Arthur Barr

This has been discussed with the development team, and we'd appreciate some more information on why the `com.ibm.mq.jakarta.connector.jar` file needs to be available as a separate download. It’s designed to...

Thank you for the quick reply, and for raising the official idea. The development team will be reviewing this.

From MQ 9.2.5, the container samples and any pre-built images do not allow OS (Linux/PAM) users at all. See [Security constraints on the use of operating system users in containers](https://www.ibm.com/docs/en/ibm-mq/9.4.x?topic=uaamic-security-constraints-use-operating-system-users-in-containers)....

All pre-built images from IBM are built from the same code, which doesn't allow OS users. This is a security measure, as OS users in multi-tenant container environments can pose...

All the files in the container image have permissions granted to GID 0. You can use whatever UID you wish, but you have to use that GID. The normal approach...

The container code assumes that the user for the container is always in group ID 0. It looks like you've set the UID to 200 and the GID to 200....

MQ uses GID 0, because that's what's recommended by Red Hat when running in OpenShift Container Platform. See [Does a containerized process running with a group ID of 0 present...

Try running with the `DEBUG` environment variable set to `true`, and you'll see some more information, including file permissions on the mounted storage.

Thanks @chughts. @RamSubbarao could you please update this doc? Relevant link confirming that Docker Compose can also be used: https://docs.docker.com/compose/how-tos/use-secrets/

@chughts why do you suggest that creating the secret via an environment variable would be an improvement? The reason we're moving away from environment variables in the first place, is...