This repository has been archived by the owner on Sep 1, 2023. It is now read-only.

Letting the container run with non-root privileges creates ? directory #11

Closed
manuel-wagesreither opened this issue Aug 4, 2022 · 7 comments · Fixed by #12

manuel-wagesreither commented Aug 4, 2022

Hi miy4,

thanks for creating this project, we're using it to create deployment diagrams of our CI pipeline.

We noticed when letting the container run with normal privileges, that is, like so

$ docker run -v ${PWD}:/work -w /work --user $(id -u):$(id -g) --rm [PLANTUML OPTIONS and ARGUMENTS]

it creates an empty ? directory next to the PNG.

Just wanted to make you aware of this, thought you might be interested in hearing about this.

Best regards,
Manuel

Owner

miy4 commented Aug 5, 2022

Hi manuel, thanks for the report!

I was able to reproduce in my environment. With --user option, you've passed the UID and GID to the Docker container, but Alpine Linux on the container side doesn't know these IDs, so the Java runtime looks confused.
The ? directory contains a file named fcinfo.*.properties which is dumped by the Java runtime.

$ ls -AR \?
'?':
.java

'?/.java':
fonts

'?/.java/fonts':
1.8.0_282

'?/.java/fonts/1.8.0_282':
fcinfo-1-bdf28f30a749-Linux-5.10.102.1-microsoft-standard-WSL2-en.properties

Owner

miy4 commented Aug 5, 2022

I noticed that without the --user, the owner of the PNG files generated by PlantUML is root. I guess this is why you use --user. (I noticed just now. It's a shame)

@manuel-wagesreither
Author

> I noticed that without the --user, the owner of the PNG files generated by PlantUML is root. I guess this is why you use --user

Exactly. In the Debian container images I build, I usually don't use --user. Instead, I provide the UID and GID as environment variables and set a custom entrypoint.sh to create a user with the right UID/GID at container runtime. The very last thing entrypoint.sh does is to drop the root privileges using gosu and switch into the just created user.

https://gitlab.com/manuel_wagesreither/bora-proj/-/blob/master/docker/entrypoint.sh#L9

@manuel-wagesreither
Author

I forked your repo and tried to add the solution discussed above. Unfortunately building the docker image fails with gosu not being available. Indeed, it seems to be available in testing only.

Owner

miy4 commented Aug 8, 2022

I am now preparing to address this issue, so this is very helpful. Thank you :)

> Unfortunately building the docker image fails with gosu not being available. Indeed, it seems to be available in testing only.

su-exec does the same thing and is available in the main repos. It looks nice.

Owner

miy4 commented Aug 8, 2022

I made a pull-req. Any comments are appreciated :)

You can explicitly pass UID and GID using environment variables.
And, I added an implicit approach. If you don't use env vars, PlantUML generates the files to have the same UID and GID as the owner of the working directory given by -w, --workdir.
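
The approach discussed in this thread (explicit IDs from environment variables, otherwise the owner of the working directory, then dropping root with su-exec), written as an entrypoint script. This is an added example, not the script from pull request #12; the variable names RUN_UID and RUN_GID, the account name app and the home path /home/app are assumptions.

```shell
#!/bin/sh
# Added example: hypothetical entrypoint.sh, not the script merged in #12.
# RUN_UID / RUN_GID and the account name "app" are assumed names.

# Succeeds only for a non-empty string of decimal digits.
is_numeric_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print "uid:gid" for the process to run as.
# Explicit: RUN_UID/RUN_GID. Implicit: owner of the working directory $1.
resolve_ids() {
    owner=$(stat -c '%u:%g' "$1") || return 1
    uid=${RUN_UID:-${owner%%:*}}
    gid=${RUN_GID:-${owner##*:}}
    is_numeric_id "$uid" && is_numeric_id "$gid" || return 1
    printf '%s:%s\n' "$uid" "$gid"
}

main() {
    # Already unprivileged (e.g. started with --user): nothing to drop.
    [ "$(id -u)" -eq 0 ] || exec "$@"

    ids=$(resolve_ids "$PWD") || { echo "entrypoint: bad UID/GID" >&2; exit 1; }
    uid=${ids%%:*}
    gid=${ids##*:}

    # Root-owned workdir and no override: there is no other user to switch to.
    [ "$uid" -ne 0 ] || exec "$@"

    # Give the IDs a passwd/group entry so the JVM can resolve a real home
    # directory instead of "?". BusyBox addgroup/adduser syntax (Alpine).
    getent group "$gid" >/dev/null || addgroup -g "$gid" app
    group=$(getent group "$gid" | cut -d: -f1)
    getent passwd "$uid" >/dev/null || adduser -D -u "$uid" -G "$group" -h /home/app app

    # Replace this shell with the command, running as the numeric uid:gid.
    exec su-exec "$uid:$gid" "$@"
}

# An entrypoint always receives the command to run as its arguments.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

The numeric check matters because the IDs arrive from the environment and end up as arguments to addgroup, adduser and su-exec while the script is still root.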

miy4 added a commit that referenced this issue Aug 15, 2022
Avoid having ownership issue when using Docker Volumes (fix #11)
@miy4 miy4 closed this as completed in #12 Aug 15, 2022
Owner

miy4 commented Aug 16, 2022

If you want to discuss this further, feel free to reopen it. Thanks for your contribution!
