Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix #2680 - Run processes in Docker as non-root user (alternative) #3159

Merged
merged 1 commit into from May 20, 2017

Conversation

@Wonderfall
Copy link
Contributor

commented May 20, 2017

Here's an alternative to #3152.
First, #3152 won't work because it's not using correctly busybox adduser (--disabled-login doesn't exist, for example). And another problem is that with #3152, we'll always create a user with the same IDs (1000).

This PR was made with flexibility in mind : UID and GID should be easily set if needed (this can be done using environment variables, defaults are 991). It's also better not to create the user during the build process.

Suggestion : do you want to update docker-compose.yml or .env.production to show how to configure these environment variables? This is not necessary, but I think it's better for visibility.

That being said, I couldn't make it more "transparent" than #3152 : this means actual administrators coming from a previous release will have to chown UID:GID /path/to/public/system. Otherwise, even with optimisations, this will take too much (and useless) time before the process is run. No problem for new installations though, but this PR will require a release note.

@Gargron Gargron merged commit d972845 into tootsuite:master May 20, 2017
1 of 2 checks passed
1 of 2 checks passed
continuous-integration/travis-ci/pr The Travis CI build failed
Details
codeclimate no new or fixed issues
Details
gol-cha added a commit to gol-cha/mastodon that referenced this pull request May 29, 2017
@@ -0,0 +1,4 @@
#!/bin/sh
addgroup -g ${GID} mastodon && adduser -h /mastodon -s /bin/sh -D -G mastodon -u ${UID} mastodon
find /mastodon -path /mastodon/public/system -prune -o -not -user mastodon -not -group mastodon -print0 | xargs -0 chown -f mastodon:mastodon

This comment has been minimized.

Copy link
@maur1th

maur1th Jun 1, 2017

This might have a huge performance impact and is pretty much in contradiction with Docker's philosophy of "start fast". We can already see the effects: #3194

Seems like a bad tradeoff only to be able to set UID/GID.

If someone really wants to use a specific UID/GID, maybe use build args with defaults instead. So they can rebuild the image with whatever UID/GID they want without hampering the container boot time.

This comment has been minimized.

Copy link
@Gargron

Gargron Dec 7, 2017

Member

@Wonderfall I just had this idea: How about checking permissions on one file, and only running the update if they are wrong? There's like 0 chance that permissions will be mixed, so if one file's good, the others are too. This will make startup as fast as before in most cases.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
3 participants
You can’t perform that action at this time.