Merge pull request #28 from constanca-m/run-as-non-root

Running as a non root user
gubernator-io · Oct 7, 2024 · 2fcf4c2 · 2fcf4c2
2 parents 821fad7 + ba6a1ab
commit 2fcf4c2
Show file tree

Hide file tree

Showing 15 changed files with 96 additions and 89 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,12 +1,12 @@
 # Build image
-FROM --platform=$BUILDPLATFORM golang:1.21.0 as build
+FROM --platform=$BUILDPLATFORM golang:1.21.0 AS build
 ARG BUILDPLATFORM
 ARG TARGETPLATFORM
 # https://github.com/docker/buildx/issues/510#issuecomment-768432329
 ENV BUILDPLATFORM=${BUILDPLATFORM:-linux/amd64}
 ENV TARGETPLATFORM=${TARGETPLATFORM:-linux/amd64}
 
-LABEL org.opencontainers.image.source = "https://github.com/gubernator-io/gubernator"
+LABEL org.opencontainers.image.source="https://github.com/gubernator-io/gubernator"
 
 WORKDIR /go/src
 
@@ -27,6 +27,9 @@ RUN CGO_ENABLED=0 GOOS=${TARGETPLATFORM%/*} GOARCH=${TARGETPLATFORM#*/} go build
 RUN CGO_ENABLED=0 GOOS=${TARGETPLATFORM%/*} GOARCH=${TARGETPLATFORM#*/} go build \
     -ldflags "-w -s" -o /healthcheck /go/src/cmd/healthcheck/main.go
 
+# Create a non-root user
+RUN useradd -u 1001 gubernator
+
 # Create our deploy image
 FROM scratch
 
@@ -37,13 +40,15 @@ COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 COPY --from=build /gubernator /gubernator
 COPY --from=build /healthcheck /healthcheck
 
+# Switch to non root user
+USER 1001
+
 # Healtcheck
 HEALTHCHECK --interval=3s --timeout=1s --start-period=2s --retries=2 CMD [ "/healthcheck" ]
 
-
 # Run the server
 ENTRYPOINT ["/gubernator"]
 
-EXPOSE 80
-EXPOSE 81
+EXPOSE 1050
+EXPOSE 1051
 EXPOSE 7946
diff --git a/README.md b/README.md
@@ -38,11 +38,11 @@ $ docker-compose up -d
 ```
 Now you can make rate limit requests via CURL
 ```
-# Hit the HTTP API at localhost:9080 (GRPC is at 9081)
-$ curl http://localhost:9080/v1/HealthCheck
+# Hit the HTTP API at localhost:1050 (GRPC is at 1051)
+$ curl http://localhost:1050/v1/HealthCheck
 
 # Make a rate limit request
-$ curl http://localhost:9080/v1/GetRateLimits \
+$ curl http://localhost:1050/v1/GetRateLimits \
   --header 'Content-Type: application/json' \
   --data '{
     "requests": [
@@ -306,7 +306,7 @@ Example response:
       "reset_time": "1690855128786",
       "error": "",
       "metadata": {
-        "owner": "gubernator:81"
+        "owner": "gubernator:1051"
       }
     }
   ]
@@ -321,11 +321,11 @@ simplest way to try gubernator out.
 
 ##### Docker with existing etcd cluster
 ```bash
-$ docker run -p 8081:81 -p 9080:80 -e GUBER_ETCD_ENDPOINTS=etcd1:2379,etcd2:2379 \
+$ docker run -p 1051:1051 -p 1050:1050 -e GUBER_ETCD_ENDPOINTS=etcd1:2379,etcd2:2379 \
    ghcr.io/gubernator-io/gubernator:latest
 
-# Hit the HTTP API at localhost:9080
-$ curl http://localhost:9080/v1/HealthCheck
+# Hit the HTTP API at localhost:1050
+$ curl http://localhost:1050/v1/HealthCheck
 ```
 
 ##### Kubernetes
@@ -352,8 +352,8 @@ self signed certs by running `docker-compose-tls.yaml`
 # Run docker compose
 $ docker-compose -f docker-compose-tls.yaml up -d
 
-# Hit the HTTP API at localhost:9080 (GRPC is at 9081)
-$ curl --cacert certs/ca.cert --cert certs/gubernator.pem --key certs/gubernator.key  https://localhost:9080/v1/HealthCheck
+# Hit the HTTP API at localhost:1050 (GRPC is at 1051)
+$ curl --cacert certs/ca.cert --cert certs/gubernator.pem --key certs/gubernator.key  https://localhost:1050/v1/HealthCheck
 ```
 
 ### Configuration

diff --git a/cmd/gubernator/main_test.go b/cmd/gubernator/main_test.go
@@ -15,10 +15,11 @@ import (
 	"testing"
 	"time"
 
-	cli "github.com/gubernator-io/gubernator/v2/cmd/gubernator"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/net/proxy"
+
+	cli "github.com/gubernator-io/gubernator/v2/cmd/gubernator"
 )
 
 var cliRunning = flag.Bool("test_cli_running", false, "True if running as a child process; used by TestCLI")
@@ -45,8 +46,8 @@ func TestCLI(t *testing.T) {
 		{
 			name: "Should start with no config provided",
 			env: []string{
-				"GUBER_GRPC_ADDRESS=localhost:8080",
-				"GUBER_HTTP_ADDRESS=localhost:8081",
+				"GUBER_GRPC_ADDRESS=localhost:1050",
+				"GUBER_HTTP_ADDRESS=localhost:1051",
 			},
 			args:     []string{},
 			contains: "HTTP Gateway Listening on",
@@ -73,7 +74,7 @@ func TestCLI(t *testing.T) {
 				close(waitCh)
 			}()
 
-			err := waitForConnect(ctx, "localhost:8080", nil)
+			err := waitForConnect(ctx, "localhost:1050", nil)
 			assert.NoError(t, err)
 			time.Sleep(time.Second * 1)
 

diff --git a/cmd/healthcheck/main.go b/cmd/healthcheck/main.go
@@ -29,7 +29,7 @@ import (
 func main() {
 	url := os.Getenv("GUBER_HTTP_ADDRESS")
 	if url == "" {
-		url = "localhost:80"
+		url = "localhost:1050"
 	}
 	resp, err := http.DefaultClient.Get(fmt.Sprintf("http://%s/v1/HealthCheck", url))
 	if err != nil {

diff --git a/config.go b/config.go
@@ -310,9 +310,9 @@ func SetupDaemonConfig(logger *logrus.Logger, configFile io.Reader) (DaemonConfi
 
 	// Main config
 	setter.SetDefault(&conf.GRPCListenAddress, os.Getenv("GUBER_GRPC_ADDRESS"),
-		fmt.Sprintf("%s:81", LocalHost()))
+		fmt.Sprintf("%s:1051", LocalHost()))
 	setter.SetDefault(&conf.HTTPListenAddress, os.Getenv("GUBER_HTTP_ADDRESS"),
-		fmt.Sprintf("%s:80", LocalHost()))
+		fmt.Sprintf("%s:1050", LocalHost()))
 	setter.SetDefault(&conf.InstanceID, GetInstanceID())
 	setter.SetDefault(&conf.HTTPStatusListenAddress, os.Getenv("GUBER_STATUS_HTTP_ADDRESS"), "")
 	setter.SetDefault(&conf.GRPCMaxConnectionAgeSeconds, getEnvInteger(log, "GUBER_GRPC_MAX_CONN_AGE_SEC"), 0)

diff --git a/config_test.go b/config_test.go
@@ -21,13 +21,14 @@ GUBER_GRPC_ADDRESS=10.10.10.10:9000`
 	require.NotEmpty(t, daemonConfig.InstanceID)
 }
 
-func TestDefaultGrpcAddress(t *testing.T) {
+func TestDefaultListenAddress(t *testing.T) {
 	os.Clearenv()
 	s := `
 # a comment`
 	daemonConfig, err := SetupDaemonConfig(logrus.StandardLogger(), strings.NewReader(s))
 	require.NoError(t, err)
-	require.Equal(t, fmt.Sprintf("%s:81", LocalHost()), daemonConfig.GRPCListenAddress)
+	require.Equal(t, fmt.Sprintf("%s:1051", LocalHost()), daemonConfig.GRPCListenAddress)
+	require.Equal(t, fmt.Sprintf("%s:1050", LocalHost()), daemonConfig.HTTPListenAddress)
 	require.NotEmpty(t, daemonConfig.InstanceID)
 }
 

diff --git a/contrib/aws-ecs-service-discovery-deployment/ecs_gubernator.tf b/contrib/aws-ecs-service-discovery-deployment/ecs_gubernator.tf
@@ -35,8 +35,8 @@ module "gubernator_service" {
           initProcessEnabled = true
         },
         portMappings = [
-          { containerPort = 80 },
-          { containerPort = 81 },
+          { containerPort = 1050 },
+          { containerPort = 1051 },
         ],
         logConfiguration = {
           logDriver = "awslogs",

diff --git a/contrib/aws-ecs-service-discovery-deployment/main.tf b/contrib/aws-ecs-service-discovery-deployment/main.tf
@@ -3,8 +3,8 @@ locals {
   gubernator_service_discovery = "app"
   gubernator_service_host      = "${local.gubernator_service_discovery}.${local.service_namespace}"
   gubernator_env_vars = {
-    GUBER_GRPC_ADDRESS        = "0.0.0.0:81"
-    GUBER_HTTP_ADDRESS        = "0.0.0.0:80"
+    GUBER_GRPC_ADDRESS        = "0.0.0.0:1051"
+    GUBER_HTTP_ADDRESS        = "0.0.0.0:1050"
     GUBER_PEER_DISCOVERY_TYPE = "dns"
     GUBER_DNS_FQDN            = local.gubernator_service_host
     GUBER_DEBUG               = var.gubernator_debug_mode ? "true" : "false"

diff --git a/contrib/charts/gubernator/templates/_helpers.tpl b/contrib/charts/gubernator/templates/_helpers.tpl
@@ -67,7 +67,7 @@ GRPC Port
 {{- if .Values.gubernator.server.grpc.port }}
 {{- .Values.gubernator.server.grpc.port}}
 {{- else }}
-{{- print "81" }}
+{{- print "1051" }}
 {{- end }}
 {{- end }}
 
@@ -78,7 +78,7 @@ HTTP Port
 {{- if .Values.gubernator.server.http.port }}
 {{- .Values.gubernator.server.http.port}}
 {{- else }}
-{{- print "80" }}
+{{- print "1050" }}
 {{- end }}
 {{- end }}
 

diff --git a/contrib/charts/gubernator/values.yaml b/contrib/charts/gubernator/values.yaml
@@ -31,9 +31,9 @@ gubernator:
 
   server:
     http:
-      port: "80"
+      port: "1050"
     grpc:
-      port: "81"
+      port: "1051"
       # Defines the max age of a client connection
       # default is infinity
       # maxConnAgeSeconds: 30

diff --git a/contrib/k8s-deployment.yaml b/contrib/k8s-deployment.yaml
@@ -20,9 +20,9 @@ spec:
           imagePullPolicy: IfNotPresent
           ports:
             - name: grpc-port
-              containerPort: 81
+              containerPort: 1051
             - name: http-port
-              containerPort: 80
+              containerPort: 1050
           name: gubernator
           env:
           - name: GUBER_K8S_NAMESPACE
@@ -36,16 +36,16 @@ spec:
           # Must set the GRPC and HTTP addresses, as gubernator
           # defaults to listening on localhost only
           - name: GUBER_GRPC_ADDRESS
-            value: 0.0.0.0:81
+            value: 0.0.0.0:1051
           - name: GUBER_HTTP_ADDRESS
-            value: 0.0.0.0:80
+            value: 0.0.0.0:1050
           # Use the k8s API for peer discovery
           - name: GUBER_PEER_DISCOVERY_TYPE
             value: "k8s"
           # This should match the port number GRPC is listening on
           # as defined by `containerPort`
           - name: GUBER_K8S_POD_PORT
-            value: "81"
+            value: "1051"
           # The selector used when listing endpoints. This selector
           # should only select gubernator peers.
           - name: GUBER_K8S_ENDPOINTS_SELECTOR
@@ -74,13 +74,13 @@ spec:
   clusterIP: None
   #ports:
   #- name: grpc-port
-  #targetPort: 81
+  #targetPort: 1051
   #protocol: TCP
-  #port: 81
+  #port: 1051
   #- name: http-port
-  #targetPort: 80
+  #targetPort: 1050
   #protocol: TCP
-  #port: 80
+  #port: 1050
   selector:
     app: gubernator
 ---

diff --git a/dns.go b/dns.go
@@ -157,10 +157,10 @@ func peer(ip string, self string, ipv6 bool) PeerInfo {
 	if ipv6 {
 		ip = "[" + ip + "]"
 	}
-	grpc := ip + ":81"
+	grpc := ip + ":1051"
 	return PeerInfo{
 		DataCenter:  "",
-		HTTPAddress: ip + ":80",
+		HTTPAddress: ip + ":1050",
 		GRPCAddress: grpc,
 		IsOwner:     grpc == self,
 	}

diff --git a/docker-compose-tls.yaml b/docker-compose-tls.yaml
@@ -5,9 +5,9 @@ services:
     entrypoint: "/gubernator"
     environment:
       # Basic member-list config
-      - GUBER_GRPC_ADDRESS=0.0.0.0:81
-      - GUBER_HTTP_ADDRESS=0.0.0.0:80
-      - GUBER_ADVERTISE_ADDRESS=gubernator-1:81
+      - GUBER_GRPC_ADDRESS=0.0.0.0:1051
+      - GUBER_HTTP_ADDRESS=0.0.0.0:1050
+      - GUBER_ADVERTISE_ADDRESS=gubernator-1:1051
       - GUBER_MEMBERLIST_KNOWN_NODES=gubernator-1
       - GUBER_MEMBERLIST_SECRET_KEYS=eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHg=
       # TLS config
@@ -16,8 +16,8 @@ services:
       - GUBER_TLS_CERT=/etc/tls/gubernator.pem
       - GUBER_TLS_CLIENT_AUTH=require-and-verify
     ports:
-      - "9081:81"
-      - "9080:80"
+      - "1051:1051"
+      - "1050:1050"
     volumes:
       - ${PWD}/contrib/certs:/etc/tls
 
@@ -26,9 +26,9 @@ services:
     entrypoint: "/gubernator"
     environment:
       # Basic member-list config
-      - GUBER_GRPC_ADDRESS=0.0.0.0:81
-      - GUBER_HTTP_ADDRESS=0.0.0.0:80
-      - GUBER_ADVERTISE_ADDRESS=gubernator-2:81
+      - GUBER_GRPC_ADDRESS=0.0.0.0:1051
+      - GUBER_HTTP_ADDRESS=0.0.0.0:1050
+      - GUBER_ADVERTISE_ADDRESS=gubernator-2:1051
       - GUBER_MEMBERLIST_KNOWN_NODES=gubernator-1
       - GUBER_MEMBERLIST_SECRET_KEYS=eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHg=
       # TLS config
@@ -37,8 +37,8 @@ services:
       - GUBER_TLS_CERT=/etc/tls/gubernator.pem
       - GUBER_TLS_CLIENT_AUTH=require-and-verify
     ports:
-      - "9181:81"
-      - "9180:80"
+      - "1151:1051"
+      - "1150:1050"
     volumes:
       - ${PWD}/contrib/certs:/etc/tls
 
@@ -47,9 +47,9 @@ services:
     entrypoint: "/gubernator"
     environment:
       # Basic member-list config
-      - GUBER_GRPC_ADDRESS=0.0.0.0:81
-      - GUBER_HTTP_ADDRESS=0.0.0.0:80
-      - GUBER_ADVERTISE_ADDRESS=gubernator-3:81
+      - GUBER_GRPC_ADDRESS=0.0.0.0:1051
+      - GUBER_HTTP_ADDRESS=0.0.0.0:1050
+      - GUBER_ADVERTISE_ADDRESS=gubernator-3:1051
       - GUBER_MEMBERLIST_KNOWN_NODES=gubernator-1
       - GUBER_MEMBERLIST_SECRET_KEYS=eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHg=
       # TLS config
@@ -58,8 +58,8 @@ services:
       - GUBER_TLS_CERT=/etc/tls/gubernator.pem
       - GUBER_TLS_CLIENT_AUTH=require-and-verify
     ports:
-      - "9281:81"
-      - "9280:80"
+      - "1251:1051"
+      - "1250:1050"
     volumes:
       - ${PWD}/contrib/certs:/etc/tls
 
@@ -69,9 +69,9 @@ services:
     environment:
       # Basic member-list config
       - GUBER_DEBUG=true
-      - GUBER_GRPC_ADDRESS=0.0.0.0:81
-      - GUBER_HTTP_ADDRESS=0.0.0.0:80
-      - GUBER_ADVERTISE_ADDRESS=gubernator-4:81
+      - GUBER_GRPC_ADDRESS=0.0.0.0:1051
+      - GUBER_HTTP_ADDRESS=0.0.0.0:1050
+      - GUBER_ADVERTISE_ADDRESS=gubernator-4:1051
       - GUBER_MEMBERLIST_KNOWN_NODES=gubernator-1
       - GUBER_MEMBERLIST_SECRET_KEYS=eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHg=
       # TLS config
@@ -80,7 +80,7 @@ services:
       - GUBER_TLS_CERT=/etc/tls/gubernator.pem
       - GUBER_TLS_CLIENT_AUTH=require-and-verify
     ports:
-      - "9381:81"
-      - "9380:80"
+      - "1351:1051"
+      - "1350:1050"
     volumes:
       - ${PWD}/contrib/certs:/etc/tls