Merged
4 changes: 4 additions & 0 deletions .github/workflows/release.yml
@@ -176,123 +176,127 @@
build-args: |
BUILD_PACKAGE_NAME=tyk-gateway-ee
BASE_IMAGE=tykio/dhi-busybox:1.37-fips
NONROOT_CHOWN=true
- name: Docker metadata for ee tag push
id: tag_metadata_ee
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
with:
images: |
docker.tyk.io/tyk-gateway/tyk-gateway-ee
tykio/tyk-gateway-ee
flavor: |
latest=false
prefix=v
tags: |
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{version}}
labels: |
org.opencontainers.image.title=Tyk Gateway Enterprise Edition
org.opencontainers.image.description=Tyk API Gateway Enterprise Edition written in Go, supporting REST, GraphQL, TCP and gRPC protocols
org.opencontainers.image.vendor=tyk.io
org.opencontainers.image.version=${{ github.ref_name }}
- name: push ee image to prod
if: ${{ matrix.golang_cross == '1.25-bullseye' }}
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
with:
context: "dist"
platforms: linux/amd64,linux/arm64
file: ci/Dockerfile.distroless
provenance: mode=max
sbom: true
cache-from: type=gha
cache-to: type=gha,mode=max
push: ${{ startsWith(github.ref, 'refs/tags') }}
tags: ${{ steps.tag_metadata_ee.outputs.tags }}
labels: ${{ steps.tag_metadata_ee.outputs.labels }}
build-args: |
BUILD_PACKAGE_NAME=tyk-gateway-ee
BASE_IMAGE=tykio/dhi-busybox:1.37-fips
NONROOT_CHOWN=true
- name: Attach base image VEX to ee
if: ${{ matrix.golang_cross == '1.25-bullseye' && startsWith(github.ref, 'refs/tags') }}
run: |
# Install Docker Scout CLI
curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/v1.20.4/install.sh -o /tmp/scout-install.sh && sh /tmp/scout-install.sh 2>/dev/null
# Extract VEX from the DHI base image
docker scout vex get --org tykio -o /tmp/ee-vex.json tykio/dhi-busybox:1.37-fips || true
if [ -f /tmp/ee-vex.json ]; then
cosign attest --yes --type openvex \
--predicate /tmp/ee-vex.json \
docker.tyk.io/tyk-gateway/tyk-gateway-ee:${{ github.ref_name }} || true
cosign attest --yes --type openvex \
--predicate /tmp/ee-vex.json \
tykio/tyk-gateway-ee:${{ github.ref_name }} || true
fi
- name: Docker metadata for fips CI
id: ci_metadata_fips
if: ${{ matrix.golang_cross == '1.25-bullseye' }}
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
with:
images: |
${{ steps.ecr.outputs.registry }}/tyk-fips
flavor: |
latest=false
tags: |
type=ref,event=branch
type=ref,event=pr
type=sha,format=long
type=semver,pattern={{major}},prefix=v
type=semver,pattern={{major}}.{{minor}},prefix=v
type=semver,pattern={{version}},prefix=v
- name: push fips image to CI
if: ${{ matrix.golang_cross == '1.25-bullseye' }}
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
with:
context: "dist"
platforms: linux/amd64,linux/arm64
file: ci/Dockerfile.distroless
provenance: mode=max
sbom: true
push: true
cache-from: type=gha
cache-to: type=gha,mode=max
tags: ${{ steps.ci_metadata_fips.outputs.tags }}
labels: ${{ steps.ci_metadata_fips.outputs.labels }}
build-args: |
BUILD_PACKAGE_NAME=tyk-gateway-fips
BASE_IMAGE=tykio/dhi-busybox:1.37-fips
NONROOT_CHOWN=true
- name: Docker metadata for fips tag push
id: tag_metadata_fips
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
with:
images: |
tykio/tyk-gateway-fips
flavor: |
latest=false
prefix=v
tags: |
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{version}}
labels: |
org.opencontainers.image.title=Tyk Gateway Enterprise Edition FIPS
org.opencontainers.image.description=Tyk API Gateway Enterprise Edition written in Go, supporting REST, GraphQL, TCP and gRPC protocols Built with FIPS 140-3 compliant cryptography
org.opencontainers.image.vendor=tyk.io
org.opencontainers.image.version=${{ github.ref_name }}
- name: push fips image to prod
if: ${{ matrix.golang_cross == '1.25-bullseye' }}
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
with:
context: "dist"
platforms: linux/amd64,linux/arm64
file: ci/Dockerfile.distroless
provenance: mode=max
sbom: true
cache-from: type=gha
cache-to: type=gha,mode=max
push: ${{ startsWith(github.ref, 'refs/tags') }}
tags: ${{ steps.tag_metadata_fips.outputs.tags }}
labels: ${{ steps.tag_metadata_fips.outputs.labels }}
build-args: |

Check warning on line 296 in .github/workflows/release.yml
probelabs / Visor: quality (architecture Issue)
The build argument `NONROOT_CHOWN=true` is added in four separate but very similar jobs (`build-and-push-ee`, `build-and-push-ee-main`, `build-and-push-fips`, `build-and-push-fips-main`). This repetition, along with the overall similarity of the jobs, increases maintenance overhead. A change to the build arguments for these images needs to be applied in multiple places.
Raw output: To improve maintainability and reduce redundancy, consider refactoring these jobs. Options include using a matrix strategy to run the same job with different parameters, or creating a reusable workflow (`workflow_call`) for the common build-and-push logic. As a smaller-scale improvement, YAML anchors could be used to deduplicate the common `build-args` block across the jobs.

BUILD_PACKAGE_NAME=tyk-gateway-fips
BASE_IMAGE=tykio/dhi-busybox:1.37-fips
NONROOT_CHOWN=true
- name: Attach base image VEX to fips
if: ${{ matrix.golang_cross == '1.25-bullseye' && startsWith(github.ref, 'refs/tags') }}
run: |
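Review bot: the `push ee image to prod` and `push fips image to prod` steps build on `BASE_IMAGE=tykio/dhi-busybox:1.37-fips`, a mutable tag, and the `Attach base image VEX` steps then run `docker scout vex get ... tykio/dhi-busybox:1.37-fips` as a separate pull; if that tag moves between the build and the VEX fetch, the OpenVEX statement attached with `cosign attest` describes a different base image than the one in the published layers, and because every command in the step ends in `|| true` neither a failed fetch nor a failed `cosign attest` will fail the release. Suggest resolving the base image to a digest once (`tykio/dhi-busybox:1.37-fips@sha256:<digest>`) and passing that same value to both the `BASE_IMAGE` build-arg and the `vex get` call, and dropping `|| true` from the two `cosign attest` lines so a tag release that ships without its attestation is visible in the job status. The Scout CLI installer is fetched from `raw.githubusercontent.com/docker/scout-cli/v1.20.4/install.sh` and executed directly, pinned only by a git tag; the actions in this file are already pinned by commit SHA (for example `docker/build-push-action@10e90e36...`), and the installer deserves the same treatment.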
7 changes: 5 additions & 2 deletions ci/Dockerfile.distroless
@@ -10,11 +10,14 @@

# The _ after the pkg name is to match tyk-gateway strictly and not tyk-gateway-fips (for example)
COPY ${BUILD_PACKAGE_NAME}_*${TARGETARCH}.deb /
RUN dpkg -i /${BUILD_PACKAGE_NAME}_*${TARGETARCH}.deb && rm /*.deb
ARG NONROOT_CHOWN=false
RUN dpkg -i /${BUILD_PACKAGE_NAME}_*${TARGETARCH}.deb && rm /*.deb \
&& chmod -R a+rX /opt/tyk-gateway/ \

Check warning on line 15 in ci/Dockerfile.distroless
probelabs / Visor: security (security Issue)
The Dockerfile now makes all files in `/opt/tyk-gateway/` world-readable (`a+rX`) for all build types, including FIPS. For FIPS builds, which are intended to be more secure and run with a known non-root user (65532), this is an unnecessary relaxation of file permissions. This change weakens the security posture of the FIPS image by violating the principle of least privilege, as the files remain readable by any user, even after ownership is correctly set.
Raw output: The permission-altering commands should be conditional. For FIPS builds (when `NONROOT_CHOWN` is true), only `chown` should be executed. For non-FIPS builds, `chmod` can be used to ensure compatibility with arbitrary user IDs. This prevents unnecessarily permissive files in security-hardened images.

&& if [ "$NONROOT_CHOWN" = "true" ]; then chown -R 65532:65532 /opt/tyk-gateway/; fi

Check warning on line 16 in ci/Dockerfile.distroless
probelabs / Visor: performance (performance Issue)
The `RUN` command now includes `chmod -R` and a conditional `chown -R` on `/opt/tyk-gateway/`. These recursive file system operations can be slow if the directory contains a large number of files, potentially increasing the Docker image build time. For FIPS builds, this change results in two separate recursive traversals of the directory, which is inefficient compared to a single operation.
Raw output: To optimize build time, consider setting the required file permissions and ownership within the `.deb` package itself. This would avoid running `chmod -R` and `chown -R` during every image build, moving the overhead to the packaging stage which is typically run less frequently.

Check failure on line 16 in ci/Dockerfile.distroless
probelabs / Visor: architecture (architecture Issue)
The `chown` command executed in the first (`deb`) stage of this multi-stage build is ineffective. The `COPY --from=deb` instruction in the final stage does not preserve file ownership from the source stage; it creates the files as `root` (UID 0) by default. As a result, the `NONROOT_CHOWN` build argument and the conditional `chown` logic do not achieve the stated goal of setting file ownership to `65532:65532` in FIPS/DHI builds. The files in the final image will be owned by `root:root` in all cases. This makes the conditional logic dead code and the Dockerfile misleading.
Raw output: The `chmod -R a+rX` command correctly enables running the container with an arbitrary user ID. If `root` ownership in the final image is acceptable for all build variants, the simplest solution is to remove the conditional `chown` logic from the `RUN` command on line 16, and remove the `ARG NONROOT_CHOWN` declaration on line 13. Consequently, the `NONROOT_CHOWN` build arguments added in `.github/workflows/release.yml` should also be removed. If conditional ownership is a strict requirement, a different implementation strategy that correctly sets ownership in the final image is needed.

FROM ${BASE_IMAGE}

COPY --chown=65532:65532 --from=deb /opt/tyk-gateway /opt/tyk-gateway
COPY --from=deb /opt/tyk-gateway /opt/tyk-gateway

ARG PORTS
EXPOSE $PORTS
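Review bot: dropping `--chown=65532:65532` from the final-stage `COPY --from=deb /opt/tyk-gateway /opt/tyk-gateway` and moving the ownership change into the `deb` stage (`if [ "$NONROOT_CHOWN" = "true" ]; then chown -R 65532:65532 /opt/tyk-gateway/; fi`) makes the ownership of the published tree depend on the builder carrying uid/gid across `COPY --from`: BuildKit, which `docker/build-push-action` drives, preserves the source owner when no `--chown` is given, while the legacy builder resets copied files to 0:0, so the conditional is not dead code under this workflow but the result is now asserted nowhere, whereas the removed `--chown` set it unambiguously in the final stage. Suggest making the decision visible where it takes effect (a `--chown` on this `COPY`, or a `RUN chown` in the final stage for the FIPS variant) and adding a post-build check to the FIPS job, for example `docker run --rm --entrypoint /bin/stat <image> -c '%u:%g %a' /opt/tyk-gateway` with an expected `65532:65532`, assuming the busybox base provides `stat`, so a regression to root-owned files fails the pipeline rather than surfacing at runtime. Separately, `chmod -R a+rX /opt/tyk-gateway/` runs unconditionally, including for the FIPS image where 65532 already owns the tree; if only that user is meant to read it, put the `chmod` in the `else` branch of the same `if`.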