fix: improve security of the docker container #648
Conversation
@@ -7,11 +7,12 @@ services: | |||
- ~/polkadot-data:/data | |||
# ports: | |||
# - "9944:9944" | |||
command: 'polkadot --chain polkadot --unsafe-ws-external --rpc-cors=all' | |||
command: '--chain polkadot --unsafe-ws-external --rpc-cors=all' |
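Review bot: the new `command:` line still passes `--unsafe-ws-external --rpc-cors=all`, which accepts WebSocket RPC connections from non-local clients and any origin; with `ports:` left commented out that RPC is reachable only on the compose network, and a one-line comment saying so would stop a later editor from uncommenting `"9944:9944"` without revisiting those two flags. Dropping the leading `polkadot` matches the parity image, whose entrypoint already runs the binary (the old line produced `polkadot polkadot ...`), so this pairing of image and command should be confirmed with a `docker-compose up` before merge.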
Did this line work at all previously (or did older images not default to running polkadot)?
I did not check but it is very likely that I initially used my chevdor/polkadot image here. The difference with the parity one being that the parity image uses polkadot as entrypoint and my image does not. I guess someone updated from chevdor to parity without changing the call.
So the only 2 options are:
- use chevdor/polkadot and start the command with polkadot
- use parity/polkadot and omit the polkadot binary in the command
My image is not built from CI so I do NOT recommend any longer using it (except for people who want to build their own image themselves).
LGTM!
I haven't tested the justfile, but I can see that you have, and the other changes look fairly trivial assuming the docker-compose command is all gravy :)
LGTM
While this PR makes the Docker image and the container deployed with it more secure, just using the new image does not get all the benefits if the user is not running the container as --read-only. This is why this flag has been set as default in the doc and in the docker-compose. It may be wise to let our known users know about this.
👍
In a containerized environment, weaker containers can be used as an entry point. Hence the importance of securing Docker images.
What does the PR do:
This PR brings the following:
- docker-compose.yaml (it was not working with the parity image)
- node instead
- --read-only so that the root file system cannot be changed
Security issues
Assuming you have no docker image named substrate-api-sidecar on your machine to get started. You can clean up using docker images | grep sidecar | awk '{ print $3 }' | xargs docker rmi -f.
The following tests use just, read below for details about just.
then run:
NOTE: You will see a few errors, ignore them, this is because we did not build the new image yet locally.
we get:
The red team 🕵🏻♂️ wins too much here...
Let's now build the new image:
and we test again:
we get:
This time, we make it a little harder for the red team 🕵🏻♂️.
NOTE: The errors we see are fine, those are the failed attempts.
Important note
While this PR makes the Docker image and the container deployed with it more secure, just using the new image does not get all the benefits if the user is not running the container as --read-only. This is why this flag has been set as default in the doc and in the docker-compose. It may be wise to let our known users know about this.
Justfile
The justfile is a convenience that allows NOT introducing several scripts to build and test the containers. Having just installed, you can simply use just or just help to discover more about the usable scripts. Here is a run:
NOTE: The introduction of
just
is opinionated and not mandatory for this PR (although makes it much easier to test).
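To make the two hardening points of this PR concrete (the corrected command for the parity image, and running the sidecar as a non-root user on a read-only root filesystem), here is an added docker-compose example; it is not the project's own file. The service names, the `node` user, the `substrate-api-sidecar` image name, the `/tmp` tmpfs, the `SAS_SUBSTRATE_WS_URL` variable and the host ports are assumptions.

```yaml
# Added example, not the repository's docker-compose.yaml.
# Assumed: a locally built "substrate-api-sidecar" image that runs as user
# "node", reads its node URL from SAS_SUBSTRATE_WS_URL and listens on 8080.
version: "3.7"
services:
  # --- before (weak): kept as comments for comparison ---------------------
  # polkadot:
  #   image: parity/polkadot
  #   command: 'polkadot --chain polkadot --unsafe-ws-external --rpc-cors=all'
  #   # fails: the parity image already has "polkadot" as entrypoint
  # sidecar:
  #   image: substrate-api-sidecar
  #   # no "user:"      -> process runs as root inside the container
  #   # no "read_only:" -> an attacker who gets code execution can rewrite
  #   #                    the application files and persist in the container

  # --- after (hardened) ----------------------------------------------------
  polkadot:
    image: parity/polkadot
    volumes:
      - ~/polkadot-data:/data
    # ports: intentionally NOT published; the RPC opened by the flags below
    # is reachable only from other services on this compose network.
    # ports:
    #   - "9944:9944"
    command: '--chain polkadot --unsafe-ws-external --rpc-cors=all'

  sidecar:
    image: substrate-api-sidecar          # assumed name of the locally built image
    user: node                            # assumed non-root user baked into the image
    read_only: true                       # same effect as `docker run --read-only`
    tmpfs:
      - /tmp                              # the only writable path, memory-backed
    environment:
      SAS_SUBSTRATE_WS_URL: ws://polkadot:9944   # assumed sidecar setting
    ports:
      - "127.0.0.1:8080:8080"             # bind to loopback on the host only
    depends_on:
      - polkadot
```

After `docker-compose up -d`, `docker inspect --format '{{.HostConfig.ReadonlyRootfs}} {{.Config.User}}' <sidecar container>` should print `true node`; a `false` or empty user means the hardening was lost in the deployment.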