Announcement: Rails deployments no longer running as Root

I’ve pushed a 1.1.1 release of dockerfile-rails. What that means is that Rails projects launched after this point will include the following lines, copied from the Rails 7.1 template:

It should be extremely rare for a Rails application to need to run as root, but this is the first change I’ve made so far that one needs to opt-out of rather than opt-in.

To opt out, run

bin/rails generate dockerfile --root

(or simply delete the lines in the generated Dockerfile)

If you do opt out, I would be very interested in hearing why, either here or as an issue.

Rails applications that have been launched before this point aren’t affected. But you are welcome to:

  1. copy/paste these lines into your Dockerfile
  2. update to the latest dockerfile-rails gem and regenerate your Dockerfile
  3. install dockerfile-rails gems and generate a new Dockerfile if you launched prior to 29 January.
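An added example, not part of the original post or the dockerfile-rails project: a small Ruby check for existing apps that reports which user the final stage of a Dockerfile runs as, including the multi-stage case where a `USER` line sits only in a build stage. The sample Dockerfiles, the `app` user name and the default of `root` for external base images are assumptions made for illustration.

```ruby
# Added example; the sample Dockerfiles are constructed for illustration.
ROOT_NAMES = %w[root 0].freeze

# Returns the USER in effect at the end of the last build stage.
def final_stage_user(dockerfile_text)
  stage_users = {}      # named stage -> user at the end of that stage
  current_name = nil
  current_user = "root" # assumption: external base images run as root

  # Join backslash continuations, then walk the instructions in order.
  dockerfile_text.gsub(/\\\r?\n/, " ").each_line do |line|
    line = line.strip
    next if line.empty? || line.start_with?("#")

    case line
    when /\AFROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?/i
      stage_users[current_name] = current_user if current_name
      base, current_name = $1.downcase, $2&.downcase
      # A stage built FROM an earlier named stage inherits its user.
      current_user = stage_users.fetch(base, "root")
    when /\AUSER\s+(\S+)/i
      current_user = $1
    end
  end
  current_user
end

# True when the final stage's user (name or UID, before any ":group") is root.
def runs_as_root?(dockerfile_text)
  ROOT_NAMES.include?(final_stage_user(dockerfile_text).split(":").first)
end

NON_ROOT = <<~DOCKERFILE
  FROM ruby:3.2-slim AS base
  FROM base AS build
  RUN bundle install
  FROM base
  RUN useradd app --create-home
  USER app:app
DOCKERFILE

# USER appears only in the build stage, so the final image still runs as root.
BUILD_ONLY = <<~DOCKERFILE
  FROM ruby:3.2-slim AS build
  USER app
  FROM ruby:3.2-slim
  COPY --from=build /rails /rails
DOCKERFILE
```

The check reads the Dockerfile text only: it does not expand `ARG`/`ENV` variables in a `USER` line and cannot see a `USER` already set inside an external base image.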

fyi: non root users on Fly have trouble with stdout and stderr: Container (non-root) user can't write to /dev/stdout or /dev/stderr - #8 by tom93

Yup. That’s why I disable this if nginx is selected:

… because in those cases, I configure nginx to output to /dev/stdout and /dev/stderr for logging purposes:

What I like about writing generators like this one is that I can capture things I’ve discovered in tangible form so that these lessons can be applied automatically. Computers, it turns out, are rather good at applying if checks.

At the moment, few Rails users use nginx as a front end these days. But if there is demand, I’ll look into (or accept pull requests for) running nginx as root but rails as a non-root user.


Of course, you knew about this problem (:

From the Fly init snapshot code (which is probably archaic by now) shared on GitHub, it looks like appropriate permissions on stdout and stderr devices aren’t set as expected? Any hope of a fix?

Not any more! allow running nginx as non-root user · rubys/dockerfile-rails@1cf2209 · GitHub

This is because the underlying problem is now fixed: Container (non-root) user can't write to /dev/stdout or /dev/stderr - #24 by jerome
