Announcement: Rails deployments no longer running as Root

rubys · February 19, 2023, 6:35pm

I’ve pushed a 1.1.1 release of dockerfile-rails. What that means is that Rails projects launched after this point will include the following lines, copied from the Rails 7.1 template:

github.com

rails/rails/blob/e9cb3c7b2f63bac810efb46cf8902cadaadcbdcd/railties/lib/rails/generators/rails/app/templates/Dockerfile.tt#L69-L71


      
          # Run and own the application files as a non-root user for security
          RUN useradd rails
          USER rails:rails

It should be extremely rare for a Rails application to need to run as root, but this is the first change I’ve made so far that one needs to opt-out of rather than opt-in.

To opt out, run

bin/rails generate dockerfile --root

(or simply delete the lines in the generated Dockerfile)

If you do opt out, I would be very interested in hearing why, either here or as an issue.

Rails applications that have been launched before this point aren’t affected. But you are welcome to:

copy/paste these lines into your Dockerfile
update to the latest dockerfile-rails gem and regenerate your Dockerfile
install dockerfile-rails gems and generate a new Dockerfile is you launched prior to 29 January.

ignoramous · February 19, 2023, 7:47pm

fyi: non root users on Fly have trouble with stdout and stderr: Container (non-root) user can't write to /dev/stdout or /dev/stderr - #8 by tom93

rubys · February 19, 2023, 7:56pm

Yup. That’s why I disable this if nginx is selected:

github.com

fly-apps/dockerfile-rails/blob/c94444cdd3a3705b2b4c3daf09fdf62fd61ef70f/lib/generators/dockerfile_generator.rb#L261-L263


      
          def run_as_root?
            options.root? || options.nginx? # needed to access /dev/stdout
          end

… because in those case, I configure nginx to output to /dev/stdout and /dev/stderr for logging purposes:

github.com

fly-apps/dockerfile-rails/blob/c94444cdd3a3705b2b4c3daf09fdf62fd61ef70f/lib/generators/templates/_nginx.erb#L1-L4


      
          # configure nginx
          RUN gem install foreman && \
              sed -i 's/access_log\s.*;/access_log \/dev\/stdout;/' /etc/nginx/nginx.conf && \
              sed -i 's/error_log\s.*;/error_log \/dev\/stderr info;/' /etc/nginx/nginx.conf

What I like about writing generators like this one is that I can capture things I’ve discovered in tangible form so that these lessons can be applied automatically. Computers, it turns out, are rather good at applying if checks.

At the moment, few Rails users use nginx as a front end these days. But if there is demand, I’ll look into (or accept pull requests for ) running nginx as root but rails as a non-root user.

ignoramous · February 19, 2023, 8:00pm

Of course, you knew about this problem (:

From the Fly init snapshot code (which is probably archaic by now) shared on github, it looks like approp permissions on stdout and stderr devices aren’t set as expected? Any hope of a fix?

rubys · February 20, 2023, 11:10pm

Not any more! allow running nginx as non-root user · fly-apps/dockerfile-rails@1cf2209 · GitHub

This is because the underlying problem is now fixed: Container (non-root) user can't write to /dev/stdout or /dev/stderr - #24 by jerome

Topic		Replies	Views
Cut over to Rails Dockerfile Generator on Sunday 29 Jan 2023 announcement , rails	3	1011	January 29, 2023
Preparations for Rails 7.1 rails	19	5364	January 17, 2023
Dockerfile-less deploys - rails demo rails	0	482	December 7, 2022
Rails 7+ applications do not need a `dockerfile-rails` gem Questions / Help rails	12	549	March 21, 2024
[Rails] Dockerfile generator with --swap option is not compatible with fly volumes Questions / Help	2	299	April 29, 2023

Announcement: Rails deployments no longer running as Root

Related topics