Not possible anymore to run as non-root about docker-geoserver HOT 12 OPEN

@MathiasVDA What is the issue, running as root you will need to execute

-e RUN_AS_ROOT=TRUE

But by default the container runs as a none-root. If you still need the PR to be restricted you can reopen it and make the adjustments and we can review it

from docker-geoserver.

If you still need the PR
The PR is not relevant anymore since too many changes have been made requiring more and more rights.

But by default the container runs as a none-root.
The container doesn't run as non root by default. When you start a vanilla image docker run kartoza/geoserver, log into the container and execute the whoami command, you'll see you are running as root:

running as any other user docker run -u 12345:0 kartoza/geoserver will result in errors (that will prevent running the image on openshift):

groupadd: Permission denied.
groupadd: cannot lock /etc/group; try again later.

The above errors can be solved by modifying the docker command in this way:
docker run -it -e GROUP_NAME=0 -e GEOSERVER_GID=0 -e USER=root -u 12345:0 kartoza/geoserver

But that will then result in other issues:

mkdir: cannot create directory ‘/opt/geoserver’: Permission denied
mkdir: cannot create directory ‘/etc/certs’: Permission denied
mkdir: cannot create directory ‘/opt/footprints_dir’: Permission denied
mkdir: cannot create directory ‘/opt/fonts’: Permission denied
mkdir: cannot create directory ‘/opt/geoserver’: Permission denied
mkdir: cannot create directory ‘/settings’: Permission denied

If you want to be able to really run as non-root, you'll need to modify the Dockerfile so that it executes all the commands that would otherwise be done during container initiation.

Note: you might be running the geoserver deamon as non-root, but that doesn't mean that the container initiation is also done in non-root.

from docker-geoserver.

If you still need the PR
The PR is not relevant anymore since too many changes have been made requiring more and more rights.

But by default the container runs as a none-root.
The container doesn't run as non root by default. When you start a vanilla image docker run kartoza/geoserver, log into the container and execute the whoami command, you'll see you are running as root:

running as any other user docker run -u 12345:0 kartoza/geoserver will result in errors (that will prevent running the image on openshift):

groupadd: Permission denied.
groupadd: cannot lock /etc/group; try again later.

The above errors can be solved by modifying the docker command in this way: docker run -it -e GROUP_NAME=0 -e GEOSERVER_GID=0 -e USER=root -u 12345:0 kartoza/geoserver

Why specify user as root, this will cause issues. The point of running as non-root is to allow you to specify another user which is not root. So during container start 2 things are happening

1. Run setup files as root
2. Chown files and folder to the user specified by env variables

But that will then result in other issues:

mkdir: cannot create directory ‘/opt/geoserver’: Permission denied
mkdir: cannot create directory ‘/etc/certs’: Permission denied
mkdir: cannot create directory ‘/opt/footprints_dir’: Permission denied
mkdir: cannot create directory ‘/opt/fonts’: Permission denied
mkdir: cannot create directory ‘/opt/geoserver’: Permission denied
mkdir: cannot create directory ‘/settings’: Permission denied

If you want to be able to really run as non-root, you'll need to modify the Dockerfile so that it executes all the commands that would otherwise be done during container initiation.

I am against this because it hardcodes the users etc and will force everyone to chown their folders to be owned by that specific user before running. The current system works in a better way as it allows users to pass userid and groupid and this are used in the initi process. If you have any other suggestions.

Note: you might be running the geoserver deamon as non-root, but that doesn't mean that the container initiation is also done in non-root.

from docker-geoserver.

Openshift will run containers with a random user (which can be simulated with the -u flag in docker run). There is no possibility to define the user as an environmental variable in the docker run command.

Openshift will also not allow to run the setup files as root.

I am against this because it hardcodes the users
But now you force users to use root to start the container

Sorry I don't want to interfere in what is really a great opensource project. It was my purpose to try to improve this project but I now realise that not everyone might see my suggestion as an improvement. Which is absolutely fine. I will close this issue and try to find another method to run geoserver on our openshift cluster.

from docker-geoserver.

@MathiasVDA We are not against your suggestions but we need to make sure that when you incorporate them they still also work for a standard installs like vanilla Ubuntu, popOS etc.

I think in your previous PR that was closed you could resurrect it but have an if condition in entrypoint that could test the architecture i.e https://github.com/kartoza/docker-geoserver/blob/develop/scripts/setup.sh#L89

We have no much experience with open shift. So rather reopen the old PR, make improvements and we can take it from there in the code review. If you remember the previous PR was closed on the assumption that it was now working.

Another alternative would be to figure out how we could publish the images mainly geared for openshift. I am sure there are actions to do this

from docker-geoserver.