
Be able to set UID and GID in Docker rootless image #607

Closed
2 of 3 tasks
maxwai opened this issue Nov 1, 2023 · 8 comments

Comments

@maxwai

maxwai commented Nov 1, 2023

What is the problem you are trying to solve with this feature?

Currently the rootless image forces a uid and gid to use.
A better approach is letting the user choose the uid and gid so that the owners of files on the mapped volumes are consistent with the host filesystem.

What is the solution you are proposing?

A good solution that works well is setting environment variables that will then allow the run script to be run as any user wanted. And if these are not given, default values will be used. This is the way LinuxServer.io does it with their images, as explained here.

This also eliminates the need for separate rootless and root images, since the image can run rootless if the environment variables are given and as root if they are not given.

What alternatives have you considered?

No response

Additional context

Here is an example of how LinuxServer.io does it; of course, this would need to be changed to work with this application.

Contributions

  • I have searched through existing issues and feature requests to see if my idea has already been proposed.
  • If this feature is accepted, I would be willing to help implement and maintain this feature.
  • If this feature is accepted, I'm willing to sponsor the development of this feature.
@brhahlen

Yes, this would be great

@maxwai
Author

maxwai commented Feb 13, 2024

Bumping this to get feedback on whether I can go ahead and implement this.

@hay-kot
Owner

hay-kot commented Feb 14, 2024

Sorry for the delay! Yes, I'd be happy to accept a PR for this. I think matching the LinuxServer implementation is a good idea.

@maxwai
Author

maxwai commented Feb 14, 2024

Thanks, will work on it

@Sudneo
Contributor

Sudneo commented Feb 15, 2024

@maxwai, I am slightly late to the party, but I discussed the same topic in another issue.

I think this might not be necessary, as you can already override the UID/GID for the distroless image using the native directive for users (-u for docker run, user: for compose or securityContext.runAsUser for Kubernetes). I showed a small test in the linked issue which should solve the problem presented in the OP.

@maxwai
Author

maxwai commented Feb 15, 2024

> @maxwai, I am slightly late to the party, but I discussed the same topic in another issue.
>
> I think this might not be necessary, as you can already override the UID/GID for the distroless image using the native directive for users (-u for docker run, user: for compose or securityContext.runAsUser for Kubernetes). I showed a small test in the linked issue which should solve the problem presented in the OP.

While it is true that you can set the running user with these options, you do need to install extra packages and kernel options for it to work as described in the docs. While this is not a problem on most systems, there are systems (especially server/NAS OSes) where this is not possible.

@Sudneo
Contributor

Sudneo commented Feb 15, 2024

I don't think so; what you referred to is the use of user namespaces in Docker (which are not used by default). That doesn't help in this particular problem because it's just a way to map UIDs inside containers to UIDs on the host, with a static mapping (so you still have a fixed user for all the rootless images using 65532).

I am talking about this:

docker run --help | grep user 
  -u, --user string                      Username or UID (format: <name|uid>[:<group|gid>])

I personally do not run Docker rootless on my machine, which is where I made the tests.
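
The check behind the `-u` approach described above, as an added example that is not code from the issue thread or from the project: a POSIX shell script that builds the numeric `uid:gid` value for `docker run -u` from the invoking host user, validates that it is numeric (a distroless image has no `/etc/passwd` entry to resolve a user name against), starts a throwaway container as that user, and confirms that the file it creates on a bind mount is owned by the same uid on the host. The image name `alpine` and the presence of a Docker CLI are assumptions of this example; the helper functions themselves do not need Docker.

```shell
#!/bin/sh
# Added example, not from the issue or the project. Verifies that a container
# started with `docker run -u UID:GID` writes bind-mounted files owned by the
# host user, with no user-namespace remapping configured on the daemon.
set -eu

# Value for `-u`: numeric uid:gid of the invoking host user. Numeric ids are
# required for distroless images, which cannot resolve user *names*.
host_user_spec() {
    printf '%s:%s' "$(id -u)" "$(id -g)"
}

# Accept only the numeric "uid:gid" form; reject names, missing parts and
# extra separators. Returns 0 when valid, 1 otherwise.
validate_user_spec() {
    spec=$1
    case "$spec" in
        ''|*[!0-9:]*) return 1 ;;        # empty, or contains a non-digit/colon
    esac
    uid=${spec%%:*}
    gid=${spec#*:}
    [ "$uid" != "$spec" ] || return 1    # no colon at all (plain "1000")
    case "$uid$gid" in *:*) return 1 ;; esac   # more than one colon
    [ -n "$uid" ] && [ -n "$gid" ]       # neither side may be empty
}

# Numeric owner uid of a file; GNU stat first, BSD/macOS stat as fallback.
file_owner_uid() {
    stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# owned_by FILE UID -> 0 if FILE's owner uid equals UID
owned_by() {
    [ "$(file_owner_uid "$1")" = "$2" ]
}

# Run a probe container as the host user and confirm the file it creates on a
# bind mount is owned by that user on the host. Returns 2 when no Docker CLI
# is available, 1 on an ownership mismatch, 0 on success.
probe_bind_mount_ownership() {
    image=${1:-alpine}   # assumed image; any image providing /bin/touch works
    command -v docker >/dev/null 2>&1 || {
        echo "docker not found, skipping probe" >&2; return 2; }
    spec=$(host_user_spec)
    validate_user_spec "$spec" || return 1
    dir=$(mktemp -d)
    # The uid need not exist inside the image: the kernel only cares about the number.
    docker run --rm -u "$spec" -v "$dir:/data" "$image" touch /data/probe
    if owned_by "$dir/probe" "${spec%%:*}"; then
        echo "ok: /data/probe on the host is owned by uid ${spec%%:*}"
        rm -rf "$dir"; return 0
    fi
    echo "mismatch: $dir/probe is owned by uid $(file_owner_uid "$dir/probe")" >&2
    rm -rf "$dir"; return 1
}

# Usage: save as probe.sh and run `sh probe.sh` to execute the probe directly.
case "${0##*/}" in probe.sh) probe_bind_mount_ownership || true ;; esac
```

The same `uid:gid` string is what goes into `user:` in a Compose service, and the two numbers map to `securityContext.runAsUser` and `runAsGroup` in Kubernetes. One caveat for anyone reproducing the test on a rootless Docker daemon rather than the usual root-owned daemon: there the container's uids pass through the daemon's subuid/subgid mapping, so the host-side owner of the probe file is a mapped id and the ownership check above will report a mismatch even though the container itself ran as the requested uid.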

@maxwai
Author

maxwai commented Feb 16, 2024

OK, after testing on different systems it's true that this works and doesn't need any additional setup. As this works, I will close the issue. If there is still a need to implement the feature I discussed originally, feel free to reopen the issue.

@maxwai maxwai closed this as completed Feb 16, 2024