Comments (12)
@MathiasVDA What is the issue, running as root you will need to execute
-e RUN_AS_ROOT=TRUE
But by default the container runs as non-root. If you still need the PR to be restricted you can reopen it and make the adjustments and we can review it
from docker-geoserver.
If you still need the PR
The PR is not relevant anymore since too many changes have been made requiring more and more rights.
But by default the container runs as non-root.
The container doesn't run as non-root by default. When you start a vanilla image (docker run kartoza/geoserver), log into the container and execute the whoami command, you'll see you are running as root:
Running as any other user
docker run -u 12345:0 kartoza/geoserver
will result in errors (that will prevent running the image on OpenShift):
groupadd: Permission denied.
groupadd: cannot lock /etc/group; try again later.
The above errors can be solved by modifying the docker command in this way:
docker run -it -e GROUP_NAME=0 -e GEOSERVER_GID=0 -e USER=root -u 12345:0 kartoza/geoserver
But that will then result in other issues:
mkdir: cannot create directory ‘/opt/geoserver’: Permission denied
mkdir: cannot create directory ‘/etc/certs’: Permission denied
mkdir: cannot create directory ‘/opt/footprints_dir’: Permission denied
mkdir: cannot create directory ‘/opt/fonts’: Permission denied
mkdir: cannot create directory ‘/opt/geoserver’: Permission denied
mkdir: cannot create directory ‘/settings’: Permission denied
If you want to be able to really run as non-root, you'll need to modify the Dockerfile so that it executes all the commands that would otherwise be done during container initiation.
Note: you might be running the geoserver daemon as non-root, but that doesn't mean that the container initiation is also done in non-root.
from docker-geoserver.
If you still need the PR
The PR is not relevant anymore since too many changes have been made requiring more and more rights.
But by default the container runs as non-root.
The container doesn't run as non-root by default. When you start a vanilla image (docker run kartoza/geoserver), log into the container and execute the whoami command, you'll see you are running as root:
Running as any other user
docker run -u 12345:0 kartoza/geoserver
will result in errors (that will prevent running the image on OpenShift):
groupadd: Permission denied.
groupadd: cannot lock /etc/group; try again later.
The above errors can be solved by modifying the docker command in this way:
docker run -it -e GROUP_NAME=0 -e GEOSERVER_GID=0 -e USER=root -u 12345:0 kartoza/geoserver
Why specify user as root, this will cause issues. The point of running as non-root is to allow you to specify another user which is not root. So during container start 2 things are happening
- Run setup files as root
- Chown files and folder to the user specified by env variables
But that will then result in other issues:
mkdir: cannot create directory ‘/opt/geoserver’: Permission denied
mkdir: cannot create directory ‘/etc/certs’: Permission denied
mkdir: cannot create directory ‘/opt/footprints_dir’: Permission denied
mkdir: cannot create directory ‘/opt/fonts’: Permission denied
mkdir: cannot create directory ‘/opt/geoserver’: Permission denied
mkdir: cannot create directory ‘/settings’: Permission denied
If you want to be able to really run as non-root, you'll need to modify the Dockerfile so that it executes all the commands that would otherwise be done during container initiation.
I am against this because it hardcodes the users etc and will force everyone to chown their folders to be owned by that specific user before running. The current system works in a better way as it allows users to pass userid and groupid and these are used in the init process. If you have any other suggestions.
Note: you might be running the geoserver daemon as non-root, but that doesn't mean that the container initiation is also done in non-root.
from docker-geoserver.
Openshift will run containers with a random user (which can be simulated with the -u flag in docker run). There is no possibility to define the user as an environmental variable in the docker run command.
Openshift will also not allow to run the setup files as root.
I am against this because it hardcodes the users
But now you force users to use root to start the container
Sorry, I don't want to interfere in what is really a great open source project. It was my purpose to try to improve this project but I now realise that not everyone might see my suggestion as an improvement. Which is absolutely fine. I will close this issue and try to find another method to run geoserver on our OpenShift cluster.
from docker-geoserver.
@MathiasVDA We are not against your suggestions but we need to make sure that when you incorporate them they still also work for standard installs like vanilla Ubuntu, popOS etc.
I think in your previous PR that was closed you could resurrect it but have an if condition in entrypoint that could test the architecture, i.e. https://github.com/kartoza/docker-geoserver/blob/develop/scripts/setup.sh#L89
We do not have much experience with OpenShift. So rather reopen the old PR, make improvements and we can take it from there in the code review. If you remember, the previous PR was closed on the assumption that it was now working.
Another alternative would be to figure out how we could publish the images mainly geared for OpenShift. I am sure there are actions to do this.
from docker-geoserver.
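The "if condition in entrypoint" idea from the last comment, sketched as an added example that is not part of the thread or of kartoza/docker-geoserver: the script branches on the effective UID, so root start-up keeps the existing groupadd/chown path while an arbitrary UID (as with `-u 12345:0`) skips it and only verifies that the directories are usable. The function names and the `REQUIRED_DIRS` variable are hypothetical; the directory list is taken from the mkdir errors quoted in the thread.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not code from kartoza/docker-geoserver).

# Directories the start-up scripts tried to create in the errors quoted above.
REQUIRED_DIRS="/opt/geoserver /etc/certs /opt/footprints_dir /opt/fonts /settings"

# Pick the start-up path from the effective UID ($1 overrides it for testing).
startup_mode() {
    uid="${1:-$(id -u)}"
    if [ "$uid" -eq 0 ]; then
        echo "root-setup"        # may groupadd/useradd/chown, then drop privileges
    else
        echo "preprovisioned"    # arbitrary UID (docker run -u 12345:0): no groupadd, no chown
    fi
}

# Print each directory the current user can neither create nor write to.
# Side effect: creates the directories it is allowed to create.
unusable_dirs() {
    for d in "$@"; do
        if ! mkdir -p "$d" 2>/dev/null || [ ! -w "$d" ]; then
            echo "$d"
        fi
    done
}

# Entrypoint guard: fail early with one clear message instead of a stream of
# "Permission denied" lines. Prints the chosen mode on success.
preflight() {
    mode=$(startup_mode)
    if [ "$mode" = "preprovisioned" ]; then
        bad=$(unusable_dirs "$@")
        if [ -n "$bad" ]; then
            echo "uid $(id -u) cannot write to: $bad" >&2
            echo "create these at image build time, group 0, group-writable" >&2
            return 1
        fi
    fi
    echo "$mode"
}

# Assumed usage in an entrypoint: preflight $REQUIRED_DIRS || exit 1
```

For the non-root path to pass, the image build has to create these directories with group 0 ownership and group write permission, which is the build-time work the thread argues over.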