-
Notifications
You must be signed in to change notification settings - Fork 181
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Run the Seafile server with user other than root #86
Comments
This is more or less a duplicate of #22, which isn't resolved at all. With a custom user specified via docker, start up fails with this exception:
|
This is inherited from phusion/baseimage-docker#264 Looks like my_init being used requires root privileges. It should be configured to start Seafile as seafile, though. |
I tried to implement this for a second, but somehow start up stopped at some point and then I gave up on this. |
You don't need to run all processes as an unprivileged user, just the seafile components (the setup script, seahub.sh, seafile.sh, sf-gc.sh, etc.). Things like mariadb and nginx can run as root because they manage those privileges correctly and fork when needed. The seafile components are ment to be run as unprivileged. |
Maybe the easiest would be to add a seafile user and run start.py using su seafile -c "/scripts/start.py" https://github.com/haiwen/seafile-docker/blob/master/image/seafile/Dockerfile#L18 GC and so on could then be run using Just changing this would lead to an issue though: existing setups would have broken permissions (and some paths need new permissions anyway to make this work). Fixing permissions on start could be an option but doing it naively would take quite some time for larger setups with millions of files. The best would be if user scripts would also deny running them without using the seafile user within the docker container. |
I don't think this should be enforced, but optional. UID and GID variables can be passed to the container intead of hardcoring one, if those are not set then the seafile components should be just run as root |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
This has not been resolved so don't close it |
Is this possible with Seafile 7? This Issue is the only Thing blocking me from using Seafile on Docker. |
@Lordroran I doubt it, the nginx server still runs on the container |
We think that the nginx direction proxy is a component we must rely on, it is necessary to put it in the same container. |
@renfeipeng This is not about nginx running as root, the problem is having seafile and seahub running as root. Even starting them using |
@renfeipeng Why is this closed considering the previous comment? |
Problem is still present with seafile 7 image. |
I was able to get this to work with the following configuration: docker-compose.yml seafile:
image: docker.seadrive.org/seafileltd/seafile-pro-mc:latest
entrypoint: /usr/local/bin/entrypoint.sh
volumes:
- type: bind
source: /etc/localtime
target: /etc/localtime
read_only: true
- type: bind
source: ./entrypoint.sh
target: /usr/local/bin/entrypoint.sh
read_only: true
- type: bind
source: ./gosu
target: /usr/local/bin/gosu
read_only: true
- type: bind
source: ./seafile
target: /shared
read_only: false entrypoint.sh #!/bin/bash
addgroup --gid 988 seafile
useradd -s /bin/bash -u 1000 -m -d /home/seafile -g seafile -k /dev/null seafile
chown seafile:seafile /opt/seafile
sed -i 's!{} start!/usr/local/bin/gosu seafile:seafile {} start!g' /scripts/start.py
/sbin/my_init -- /scripts/start.py gosu was downloaded from https://github.com/tianon/gosu/releases Update the uid and gid in the entrypoint.sh script as required. Don't forget to set the mounted "/shared/seafile" folder to be owned by the same uid:gid. |
To improve upon @techmunk's excellent solution, it's possible to bake it into the image; among other things, this allows the container to be restarted without exploding:
The last line is only relevant if you want/need to rename the memcached host in your setup. |
My experienceI've also tried to run the Seafile server and SeaHub as non-privileged user using a custom Dockerfile similar to the one @lowne posted (using Long story short: I ended up running the Seafile server as Optimal solutionEven though the seafileltd/seafile-mc Docker image is a great improvement through the decoupling of the database and cache into their own containers, in my opinion the only way would be to split the stack even more by getting rid of running multiple processes in a single Docker container like e.g. Better way to handle “hardcoded“ memcached network name/aliasThis is a bit unrelated to the main topic of this issues, but I thought it might help others that stumble across here.
This “fix“ works when using a custom Dockerfile but might be a blocker again for other who don't want or can do it and need another way. I've tried to “fix“ this by simply following the official Seafile documentations about how to add memcached, but for some reason the version: "3.7"
services:
seafile:
image: seafileltd/seafile-mc:7.1.4
networks:
- seafile-net
# ...
seafile-db:
image: mariadb:10.5.4
networks:
- seafile-net
# ...
seafile-cache:
image: memcached:1.6.6
networks:
seafile-net:
aliases:
# Make this service available through the "memcached" alias.
# This is required since the name is hardcoded in the SeaHub source code and configurations in
# the "seahub_settings.py" are not respected.
# See:
# - https://github.com/haiwen/seafile-docker/blob/55930f2/scripts/bootstrap.py#L154
# - https://github.com/haiwen/seafile-docker/issues/86#issuecomment-670362046
# - https://docs.docker.com/compose/compose-file/#aliases
- memcached
# ... This way my memcached container is reachable for all other containers in the |
Is this problem solved? |
@bryanc12 not solved as of right now |
Is this improvement on the worklist anytime soon? |
I'm at the point where I need to migrate my Rocky Linux installation because centOS support ist dropped now. I wanted to use docker, but this is holding me back. I don't know why "productive" containers with root still exist? I can find articles even from 2017 that say, that containers with root are not a good idea ;). Is there anything on the roadmap to fix this? Thanks in advance. |
Are there any new on this? |
Trying to build my own docker image using SQLite, I found that there is a non-documented environment variable |
Excuse me but I think that you and some other users in this thread are misunderstanding a couple of things here. The root user inside the container does not equal the host root user. The container runtime controls root access to the host system with so called capabilities. If those are not set, the users inside the container have no root access on the host. What you probably read about is running the container runtime itself as non-root user, also called rootless. Docker has introduced this as experimental feature and there are runtimes, like CRI-O, which run rootless by default. |
@ggogel I think some of us are just tired of getting files owned by root (the host root) on the host side. It's very hard to backup or migrate those files. |
@JokerQyou As I already explained in my repository, the only proper solution for this is running a rootless container runtime, which solves the problem at the root. Pun not intended. Otherwise you'll just end up trying to find workarounds for each and every deployment. |
Since version 10, Seafile docker can be run with non root user: https://manual.seafile.com/docker/deploy_seafile_with_docker/#run-seafile-as-non-root-user-inside-docker Feedbacks are welcome. |
Why is there a limitation that the rootless user must be called |
We think making the user changable adding unnecessary complexity to the Seafile docker. We don't have a plan to support it. |
I've tried using the solution described in the Seafile documentation. However, it isn't practical for any realistic number of files, since it does a chown recursively for everything, every time the container starts. |
I've switched to using seafile-containerized since as it seems more polished (bundling nginx inside another image seems questionable) and I've had no issues running it under podman rootlessly. Would be nice to see the official images get more improvements though |
To facilitate migration from the native environment where seafile ran as a regular user (other than root). The server can then run under UID of the user that owned the server files previously.
I suppose this can also be taken advantage of by more paranoid users that don't like WWW services to be unnecessarily run as root, even on containers.
The text was updated successfully, but these errors were encountered: