One of the things that can increase security of the CKAN images/containers is to have a non-root user own all files and directories that are part of the application. Also to have another non-root user run the CKAN processes
This will be part of the work on enhancements for a more production-like environment
Repo: ckan-docker-base
For CKAN 2.10, 2.11 and master images (base and dev)
User: ckan-sys (id=502) - owns the files/directories that are part of the application and supporting libraries
User: ckan (id=503) - runs the application processes, owns files and directories it needs write access to
The primary group for the ckan-sys and ckan users is ckan-sys (id=503) - this is so if more granular write access for both users is needed in the future then this group could be used to do that
The following directories/file are required to be owned by the ckan-sys and ckan user:
ckan-sys
/srv/app/*
/docker-entrypoint.d/*
/usr/local/*
ckan
/srv/app/ckan.ini
/srv/app/src/*
/var/lib/ckan/*
/srv/app/src_extensions/ (for Development)
Repo: ckan-docker
The following directories/file are required to be owned by the ckan-sys user:
ckan-sys
/docker-entrypoint.d/
/srv/app/patches/*
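One way to verify this layout inside a built image, as an added example that is not code from ckan-docker-base or ckan-docker. The function names, the optional ROOT prefix and the `--run` switch are assumptions of this sketch, and the group/other-writable check is an addition that follows from both users sharing the ckan-sys primary group.

```shell
#!/bin/sh
# Added example, not code from ckan-docker-base: audit the ownership layout.
SYS_UID="${SYS_UID:-502}"   # ckan-sys uid, as stated in the issue
APP_UID="${APP_UID:-503}"   # ckan uid, as stated in the issue
SYS_TREES="/srv/app /docker-entrypoint.d /usr/local"
APP_PATHS="/srv/app/ckan.ini /srv/app/src /srv/app/src_extensions /var/lib/ckan"

# Entries below "$1$2" that are not owned by ckan-sys, or that group/other can
# write. ckan shares the ckan-sys primary group, so a group-writable file may
# be writable by the runtime user. Paths assigned to ckan are pruned; symlinks
# are skipped because their mode bits on Linux are always rwx.
sys_findings() {
    root=$1; tree=$2
    [ -d "$root$tree" ] || return 0
    set -- "$root$tree" -path "$root$tree" -o
    for p in $APP_PATHS; do set -- "$@" -path "$root$p" -prune -o; done
    find "$@" ! -type l \( ! -uid "$SYS_UID" -o -perm -020 -o -perm -002 \) -print
}

# Entries in the ckan-owned paths (the path itself included) with another owner.
app_findings() {
    root=$1
    for p in $APP_PATHS; do
        if [ -e "$root$p" ]; then find "$root$p" ! -uid "$APP_UID" -print; fi
    done
}

# audit [ROOT]: print findings and return 1 if any. ROOT is an optional prefix
# (hypothetical convenience) for checking an unpacked image filesystem.
audit() {
    root=${1:-}
    out=$(for t in $SYS_TREES; do sys_findings "$root" "$t"; done
          app_findings "$root")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Run as a script with: sh audit.sh --run [ROOT]
if [ "${1:-}" = "--run" ]; then audit "${2:-}"; exit $?; fi
```

Each printed path is either owned by the wrong uid or, for the ckan-sys trees, writable through group or other permissions.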