Skip to content

Scala Steward runs as root when using the published Docker image (but it probably shouldn't) #3283

New issue
New issue
Open
#3286
Open
Scala Steward runs as root when using the published Docker image (but it probably shouldn't)#3283
#3286
@bpholt

Description

@bpholt
bpholt
opened on Feb 9, 2024

The Dockerfile generated by the current build configuration leaves the user set to root, meaning the application runs as root inside the container. This is not recommended, and I think was probably an oversight.

scala-steward/build.sbt

Lines 379 to 393 in 1f8ea30

Seq(
Cmd("USER", "root"),
Cmd(
"RUN",
"apk --no-cache add bash git gpg ca-certificates curl maven openssh nodejs npm ncurses"
),
Cmd("RUN", installSbt),
Cmd("RUN", installMill),
Cmd("RUN", installCoursier),
Cmd("RUN", installScalaCli),
Cmd("RUN", s"$csBin install --install-dir $binDir scalafix scalafmt"),
Cmd("RUN", "npm install --global yarn"),
// Ensure binaries are in PATH
Cmd("RUN", "echo $PATH"),
Cmd("RUN", "which cs mill mvn node npm sbt scala-cli scalafix scalafmt yarn")

Line 380 sets the user to root so the build can configure the dependencies inside the image, but as you can see there's no subsequent USER {user} directive to reset the user context.

We're in the process of testing this locally, but I think adding this as the final Dockerfile directive should reset the user context back to the user created by sbt-native-packager.

Cmd("USER", (Docker / daemonUser).value)

I'll make a PR to fix this if the tests we're doing internally look promising.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions