openhab-docker icon indicating copy to clipboard operation
openhab-docker copied to clipboard

Published 20 hours ago verified publisher icon openhab

Allow running as non-root

Open ibotty opened this issue 3 years ago • 5 comments

It is possible to run OpenHAB without being root. You will have to jump through some hoops to do so though. It would be great not to have to do that.

Would you consider a pull request adding the option to run the image as a different uid?

ibotty avatar Feb 17 '21 11:02 ibotty

It already runs openHAB as a non root "openhab" user that you can specify using the USER_ID and GROUP_ID env vars.

See: https://github.com/openhab/openhab-docker#environment-variables

wborn avatar Feb 17 '21 12:02 wborn

That's not entirely correct:

++ test -t 0
++ echo true
+ interactive=true
+ set -euo pipefail
+ IFS='
        '
+ '[' limited = unlimited ']'
+ rm -f /openhab/runtime/instances/instance.properties
+ rm -f /openhab/userdata/tmp/instances/instance.properties
+ NEW_USER_ID=3f1e5ad9-5389-4eba-92c7-cde61560f459
+ NEW_GROUP_ID=0
+ echo 'Starting with openhab user id: 3f1e5ad9-5389-4eba-92c7-cde61560f459 and group id: 0'
Starting with openhab user id: 3f1e5ad9-5389-4eba-92c7-cde61560f459 and group id: 0
+ id -u openhab
++ getent group 0
+ '[' -z root:x:0: ']'
++ getent group 0
++ cut -d: -f1
+ group_name=root
+ echo 'Rename group root to openhab'
Rename group root to openhab
+ groupmod --new-name openhab root
groupmod: Permission denied.
groupmod: cannot lock /etc/group; try again later.

This can be worked around with some effort. Also the (version-) update script hardcodes a check for uid 0.

ibotty avatar Feb 17 '21 13:02 ibotty

Yes it does some initial setup as "root" so users can use a custom UID/GID for the "openhab" user, e.g. so it matches those of a user on the host. Afterwards it uses gosu to run openHAB as "openhab". Would you like to skip that setup part when running as non-root user? It probably already has sufficient permissions to do the upgrade as "openhab" user.

wborn avatar Feb 17 '21 15:02 wborn

Yes. That's what I mean. In some environments running as non-root is required. The image is generally suitable for that but not quiet.

I propose to skip this setup (in the entrypoint) when not running as root. In the upgrade skript I would simply warn that it's not running as root or simply drop the check altogether.

ibotty avatar Feb 17 '21 15:02 ibotty

Yes that makes sense to also support such a setup for users who prefer the extra security over customizing UID/GIDs. Skipping the chown command in that case will make the container also start a lot faster on SBCs with slow storage.

wborn avatar Feb 18 '21 09:02 wborn