[BUGFIX] Fix for docker(-compose) to allow the app to be run as a regular user. #1286
Conversation
|
While this is certainly one way to handle rootles container or containers that run as non root account due to CLI params (i.e. What I mean by that is that most of the entrypoint script could be made obsolete and to simply create a user+group during the container build and ensure that the
I know this works, since I ended up building a custom image that uses the recomendation from the docs as well as what Nginx uses for their unpribileged container to test However, the question remains if this would be the 'better' way or to keep the entrypoint script and use the fix proposed by this PR. Either way, these are just my two cents to the matter that came up when I saw that you where faster than me to propose changes 🙂 |
You are probably right. My changes are fairly "quick 'n dirty" because I didn't have too much time on my hands to fully dive into what his entrypoint is doing and why. And since I suck in anything node/js related I figured it just might be a requirement for some node stuff, hence I did not investigate any further. So I've edited the script to run as it was when running as root, and like this when it gets invoked as a normal user. The main reason I proposed these changes is because it created an - as far as I've tested - fully working/functioning uptime-kuma while running as a normal user. Said user would then be given in the docker cli command or the docker-compose file. That gives the user more control over as which user the container runs. So in the end I think both solutions could be fine to achieve the goal - though I do agree that I already had a feeling that most of the entrypoint's script lines might be obsolete. (But again - since I've got 0 experience in NodeJS I didn't research it) |
|
from what I can tell the scrip has nothing NodeJS specific. At least that is what I could gather from it :) Regardless, all I wanted to do is throw in the comment and open a discussion which way is the preferable one. Either works since even if you where to create a user within the container build and run by default as that a user could still use the container runtime CLI (Docker, Podman, ...) to overwrite the user and group the container will run as would then lead to the NodeJS process to run as those ids. There is only one instance where I am not 100% certain how it would react, if a user where to use a docker volume to mount on a pre-created |
I tested that last scenario. In the case a user has a On a sidenote: There's no real use-case to chmod a folder like that to 777 as it brings security implications. |
|
Thanks for testing my assumed edge case 😅 I like the idea of giving the entrypoint script the porous of a environment checker and presenting the directions to fix possible issues (i.e. legacy permissions or plain wrong bind mount perms). |
I've altered the script to (attempt) to work around this edge-case. If it fails it'll exit with an error message instructing on how to resolve the problem. |
extra/entrypoint.sh
Outdated
| # -c Like verbose but report only when a change is made | ||
| chown -hRc "$PUID":"$PGID" /app/data | ||
| # Check if the /app/data folder is owned by the user invoking the container | ||
| if [ $(stat -c%u /app/data) != $(id -u) ]; then |
There was a problem hiding this comment.
It would be great to have /app/data in variable (used 9 times here)
Co-authored-by: Adam Stachowicz <saibamenppl@gmail.com>
Co-authored-by: Adam Stachowicz <saibamenppl@gmail.com>
Co-authored-by: Adam Stachowicz <saibamenppl@gmail.com>
Co-authored-by: Adam Stachowicz <saibamenppl@gmail.com>
Co-authored-by: Adam Stachowicz <saibamenppl@gmail.com>
Co-authored-by: Adam Stachowicz <saibamenppl@gmail.com>
|
@Saibamen Thank you for your feedback and approval! :) |
|
@justSem Doesn't running as a regular user break the ability of sending pings? I remember a long time ago someone else tried this and it broke the Docker image. |
No, ping isn't a privileged unix process. Edit: could you reference the issue that would break ping? I'm curious |
|
While I don't run this script yet, I have Uptime-Kuma deployed in the *I built my own image with a slightly altered version of this script though, since the |
|
@k3rnelpan1c-dev could you share your script? Getting Kuma running on Openshift and with a persistent Volume is now as easy as it should be :-o |
Hi, could you please share the info necessary running this in OpenShift? |
|
For those curious, yes I will share my config for OCP in a new issue, for the rest sorry to have disrupted the PR topic by my comment unexpectedly 😅 Edit: So done, hope everyone curious for OpenShift can find what they are looking for in #1531 |
|
When are you gonne merge this? :-) |
|
This would solve my problem of not having root access to my fs! |
|
@justSem: I don't have write permissions |
|
@louislam may someone merge this it would be really helpful ! Thank you ! |
|
Bump. @louislam can we please get this into the next release? |
|
Bumping again and pinging @louislam |
|
@louislam any change this could come in a release? |
|
Obsolete by #4052. |
Description
Fixes #857 and #694
Due to the calling of
setprivas an regular user and some weird env variable stuff which seemed set wrongly to me the application couldn't be launched in docker as a non-root user.(And really, an application like this shouldn't run as root as it simply doesn't need it)
The proposed fix properly sets the environment variables reflecting the actual UID and GID and asseses this before launching.
Type of change
Checklist
Screenshots (if any)
Please do not use any external image service. Instead, just paste in or drag and drop the image here, and it will be uploaded automatically.