Docker container cannot run as non-root user
When creating a non-root user and specifying that user in the docker-compose.yml, the image cannot start:
```
ives@Hostname[ ~/oxidized ]$ docker compose up
[+] Running 1/0
 ⠿ Container oxidized-oxidized-1  Recreated                                0.0s
Attaching to oxidized-oxidized-1
oxidized-oxidized-1  | *** Killing all processes...
oxidized-oxidized-1  | Traceback (most recent call last):
oxidized-oxidized-1  |   File "/sbin/my_init", line 414, in
oxidized-oxidized-1  |     main(args)
oxidized-oxidized-1  |   File "/sbin/my_init", line 330, in main
oxidized-oxidized-1  |     import_envvars(False, False)
oxidized-oxidized-1  |   File "/sbin/my_init", line 90, in import_envvars
oxidized-oxidized-1  |     for envfile in listdir("/etc/container_environment"):
oxidized-oxidized-1  |   File "/sbin/my_init", line 74, in listdir
oxidized-oxidized-1  |     return sorted(os.listdir(path))
oxidized-oxidized-1  | PermissionError: [Errno 13] Permission denied: '/etc/container_environment'
oxidized-oxidized-1 exited with code 1
oxidized-oxidized-1  | *** Killing all processes...
oxidized-oxidized-1  | Traceback (most recent call last):
oxidized-oxidized-1  |   File "/sbin/my_init", line 414, in
oxidized-oxidized-1  |     main(args)
oxidized-oxidized-1  |   File "/sbin/my_init", line 330, in main
oxidized-oxidized-1  |     import_envvars(False, False)
oxidized-oxidized-1  |   File "/sbin/my_init", line 90, in import_envvars
oxidized-oxidized-1  |     for envfile in listdir("/etc/container_environment"):
oxidized-oxidized-1  |   File "/sbin/my_init", line 74, in listdir
oxidized-oxidized-1  |     return sorted(os.listdir(path))
oxidized-oxidized-1  | PermissionError: [Errno 13] Permission denied: '/etc/container_environment'
oxidized-oxidized-1 exited with code 1
oxidized-oxidized-1  | *** Killing all processes...
oxidized-oxidized-1  | Traceback (most recent call last):
oxidized-oxidized-1  |   File "/sbin/my_init", line 414, in
oxidized-oxidized-1  |     main(args)
oxidized-oxidized-1  |   File "/sbin/my_init", line 330, in main
oxidized-oxidized-1  |     import_envvars(False, False)
oxidized-oxidized-1  |   File "/sbin/my_init", line 90, in import_envvars
oxidized-oxidized-1  |     for envfile in listdir("/etc/container_environment"):
oxidized-oxidized-1  |   File "/sbin/my_init", line 74, in listdir
oxidized-oxidized-1  |     return sorted(os.listdir(path))
oxidized-oxidized-1  | PermissionError: [Errno 13] Permission denied: '/etc/container_environment'
```
Inside the .runit file, which seems to be responsible for executing the user-level stuff, the following is stated:

```bash
#!/bin/bash
exec setuser root oxidized
```
So it seems like the docker container was not designed to run as a non-root user. At the same time, the main readme file states:

It is recommended not to run Oxidized as root.

The two are in stark contrast. Even if it is within a container, containers are not known for being difficult to break out of, especially if you have root within the container.
Hey @Ivesvdf probably my solution is worth checking https://github.com/agrevtcev/oxidized/tree/run_oxidized_non_root
Br, Alex
Thanks, added it to my setup.
For a permanent solution in the repo it would probably be best to propagate which userid and groupid to use from some environment variables on the host system.
@Ivesvdf I've made a small change to parameterize UID and GID on container build. Is it what you propose?
Exactly yes.
So here it is
https://github.com/ytti/oxidized/pull/2657
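As an added example, not code from this thread or from the Oxidized repository, the following Dockerfile sketch shows the pattern the discussion converges on: UID and GID come in as build arguments, the phusion-style init (`/sbin/my_init`) still starts as root, and the runit service script drops privileges with `setuser` instead of the `exec setuser root oxidized` quoted above. The base image tag, the `oxidized` executable being on PATH, and the config path under the service account's home are assumptions.

```dockerfile
# Added example, not the Oxidized project's Dockerfile.
# Assumptions: a phusion/baseimage-derived base that ships /sbin/my_init and
# setuser (the tag below is an assumption), and an `oxidized` executable on PATH.
FROM phusion/baseimage:jammy-1.0.1

# UID/GID are build arguments so the host can pass its own ids, e.g.
#   docker compose build --build-arg OXIDIZED_UID=$(id -u) --build-arg OXIDIZED_GID=$(id -g)
ARG OXIDIZED_UID=1000
ARG OXIDIZED_GID=1000

# Dedicated, unprivileged service account: no login shell, no password set.
RUN groupadd --gid "${OXIDIZED_GID}" oxidized \
 && useradd --uid "${OXIDIZED_UID}" --gid "${OXIDIZED_GID}" \
            --create-home --home-dir /home/oxidized \
            --shell /usr/sbin/nologin oxidized

# Config and state live under the service account's home so they are
# writable without root (path is an assumption).
RUN mkdir -p /home/oxidized/.config/oxidized \
 && chown -R "${OXIDIZED_UID}:${OXIDIZED_GID}" /home/oxidized

# runit service. my_init (PID 1) must stay root: it reads
# /etc/container_environment, which is exactly what fails in the traceback
# above when the whole container is started as a non-root user.
# Privileges are therefore dropped here, per service, not for the init.
RUN mkdir -p /etc/service/oxidized \
 && printf '%s\n' \
      '#!/bin/bash' \
      'exec setuser oxidized oxidized' \
      > /etc/service/oxidized/run \
 && chmod 0755 /etc/service/oxidized/run

# Deliberately no USER instruction here and no `user:` in docker-compose.yml:
# either one would run my_init unprivileged and reproduce the PermissionError.
CMD ["/sbin/my_init"]
```

Passing the host's own ids matters when the config directory is bind-mounted from the host: the files must be owned by the same numeric UID/GID inside and outside the container, or the now unprivileged process cannot read or write them. To confirm the privilege drop actually happened, run `docker top <container>` on the host: the init should show UID root and the oxidized process the UID you passed in.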