feat: add birdnet-user to docker runtime image #363
Conversation
Allows setting the config path with the CONFIG_PATH environment variable. This is useful when running inside a container, since the config might be mounted at a different path from what is normally expected when running on a real machine.
By adding the "birdnet-user" to the Docker image, it ensures that the image is not run as the root user. This is considered a best practice to enhance security and prevent potential vulnerabilities. The downgrade to the less privileged runtime user is done through the entrypoint script by utilizing gosu: https://github.com/tianon/gosu. This means that the container will be running as user gid=10002, uid=10002, which should not collide with any existing users on the host system. During the downgrade process, the volume mount permissions for /data and /config will be adjusted to the new user. If the entrypoint user is not privileged, because an arbitrary user/group id was passed with `--user` in the docker run command, the container will run as the specified user instead. Here some safeguards are in place to ensure that the provided user/group id has the required permissions on the mounted volumes as well as belonging to the audio group.
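The entrypoint flow the description lays out (fix volume ownership and drop to birdnet-user via gosu when started as root; when started with `docker run --user`, verify the volumes and the audio group before launching), as an added example that is not the PR's own docker-entrypoint.sh. The `DATA_DIRS` and `APP_BIN` variables, the `check_dirs_writable`/`in_group` helper names and the `realtime` argument are assumptions.

```shell
#!/bin/sh
# Entrypoint sketch: chown the volumes and drop to birdnet-user with gosu when
# started as root; with `docker run --user`, check the caller's uid first.
set -eu

BIRDNET_UID="${BIRDNET_UID:-10002}"
BIRDNET_GID="${BIRDNET_GID:-10002}"
DATA_DIRS="${DATA_DIRS:-/data /config}"   # assumed: space-separated mount points
APP_BIN="${APP_BIN:-/usr/bin/birdnet-go}" # assumed binary path

# Return 0 when every directory in "$1" (space separated) exists and is
# writable by the current uid; report the first offending path otherwise.
check_dirs_writable() {
  for d in $1; do
    if [ ! -d "$d" ] || [ ! -w "$d" ]; then
      echo "entrypoint: $d is not a writable directory for uid $(id -u)" >&2
      return 1
    fi
  done
  return 0
}

# Return 0 when the current process belongs to the group named "$1".
in_group() {
  for g in $(id -Gn); do
    [ "$g" = "$1" ] && return 0
  done
  return 1
}

main() {
  if [ "$(id -u)" = "0" ]; then
    # Privileged start (the default): fix volume ownership, then re-exec this
    # script as birdnet-user so the application itself never runs as root.
    for d in $DATA_DIRS; do
      mkdir -p "$d"
      chown -R "$BIRDNET_UID:$BIRDNET_GID" "$d"
    done
    exec gosu "$BIRDNET_UID:$BIRDNET_GID" "$0" "$@"
  fi
  # Unprivileged start (--user): fail fast with a clear message instead of
  # letting the app hit EACCES on the volumes or the sound device later.
  check_dirs_writable "$DATA_DIRS" || exit 1
  in_group audio || { echo "entrypoint: uid $(id -u) is not in group audio" >&2; exit 1; }
  exec "$APP_BIN" realtime "$@"
}

# Run main only when executed as the entrypoint; sourcing just defines helpers.
case "${0##*/}" in docker-entrypoint.sh) main "$@" ;; esac
```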
Walkthrough
The pull request introduces enhanced Docker container security and configuration management for the BirdNET-Go application. The changes include creating a non-root user (
Sequence Diagram

```mermaid
sequenceDiagram
    participant Container as Docker Container
    participant Entrypoint as docker-entrypoint.sh
    participant App as BirdNET-Go App
    Container->>Entrypoint: Start container
    alt Running as root
        Entrypoint->>Entrypoint: Change directory ownership
        Entrypoint->>Entrypoint: Switch to birdnet-user
    end
    Entrypoint->>Entrypoint: Check directory permissions
    Entrypoint->>App: Launch application
```
Shellcheck (0.10.0) findings on docker-entrypoint.sh:
- [warning] 12-12: Expanding an array without an index only gives the first element. (SC2128)
- [warning] 19-19: This flag is used as a command name. Bad line break or missing [ .. ]? (SC2215)
- [warning] 19-19: This flag is used as a command name. Bad line break or missing [ .. ]? (SC2215)
- [warning] 24-24: Expanding an array without an index only gives the first element. (SC2128)
- [error] 37-37: Double quote array expansions to avoid re-splitting elements. (SC2068)
Sorry for the delay, I will review this during the weekend. This is needed, but I am unsure how to handle this without breaking existing deployments on upgrade.
I think it should be quite safe, since it will still start as root (just like before) and downgrade itself. Still good to review it properly though, since we don't want to mess up a bunch of installations.
Fixes #322

Changes:
- Added `birdnet-user` to the Docker image to enhance security and prevent potential vulnerabilities.
- Used `gosu` to downgrade to the less privileged `birdnet-user` (gid=10002, uid=10002), ensuring the container does not run as the root user.
- Adjusted the permissions of the `/data` and `/config` volume mounts to the new user during the downgrade process.
- If `--user` is passed into the `docker run` command, the container runs as the specified user instead. Safeguards are in place to ensure the specified user/group ID has the required permissions on the mounted volumes and belongs to the audio group.
- Added the `CONFIG_PATH` environment variable to allow setting the configuration path. This is particularly useful when running inside a container, as the configuration might be mounted at a different path than expected when running on a real machine.

These changes should not leave any existing volumes in a bad state and should be easy for everyone to use. However, it would be good if someone else could try out these changes to be on the safe side before we merge anything.