Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow commands to run as root #631

Closed
tdiesler opened this issue Dec 1, 2016 · 5 comments
Closed

Allow commands to run as root #631

tdiesler opened this issue Dec 1, 2016 · 5 comments
Assignees
@tdiesler
Labels
feature
Milestone
1.0.0

Comments

@tdiesler
Copy link

tdiesler commented Dec 1, 2016

We have a user case where the wildfly base image does not run on openshift because the user 'jboss' is not in group 'root'

The generated Dockerfile should perhaps place the USER directive at the end and run entries and RUN commands as root.

I'll would provide a PR

CrossRef: wildfly-extras/wildfly-camel#1501
@tdiesler tdiesler added this to the 1.0.0 milestone Dec 1, 2016
@tdiesler tdiesler self-assigned this Dec 1, 2016
@rhuss
Copy link
Collaborator

rhuss commented Dec 1, 2016

Wouldn't it be also a solution (and maybe even the much better one), to fix the group issue in the base image as this is the recommended OpenShift practice anyway ?

@tdiesler
Copy link
Author

tdiesler commented Dec 1, 2016

They won't do that: jboss-dockerfiles/wildfly#47

Using a Dockerfile to build an image, I would have full control over the user running the commands. IMHO, its a limitation of the plugin that I cannot do that through config.

Reading the impl, here is a workaround that also works for me

<assembly>
    <basedir>/opt/jboss/wildfly</basedir>
    <descriptor>${project.basedir}/standalone/assembly-artifacts.xml</descriptor>
    <user>jboss:root:root</user>
</assembly>
<user>jboss</user>

Not sure if you intended the user thing to work like this. My PR uses the third part of the assembly user to set the user attribute (if not given) which would then be appended to the Dockerfile. It runs the cmds with the same user as used for chown, which would be root.

You may however have good reason to run the cmds less privileged, but the above config still seems awkward.

@rhuss
Copy link
Collaborator

rhuss commented Dec 1, 2016
edited
Loading

You are always free to use a Dockerfile (see config option dockerFileDir). There is one missing link to the assembly, this is tackled in #205 . But otherwise you are free todo what you want, e.g. you could refer directly into the target/ dir, too.

Of course with an XML based configuration like this you have less degrees of freedom, and have to decide on the order of directives upfront. That works fine for simple builds, which are usually the case.

My main point with the PR is, that it depends implicitly on the order of whether the assembly is ADDed first or the command are RUN. If this call is reversed here your fix will break. This could happen anytime (of course not without a good reason), and no one will ever remember this implicit connection to this fix anymore.

That's why I said is to make it more explicit by moving this user around than sharing it over a member variable.

@tdiesler
Copy link
Author

tdiesler commented Dec 2, 2016
edited
Loading

In a perfect world IMHO, there would be no duplication (and perhaps conflicting) config of run user and an explicit config for runCmd user.

Still, this may perhaps be over engineered. What is a good reason to not always run the cmds as root? The duplication of run user config is problematic, but can likely not be resolved without breaking compatibility.

@tdiesler
Copy link
Author

tdiesler commented Dec 9, 2022

out-of-date

@tdiesler tdiesler closed this as completed Dec 9, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tdiesler tdiesler

Labels
feature
Projects
None yet
Milestone
1.0.0
Development

No branches or pull requests
2 participants
@rhuss @tdiesler