
allow running as non-root

Open ibotty opened this issue 7 years ago • 7 comments

It would be great to run the container as non-root, preferably as random-non-root (via nss-wrapper). That's necessary for restricted kubernetes (e.g. openshift).

If you agree, I can provide a patch.

ibotty avatar Feb 20 '17 12:02 ibotty

agreed :)

On 20-02-2017 12:46, Tobias Florek wrote:

It would be great to run the container as non-root, preferably as random-non-root (via ld-wrapper). That's necessary for restricted kubernetes (e.g. openshift).

If you agree, I can provide a patch.

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/piwik/docker-piwik/issues/55, or mute the thread https://github.com/notifications/unsubscribe-auth/ABxvHQIPTnJn58yBbCNXAyiMBVIRZJgMks5reYsagaJpZM4MGIjo.

-- I use PGP to protect our privacy, if you want to know more, you can follow this https://emailselfdefense.fsf.org/en/

If you have further questions, please do not hesitate to ask. You can verify my public key here: https://keybase.io/pierreozoux

pierreozoux avatar Feb 20 '17 13:02 pierreozoux

Hello all, was there any progress with this PR? It looks ready for merging :-) I am mostly just checking as I wanted to run the Apache version of piwik container on OpenShift v3 (www.openshift.com) and it failed at startup because it could not write to logs.

mkosek avatar Nov 16 '17 14:11 mkosek

I've built an alpine-based image for piwik, runs as user 1000 by default https://github.com/wodby/matomo, we run it in kubernetes with nginx

csandanov avatar Mar 23 '18 11:03 csandanov

I've been wondering if this is on the agenda?

superseacat avatar Jun 06 '18 17:06 superseacat

I'm not sure if this is necessary. See also the discussion here. Some images are using gosu, but this seems not to be necessary all the time: https://github.com/tianon/gosu/#chroot

@tianon are there any best practices on this topic?

J0WI avatar Jun 10 '18 17:06 J0WI

I do think it is necessary. The original problem is still there and will not be going away. Using non-root uid is strictly more secure than using user namespaces, and that won't change in the near future.

ibotty avatar Jun 10 '18 17:06 ibotty

I think the contents of https://github.com/docker-library/docs/pull/1215 are probably relevant here -- I imagine given a volume with appropriate permissions for the user the container gets run as, this will mostly just work out of the box.

tianon avatar Jun 11 '18 21:06 tianon
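The three problems raised in this thread (an arbitrary UID with no passwd entry, as with OpenShift's restricted SCC and the nss-wrapper suggestion in the opening post; the Apache image failing at startup because it could not write to logs; and tianon's point that it mostly works once the volume is writable by the UID the container runs as) can all be handled in the entrypoint. The script below is an added example written for this page, not code from docker-piwik or from any of the commenters. It assumes a user name `matomo`, an application root of `/var/www/html`, and that `libnss_wrapper.so` lives at `/usr/lib/libnss_wrapper.so` (the path differs between Debian and Alpine, so it is overridable through `NSS_WRAPPER_LIB`); the `docker-entrypoint.sh` file name is likewise an assumption.

```shell
#!/bin/sh
# Added example (not docker-piwik's own entrypoint): start Matomo under an
# arbitrary, non-root UID, as OpenShift's restricted SCC assigns.
# Two conditions must hold before Apache/PHP are exec'd:
#   1. the UID has a passwd entry, otherwise getpwuid() fails and Apache
#      refuses to start; nss_wrapper supplies one without writing /etc/passwd;
#   2. config, tmp and logs are writable by that UID, which on OpenShift means
#      writable by GID 0, the supplementary group every arbitrary UID gets.
# "matomo", /var/www/html and the nss_wrapper library path are assumptions.
set -eu

APP_HOME="${APP_HOME:-/var/www/html}"
WRITABLE_DIRS="${WRITABLE_DIRS:-$APP_HOME/config $APP_HOME/tmp $APP_HOME/logs}"

# Print the passwd line for UID $1 / GID $2. Home is APP_HOME so nothing
# tries to write under /root; the shell is nologin.
make_passwd_entry() {
    printf 'matomo:x:%s:%s:Matomo:%s:/sbin/nologin\n' "$1" "$2" "$APP_HOME"
}

# Return 0 when UID $1 already has an entry in passwd file $2.
uid_in_passwd() {
    awk -F: -v u="$1" '$3 == u { found = 1 } END { exit found ? 0 : 1 }' "$2"
}

# Build the passwd file nss_wrapper will serve: copy the system file $3
# (read-only in the image) to $4 and append UID $1 / GID $2 if missing.
# Prints the path of the generated file.
prepare_passwd() {
    cp "$3" "$4"
    if ! uid_in_passwd "$1" "$4"; then
        make_passwd_entry "$1" "$2" >> "$4"
    fi
    printf '%s\n' "$4"
}

# Print every directory in "$@" the current process cannot write to, one per
# line, and return 1 if there was any (the mkosek "could not write to logs"
# failure, surfaced before Apache starts instead of in its error log).
check_writable() {
    rc=0
    for d in "$@"; do
        if [ ! -d "$d" ] || [ ! -w "$d" ]; then
            printf '%s\n' "$d"
            rc=1
        fi
    done
    return $rc
}

main() {
    uid="$(id -u)"; gid="$(id -g)"
    if [ "$uid" != 0 ] && ! uid_in_passwd "$uid" /etc/passwd; then
        lib="${NSS_WRAPPER_LIB:-/usr/lib/libnss_wrapper.so}"   # assumed path
        if [ -f "$lib" ]; then
            NSS_WRAPPER_PASSWD="$(prepare_passwd "$uid" "$gid" /etc/passwd /tmp/passwd)"
            NSS_WRAPPER_GROUP=/etc/group
            LD_PRELOAD="$lib"
            export NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP LD_PRELOAD
        else
            echo "warning: uid $uid has no passwd entry and nss_wrapper is not installed" >&2
        fi
    fi
    # shellcheck disable=SC2086  (WRITABLE_DIRS is a deliberate word list)
    if ! bad="$(check_writable $WRITABLE_DIRS)"; then
        echo "error: not writable by uid $uid / gid $gid:" >&2
        echo "$bad" >&2
        echo "fix in the Dockerfile: chgrp -R 0 <dir> && chmod -R g=u <dir>" >&2
        exit 1
    fi
    exec "$@"
}

# Run only when invoked as the entrypoint, so the functions can be sourced.
case "${0##*/}" in
    docker-entrypoint.sh) main "$@" ;;
esac
```

The `chgrp -R 0` / `chmod -R g=u` step belongs in the Dockerfile, not the entrypoint: the image must be built so that GID 0 can write the data directories, because at run time the process has no privilege to fix ownership. Note that a privileged check such as `[ -w ]` always succeeds for root, so the writability test only tells you something when the container really does run as non-root.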