Unable to run docker image without ending up as root

[lucasgcbkhomp]

Hello,

I've been trying to run the eclipse-mosquitto:2 image and I've noticed it runs as root by default.

I've also noticed in the dockerfile a mosquitto user is created under group 1883. What is it being used for?

By swapping to the mosquitto user in a Dockerfile (USER mosquitto), I cannot use volumes properly because it is not part of the 1000 group for Linux users (for instance, when updating a dynamic-security.json record in a volume). Is this intended? Other images I know of group the user to 1000 to avoid this sort of problem.

What is the intended way to run as user? Are volumes meant to be disencouraged with this image?

Thanks.

[shantanoo-desai]

@lucasgcbkhomp You can set the container's username and group either via the command line during docker run ... or in docker-compose.yml file via user key.

[NorbertHeusser]

If the mosquitto broker is started as root it will read it's config file and by default do a priviledges drop by using a setuid call to switch to the mosquitto user. Or to the user specified in the mosquitto.conf file. This behavior is independent on running inside a docker container or running outside a container. So once the broker is started the userid inside the container is the mosquitto userid you noticed in the dockerfile. For a docker container the additional docker userid mapping may happen as well (dependent on you docker config).

[ralight]

In addition to the other points raised, the develop branch now also supports the PUID and PGID docker environment variables, so in 2.1 you will be able to choose the user and group it changes to more conveniently. I believe that means this issue is resolved, I'm trying to tidy resolved issues, so I'm going to close this. If you disagree, please feel free to reopen the issue and add more information.