we will enter this statement but the string will be empty?

[phlax]

thats correct. The default is to use the envoy user with the uid/gid that is set at build time

[mattklein123]

Where are these env variables set?

[phlax]

they are runtime env vars for the container - so they can be set eg on the docker command line or in a compose file etc

[mattklein123]

It's not clear that this now has to be set. Can we please change this so that the default stays wat it was and we document how to set the right variables? By default I don't think this makes sense.

[phlax]

in the default case nothing should need to be set and all should work as it does now - save for the fact that process inside the container doesnt run as root.

The cases where you would want to set these vars are:

• opening well-known ports inside the container and running as root - containers kind of negate the need to ever do this
• setting a specific uid/gid to get the correct permissions on in or out sockets

my own opinion is that it is better to not run as root by default. Im happy to make whatever changes others feel necessary though

[mattklein123]

If both of these env vars are empty strings which would be the defualt, do the commands even work?

[phlax]

yep for sure.

the default case is that ENVOY_UID is not set - ie also not set to 0

in this case it goes into this code block, but as ENVOY_UID is not set (same with gid) it goes straight to

     su-exec envoy "${@}"

[mattklein123]

Ah OK, gotcha. Alright thanks for the explanation. LGTM.

[mattklein123]

Oops sorry can you merge master?

/wait

[phlax]

done

[mattklein123]

Thanks!

[phlax]

its not obvious to me why ci is failing - the error seems to be here

ERROR: The project you're trying to build requires Bazel 3.1.0 (specified in /Users/runner/runners/2.169.1/work/1/s/.bazelversion), but it wasn't found in /usr/local/Cellar/bazel/3.2.0/libexec/bin.

im wondering if i need to do anything to get tests passing

[lizan]

@phlax no your fault, don't worry :)