Stirling-Tools
No documentation on how to run Stirling-PDF as non-root in a docker container
I don't see any description anywhere for how to run Stirling-PDF as non-root. Can someone please provide some pointers there? I tried the normal - user: "1234:1234" in docker-compose and a few combinations of dropping volumes while accepting to lose features, but none of that works.
Can you please add something to docs on this? There are security implications to running everything as root, especially in a system where files can be uploaded to a server.
Trying to consider if i want to do
- user: "1234:1234"
or have it like
- PUID=1234
- PGID=1234
- UMASK=022
what are your thoughts?
Whichever works for you. I have no preference. The most important thing is to have all processes run as non-root out of the box.
Trying to consider if i want to do
- user: "1234:1234"
or have it like
- PUID=1234
- PGID=1234
- UMASK=022
what are your thoughts?
Much prefer the environment variables myself. Great to see you asking the users what they would like.
Hey, just going to leave some notes!
Using PUID and PGID means that the container have to run as root and then drop privileges to the specified PUID/PGID.
While using the user directive, the whole container runs as the specified user.
In a lot of kubernetes clusters, the only viable solution is the second, as there are policies completely blocking running any workload as root. And also this is the "recommended/best practive" way.
I'd really prefer the user directive, of course I don't "expect" this to happen, but just leaving me "preference" here!
Thanks
Hi folks, first thanks for the efforts in getting this set up so we can run it as non-root users.
I've just tried to do it very briefly and I seem to get the following errors in the logs. I have a pretty simple config - a non-root user called stirling (UID/GID 1002). I've done
export PUID=1002 export PGID=1002 export UMASK=022
Invoking it like:
docker run -d -p 8080:8080 -v ./trainingData:/usr/share/tesseract-ocr/5/tessdata -v ./extraConfigs:/configs -v ./logs:/logs -e DOCKER_ENABLE_SECURITY=true --name stirling-pdf frooodle/s-pdf:latest
Copying original files without overwriting existing files /scripts/init.sh: line 19: usermod: command not found id: unknown user stirlingpdfgroup /scripts/init.sh: line 23: groupmod: command not found Setting permissions and ownership for necessary directories... Running Stirling PDF with DOCKER_ENABLE_SECURITY=true and VERSION_TAG=0.22.0 Trying to download from: https://github.com/Stirling-Tools/Stirling-PDF/releases/download/v0.22.0/Stirling-PDF-with-login.jar % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 100 106M 100 106M 0 0 74.3M 0 0:00:01 0:00:01 --:--:-- 119M Picked up JAVA_TOOL_OPTIONS: -XX:MaxRAMPercentage=75
... usual startup stuff
The server starts OK as expected, but I don't see any processes running as the stirling user if I do ps auxwww (not a Docker expert so not sure if I would normally here).
Just wanted to flag those errors relating to the /scripts/init.sh calls in case they are relevant.
Thanks
@Frooodle : OK, the errors are gone and it's successfully running - but it seems to have started with the wrong UID?
I have started with PUID/PGID = 1002, which is a new user I created called stirling. But when I look in ps, I see the java process running under the username of UID 1000.
I couldn't figure out how it loaded at all at first (I have TLS certs in the same directory), but I see it has also chown'ed the extraConfigs and logs directory away from the stirling user to my UID 1000 user, so it can access them.
It's possible I have done something with in the setting of the environment variables here - if I type 'set | grep -E 'P(G|U)ID'` I get:
PGID=1002
PUID=1002
.. and I've confirmed in my /etc/passwd & /etc/group files that the stirling UID is definitely 1002. So I'm a bit confused here!
edit: just saw this PR, where I can see the UID/GID are hardcoded in the Dockerfile to be 1000, which I guess might be the cause? https://github.com/Stirling-Tools/Stirling-PDF/pull/883/commits/70bbcf1f7e159b74e48840c2087fd784a5e543d8
@Frooodle : OK, the errors are gone and it's successfully running - but it seems to have started with the wrong UID?
I have started with PUID/PGID = 1002, which is a new user I created called
stirling. But when I look inps, I see the java process running under the username of UID 1000.I couldn't figure out how it loaded at all at first (I have TLS certs in the same directory), but I see it has also chown'ed the extraConfigs and logs directory away from the
stirlinguser to my UID 1000 user, so it can access them.It's possible I have done something with in the setting of the environment variables here - if I type 'set | grep -E 'P(G|U)ID'` I get:
PGID=1002 PUID=1002.. and I've confirmed in my /etc/passwd & /etc/group files that the
stirlingUID is definitely 1002. So I'm a bit confused here!edit: just saw this PR, where I can see the UID/GID are hardcoded in the Dockerfile to be 1000, which I guess might be the cause? https://github.com/Stirling-Tools/Stirling-PDF/pull/883/commits/70bbcf1f7e159b74e48840c2087fd784a5e543d8
Those values are just there to be overridden by the user If a user sets a docker env it should replace those That value is just the default
Woops, sorry, of course - I forgot Docker doesn't just inherit the current environment variables but they need to be specified.
Looks like it's working now - I can see the java process running under the correct UID. Thanks for the prompt fix & replies!
I'm sorry, is this now solved? I still don't see documentation to run this in docker as non-root.