Hardening of the Frontend docker image #377
Conversation
I am rebasing master.
Everything looks good to me offhand (although I haven't tested that things still work as expected yet)! There is a part of my brain that's wondering whether the benefit of a read-only image is worth the slight complexity increase, so I'd be interested to know your thoughts around why you ended up making this change? Anyway, I'll give it a quick test tomorrow and it feels like a net win even with the added complexity, so I'll be happy to approve once I've tested it!
To enter a cluster running containerized polkadot nodes and telemetry, you may take the front door... or target smaller "utility" images such as telemetry to make your way in. This PR first of all disallows running as root. Second, it prevents adding or modifying files in the container (removing files would only help disrupt the service...), thus greatly reducing the attack surface.
Another similar PR #379 is on its way for the backend.
It looks great to me.
If that helps for the tests, I can bring a
LGTM once that docker-compose tmpfs is on the frontend section :)
I merged this with the backend one and forced a rebuild of images, and everything seemed to work as expected!
@jsdw, indeed this is mandatory with using
Looks great :)
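Added example (not part of this PR or the project's code): a check of the properties discussed in this thread, namely a non-root user, a read-only root filesystem and a tmpfs for files generated at startup, run against parsed `docker inspect` output. The container names, the `/app/tmp` path and the sample JSON are constructed, and requiring an explicit `noexec` is a policy chosen for this example.

```python
import json

# Constructed `docker inspect` excerpts (not output captured from the real image).
# The tmpfs path /app/tmp is a placeholder, not the project's actual path.
SAMPLE_INSPECT = json.loads("""
[
 {"Name": "/frontend-default",
  "Config": {"User": ""},
  "HostConfig": {"ReadonlyRootfs": false, "Tmpfs": null}},
 {"Name": "/frontend-hardened",
  "Config": {"User": "101:101"},
  "HostConfig": {"ReadonlyRootfs": true,
                 "Tmpfs": {"/app/tmp": "rw,noexec,nosuid,size=1m"}}},
 {"Name": "/frontend-exec-tmpfs",
  "Config": {"User": "nginx"},
  "HostConfig": {"ReadonlyRootfs": true, "Tmpfs": {"/app/tmp": "rw,exec"}}}
]
""")

# An empty User field means no user was set, so the process runs as root.
ROOT_USERS = {"", "0", "root"}

def audit_container(info):
    """Return a list of hardening findings for one `docker inspect` object."""
    findings = []
    config = info.get("Config") or {}
    host = info.get("HostConfig") or {}
    # "user[:group]": only the user part decides whether the process is root.
    user = (config.get("User") or "").split(":", 1)[0]
    if user in ROOT_USERS:
        findings.append("runs as root")

    if not host.get("ReadonlyRootfs", False):
        findings.append("root filesystem is writable")

    # Writable scratch space should not double as a place to drop executables.
    # Policy of this example: noexec must be stated explicitly on every tmpfs.
    for path, opts in sorted((host.get("Tmpfs") or {}).items()):
        if "noexec" not in [o.strip() for o in (opts or "").split(",")]:
            findings.append(f"tmpfs {path} is not mounted noexec")
    return findings

def audit(inspect_output):
    """Map container name -> findings for a parsed `docker inspect` array."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in inspect_output}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, "->", findings or "ok")
```

To run it against a live container, feed it the parsed JSON array that `docker inspect <container>` prints instead of the constructed sample.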
The main goal of this PR is to harden the image for the frontend, making it read-only.
It comes with a few challenges since we need to generate files at startup, ensuring that those are neither executable nor modifiable later.
Building
Building the image can be done easily as described in the readme:
You can swap chevdor for any string, just make sure to use your docker hub username if you wish to push the image.
You can also test the pre-built image: chevdor/telemetry-frontend:pr-377.
Running
The following is taken from the modified readme:
Testing
Assuming you used the command above, you can first test if the frontend works at all at http://localhost:80/. Opening the dev console and printing window.process_env, you should see whatever SUBSTRATE_TELEMETRY_URL you defined above. (I used 9944 which is obviously wrong, we connect to the backend here, not to a node...) (I did not have the backend running during this test)
You can then run a few tests:
We first set the container name (easier if yours is named differently):