Run/Install Harbor as non-root user #17494
Comments
https://docs.docker.com/engine/install/linux-postinstall/
Same problem.
$ cat docker-compose.yml | grep env_file -A1
env_file:
- ./common/config/registryctl/env
--
env_file:
- ./common/config/db/env
--
env_file:
- ./common/config/core/env
--
env_file:
- ./common/config/jobservice/env
--
env_file:
- ./common/config/exporter/env
$ ls -Al common/config/*/env
-rw-r----- 1 root root 1807 Sep 15 12:22 common/config/core/env
-rw-r----- 1 root root 25 Sep 15 12:22 common/config/db/env
-rw-r----- 1 root root 759 Sep 15 12:22 common/config/exporter/env
-rw-r----- 1 root root 585 Sep 15 12:22 common/config/jobservice/env
-rw-r----- 1 root root 64 Sep 15 12:22 common/config/registryctl/env
Yes, I strongly encourage the maintainers to provide Harbor images and a setup which does not run the containers as root.
Hi @MinerYang and @wy65701436! Thanks!
I am using v2.6.0 and tried to install it with the installation script (docker-compose). I also can't run it with a specific harbor user and would be interested in running it without root. Thanks a lot
This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.
This shouldn't be stale, as the question of @AlexBarth13 was never answered.
Hi @reasonerjt, @steven-zou - maybe in your roles as tech lead and chief architects of Harbor you could give advice to the community or to @stonezdj on how best to handle this. I think running containers as root without a real requirement for it is a security flaw that counters the ideas of k8s deployments.
Just got the same issue here with Harbor 2.8.0. Please give us the possibility to use a non-root user or detailed instructions on how to change it afterwards.
I find the problem pretty strange. Why does harbor need the root user?
Instead of mounting the docker socket you could simply add the non-root user to the docker group.
This is not a problem with the rights to execute docker; the problem is that the prepare container from harbor runs as root (which containers do). So the following attempts to access docker-compose.yml or the configs in the common dir will fail if you are not root.
So in this situation you are kinda stuck and you would still need root / docker to work around the permissions issue.
Funnier still, the files inside of config have different ownership:
So again, chowning everything here would probably break portal and jobservice...
@wy65701436 any hints on when someone may find some time to look at this? This seems like an issue that requires attention, however the community hasn't seen any comment in over a year now.
Following for (hopeful) updates.
Harbor v2.7.3: we also faced this issue. Taking into account that running a container as the root user definitely isn't the best way to deploy services, it's very strange that no solution for this issue is provided. Also, running the "docker-compose" command under the "root" user leads to another problem - you have to manually run "docker-compose up ..." after a machine reboot since most of the project containers are not able to start
Hi @MinerYang and @wy65701436, is there anything that could be contributed? Any hint in the right direction would be appreciated.
@cdm-arm I'm using Bitnami's release of rootless Harbor. It's less than ideal as their documentation is weak if you're not running it on AWS or K8s. But I got it working on a bare RHEL 8 box.
It has been so many years now, but this issue is still active and has not been fixed. o(╥﹏╥)o
I think I found a solution. I executed the following commands during the installation (my non-root user is named docker_user):
As root user:
- wget https://github.com/goharbor/harbor/releases/download/v2.10.0/harbor-online-installer-v2.10.0.tgz
- tar xzvf harbor-online-installer-v2.10.0.tgz
- docker run -v /:/hostfs goharbor/prepare:v2.10.0 gencert -p /path/to/internal/tls/cert
- ./install.sh --with-trivy
- docker compose down
- cd ..
- chown -R docker_user:docker_user harbor
Then I ran the installation again as non-root (in this step, the permissions are partially adjusted correctly):
- ./install.sh --with-trivy
Then I had to adjust the permissions for various env files (as root):
- chown docker_user:docker_user common/config/jobservice/env
- chown docker_user:docker_user common/config/db/env
- chown docker_user:docker_user common/config/registryctl/env
- chown docker_user:docker_user common/config/trivy-adapter/env
- chown docker_user:docker_user common/config/core/env
I was then able to start the container as docker_user:
- docker compose up -d
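A preflight check for the situation this thread describes (root-owned 0640 env files referenced by docker-compose.yml that the non-root compose user cannot read), added here as an example and not code from the issue or from Harbor: it collects the env_file entries the way the grep earlier in the thread does and reports, from the mode bits alone, which ones a given uid could not read, so the chown step can be done before docker compose up fails. The sample tree is constructed; the uid and gid arguments stand in for the non-root user (e.g. docker_user) and are assumptions.

```python
import os, pathlib, re, shutil, stat, tempfile

def env_files_from_compose(compose_path):
    """Collect the list items under each "env_file:" key (minimal scanner, no PyYAML)."""
    paths, in_list = [], False
    for line in pathlib.Path(compose_path).read_text().splitlines():
        item = re.match(r"^\s*-\s*(\S+)\s*$", line) if in_list else None
        if item:
            paths.append(item.group(1))
        else:
            in_list = line.strip() == "env_file:"
    return paths

def unreadable_for(path, uid, gids):
    """Reason a non-root uid (member of gids) cannot read path, judged like the kernel: owner bits, else group, else other."""
    st = os.stat(path)
    bit = stat.S_IRUSR if st.st_uid == uid else stat.S_IRGRP if st.st_gid in gids else stat.S_IROTH
    if st.st_mode & bit:
        return None
    return "%s is %d:%d mode %o" % (path, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))

def check_env_files(compose_path, uid, gids):
    """One message per env_file that the given uid could not read (or that is missing)."""
    base = os.path.dirname(os.path.abspath(compose_path))
    problems = []
    for rel in env_files_from_compose(compose_path):
        full = os.path.normpath(os.path.join(base, rel))
        why = unreadable_for(full, uid, gids) if os.path.exists(full) else full + " is missing"
        if why:
            problems.append(why)
    return problems

def demo():
    """Constructed sample tree (not real Harbor output): core/db env files at 0640 as in the listing, jobservice at 0644."""
    root = tempfile.mkdtemp()
    compose = "services:\n"
    for svc, mode in (("core", 0o640), ("db", 0o640), ("jobservice", 0o644)):
        os.makedirs(os.path.join(root, "common/config", svc))
        env = os.path.join(root, "common/config", svc, "env")
        pathlib.Path(env).write_text("KEY=value\n")  # placeholder content
        os.chmod(env, mode)
        compose += "  %s:\n    env_file:\n      - ./common/config/%s/env\n" % (svc, svc)
    path = os.path.join(root, "docker-compose.yml")
    pathlib.Path(path).write_text(compose)
    # The current user stands in for root (file owner); uid+1 with no groups stands in for docker_user.
    result = {"as_owner": check_env_files(path, os.getuid(), {os.getgid()}),
              "as_other": check_env_files(path, os.getuid() + 1, set())}
    shutil.rmtree(root)
    return result
```

Run against a real install as `check_env_files("harbor/docker-compose.yml", uid, gids)` with the non-root user's ids; an empty list means every env file is readable before starting compose.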
Hi all, there are 2 main reasons that we have not set up the Harbor offline installation to run as non-root.
Thus we currently have no plans to officially enable running the offline installer as non-root. Instead you could choose to use harbor-helm to get rid of this concern.
Thanks for (finally 🙃) explaining that! I think this information could use a proper place in the documentation somewhere.
Bitnami managed it. We're running their version now. I like @Suppi123's solution too. I would have tried that if I hadn't already got Bitnami to work.
I also found out about the Bitnami image recently and will use it in the future. Non-root containers are possible and we like them more here.
harbor-helm is also running as non-root
@ngoeddel-openi and @dlewis7444 are you running on Kubernetes or on a docker host with docker-compose?
We run it with
Same - although podman, not docker.
Hi all,
We are using Harbor v2.5.0 in Docker containers on a Linux virtual machine.
During some tests, we noticed that those containers have to run as the root user. If we tried to start them as non-root users, we got the following issue:
Are there any plans to change this in the future to increase security?
Thank you in advance!
Alexander Barth (alexander.barth@mercedes-benz.com) on behalf of Mercedes-Benz Tech Innovation GmbH