
Refactor Alcove dev container to run rootless #361

Merged
bmbouter merged 2 commits into main from rootless-alcove-dev-container
Apr 21, 2026

Conversation

@bmbouter
Owner

Summary

Refactors build/Containerfile.dev to run entirely as a non-root user (UID 1001), making the Alcove dev container compatible with OpenShift's restricted-v2 SCC and Kubernetes runAsNonRoot: true security contexts.

Changes

build/Containerfile.dev:

  • Creates alcove user/group (UID/GID 1001)
  • PostgreSQL initialized and run as UID 1001 (not postgres) — PostgreSQL only requires PGDATA ownership
  • All runtime dirs (/var/lib/postgresql, /var/run/postgresql, /workspace, /run/s6) owned by 1001
  • S6_READ_ONLY_ROOT=1 — tells s6-overlay to use /run for state instead of /
  • Final USER 1001 — container runs as non-root by default
  • s6-overlay v3 supports running as non-root natively

build/s6-services/postgres/run:

  • Removed su postgres -c wrapper — postgres runs directly as the container user

Why

The Alcove dev container uses s6-overlay to manage PostgreSQL, NATS, and the shim binary. Previously it ran as root, which fails on OpenShift where restricted-v2 SCC enforces runAsNonRoot: true. This matches the same rootless pattern applied to the pulp dev container in pulp/pulp-service#1075.

Verified locally

  • All services start as UID 1001 (zero root processes)
  • Shim healthz responds OK
  • PostgreSQL accepts connections
  • NATS responds on monitoring port
  • go test ./... passes (no Go code changed)

Test plan

  • CI passes (dev-container-tests job builds and tests the image)
  • All existing unit and functional tests unaffected
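
The rootless pattern the description lists, written out as an added illustration; this is not Alcove's build/Containerfile.dev. The base image, package names, PGDATA path, the initdb binary path and the s6-overlay installation and service layout are assumptions.

```dockerfile
# Added illustration of the rootless dev-container pattern; not the project's file.
# Assumption: Debian base with distro PostgreSQL; versions are not pinned here.
FROM docker.io/library/debian:bookworm-slim

RUN apt-get update && apt-get install -y --no-install-recommends postgresql \
    && rm -rf /var/lib/apt/lists/*

# Dedicated non-root identity with a fixed UID/GID so file ownership is
# predictable across rebuilds and satisfies runAsNonRoot / runAsUser checks.
RUN groupadd -g 1001 alcove \
    && useradd -u 1001 -g 1001 -m -s /bin/bash alcove

# Assumption: s6-overlay v3 has been unpacked into / by an earlier step (omitted).
# S6_READ_ONLY_ROOT=1 makes s6-overlay keep its runtime state under /run/s6
# instead of writing into /. /run itself is root-owned, so the directory is
# pre-created and chowned at build time; PostgreSQL only needs PGDATA (and its
# socket dir) to be owned by the UID that runs the server.
ENV S6_READ_ONLY_ROOT=1 \
    PGDATA=/var/lib/postgresql/data
RUN mkdir -p /var/lib/postgresql /var/run/postgresql /workspace /run/s6 \
    && chown -R 1001:1001 /var/lib/postgresql /var/run/postgresql /workspace /run/s6

# Service definitions copied with the container user's ownership.
# Assumption: the postgres run script is plain `exec postgres -D "$PGDATA"`,
# with no `su postgres -c` wrapper, so it inherits the container UID.
COPY --chown=1001:1001 build/s6-services/ /etc/s6-overlay/s6-rc.d/

# Initialize the cluster as UID 1001 rather than as the `postgres` account.
# Assumption: initdb path for the bookworm PostgreSQL 15 package.
USER 1001
RUN /usr/lib/postgresql/15/bin/initdb -D "$PGDATA"

# Final USER is non-root: every process s6-overlay starts runs as 1001,
# so no privilege escalation is needed at runtime.
USER 1001
ENTRYPOINT ["/init"]
```

A quick check that matches the "Verified locally" list is to run the image and confirm `id -u` reports 1001 and that no process in the container is owned by UID 0.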

bmbouter and others added 2 commits April 21, 2026 13:02
Replace root-based process execution with a dedicated alcove user (UID 1001).
PostgreSQL initdb and all s6 services now run as non-root, enabling the container
to pass OpenShift's runAsNonRoot enforcement without privilege escalation.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

s6-overlay needs to create runtime state under /run/s6/ but /run is
root-owned. Pre-create and chown to UID 1001 at build time.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
github-actions bot added the label awaiting-review (CI passed, PR ready for reviewer agent) Apr 21, 2026
bmbouter merged commit 7180fac into main Apr 21, 2026
10 checks passed
bmbouter deleted the rootless-alcove-dev-container branch April 21, 2026 17:19