Run API Security containers as non-root user gitlab
Problem
Secure is standardizing on using gitlab as the non-root user that internal container processes run as. The API Fuzzing container doesn't use a gitlab user, and instead runs as root.
Relates to #281816 (comment 452363710)
Proposal
Ports
Updating the API Fuzzing docker container to a non-root user will impact which ports can be used internally. Currently the docker container internally runs as root, which allows it to bind the privileged ports 80 and 443; a non-root process cannot bind ports below 1024. The ports will be shifted to 5000 and 5001. This change will require modification to the CI Template.
First the existing container will be updated to support both sets of ports: 80/443 and 5000/5001. Once deployed, the CI template will be updated to use port 5000. Once merged and in production, the new docker image can be deployed that only uses 5000/5001.
This change will not be backwards compatible. The scanner version number should be incremented.
Article with example Dockerfile: setting ports on dotnet
Working folder and job artifacts
API Security must be modified to use a different folder for created files.
API Security uses the checked out project as the CWD and as the location to create job artifacts. This folder is owned by the default docker user (root for gitlab.com) and does not grant write permission to other users. This prevents the gitlab user from writing the artifacts or other temporary files.
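As an added illustration of both points above (not the project's actual Dockerfile), the following Dockerfile runs a dotnet scanner as the non-root user gitlab, listens on 5000/5001 via ASPNETCORE_URLS instead of 80/443, and gives the process a work directory it owns rather than the checked-out project. The base image, UID/GID, /app path, Scanner.dll name and the SCANNER_WORK_DIR variable are all assumptions.

```dockerfile
# Assumed Alpine-based dotnet runtime image (the page mentions APK for system packages).
FROM mcr.microsoft.com/dotnet/aspnet:5.0-alpine

# Create an unprivileged gitlab user and group. UID/GID 1000 is an assumption.
RUN addgroup -g 1000 gitlab \
 && adduser -u 1000 -G gitlab -D gitlab

# Scanner binaries, owned by gitlab so the process can read them. Path is an assumption.
COPY --chown=gitlab:gitlab ./publish /app

# A non-root process cannot bind ports below 1024, so listen on 5000/5001
# rather than 80/443. Only the unprivileged ports are exposed.
ENV ASPNETCORE_URLS="http://0.0.0.0:5000;https://0.0.0.0:5001"
EXPOSE 5000 5001

# Job artifacts and temp files go to a directory the gitlab user owns, not the
# root-owned checked-out project that the runner mounts. Variable name is hypothetical.
RUN mkdir -p /var/lib/scanner-work \
 && chown gitlab:gitlab /var/lib/scanner-work
ENV SCANNER_WORK_DIR=/var/lib/scanner-work
WORKDIR /app

# Drop to the non-root user before starting the scanner. Assembly name is hypothetical.
USER gitlab
ENTRYPOINT ["dotnet", "Scanner.dll"]
```

A quick check after building is `docker run --rm <image> id -u`, which should print 1000 rather than 0.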
Implementation Tasks
- Update current Dockerfile to have the scanner listen on ports 80,443 and 5000,5001.
- Update the CI template to use 5000 in the scanner URL.
  - Update DAST CI template
  - Update FUZZ API template
- Wait for CI template to merge, verify working
- Test
  - Can users install python packages using pip
  - Can users install system packages using APK
- Increment scanner version number
- Update Dockerfile to use non-root user gitlab
  - Expose ports 5000,5001 but not 80/443
- Verify all tests work
- Release new image
- Verify works with CI template (E2E tests)
- Notify Michael Leopard via slack that issue has been resolved