No documentation on how to run Stirling-PDF as non-root in a docker container #332
Comments
Good points |
Trying to consider if I want to do
or have it like
what are your thoughts? |
Whichever works for you. I have no preference. The most important thing is to have all processes run as non-root out of the box. |
Btw, some people also do it with environment variables. |
Environment variables are the only way I know people do it haha |
Much prefer the environment variables myself. Great to see you asking the users what they would like. |
Awesome! Thank you! Cheers! |
Reopening for now until issues resolved |
Hey, just going to leave some notes! Using In a lot of Kubernetes clusters, the only viable solution is the second, as there are policies completely blocking running any workload as root. And also this is the "recommended/best practice" way. I'd really prefer the Thanks |
Hi folks, first thanks for the efforts in getting this set up so we can run it as non-root users. I've just tried to do it very briefly and I seem to get the following errors in the logs. I have a pretty simple config - a non-root user called export PUID=1002 Invoking it like:
The server starts OK as expected, but I don't see any processes running as the Just wanted to flag those errors relating to the /scripts/init.sh calls in case they are relevant. Thanks |
Thanks, will resolve this next patch! |
Try now! |
@Frooodle : OK, the errors are gone and it's successfully running - but it seems to have started with the wrong UID? I have started with PUID/PGID = 1002, which is a new user I created called I couldn't figure out how it loaded at all at first (I have TLS certs in the same directory), but I see it has also chown'ed the extraConfigs and logs directory away from the It's possible I have done something with in the setting of the environment variables here - if I type `set | grep -E 'P(G|U)ID'` I get:
.. and I've confirmed in my /etc/passwd & /etc/group files that the edit: just saw this PR, where I can see the UID/GID are hardcoded in the Dockerfile to be 1000, which I guess might be the cause? 70bbcf1 |
Those values are just there to be overridden by the user |
Woops, sorry, of course - I forgot Docker doesn't just inherit the current environment variables but they need to be specified. Looks like it's working now - I can see the java process running under the correct UID. Thanks for the prompt fix & replies! |
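A check for the situation in the comments above (the process coming up under a different UID than the PUID/PGID that was set), as an added example that is not part of the thread or of Stirling-PDF's own scripts. The function names and the sample status text are constructed for illustration; it assumes Linux `/proc` and a `stat` that supports `-c`.

```shell
#!/bin/sh
# Added example (not Stirling-PDF code): verify that a process and its data
# directories really use the PUID/PGID that was passed to the container.
# Assumes Linux /proc and a stat with -c (GNU coreutils or BusyBox).

# check_ids UID GID < status-text
# Reads /proc/<pid>/status text on stdin. The Uid:/Gid: lines carry four
# values: real, effective, saved, filesystem. All four must match, because
# a leftover saved UID of 0 lets the process switch back to root.
# Returns 0 = all match, 1 = mismatch, 2 = Uid:/Gid: lines missing.
check_ids() {
    awk -v want_uid="$1" -v want_gid="$2" '
        function differs(want,   i) {
            if (NF < 5) return 1
            for (i = 2; i <= 5; i++) if (($i "") != (want "")) return 1
            return 0
        }
        $1 == "Uid:" { seen_u = 1; if (differs(want_uid)) bad = 1 }
        $1 == "Gid:" { seen_g = 1; if (differs(want_gid)) bad = 1 }
        END { if (!seen_u || !seen_g) exit 2; exit (bad ? 1 : 0) }
    '
}

# check_pid PID UID GID: same check against a live process.
check_pid() { check_ids "$2" "$3" < "/proc/$1/status"; }

# check_owner PATH UID GID: owner of a mounted directory (e.g. logs).
check_owner() { [ "$(stat -c '%u:%g' "$1")" = "$2:$3" ]; }

# Constructed sample inputs (real files use tabs; awk splits on both).
SAMPLE_OK='Name: java
Uid: 1002 1002 1002 1002
Gid: 1002 1002 1002 1002'
SAMPLE_SAVED_ROOT='Name: java
Uid: 1002 1002 0 1002
Gid: 1002 1002 1002 1002'

# Usage: sh this-script PID PUID PGID [DIR...]
if [ "$#" -ge 3 ]; then
    pid=$1 uid=$2 gid=$3; shift 3
    check_pid "$pid" "$uid" "$gid" || { echo "pid $pid: not $uid:$gid" >&2; exit 1; }
    for d in "$@"; do
        check_owner "$d" "$uid" "$gid" || { echo "$d: not owned by $uid:$gid" >&2; exit 1; }
    done
fi
```

Run it inside the container (or on the host against the container's PID) with the values you exported, for example PID of the java process, then `1002 1002`, then the mounted directories.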
* init * user and pass to just pass lang update * session management fixes and avoid demo user locking * fix for UMASK and extract cleanups * fixes for user #889 and #332 * increase session count for demo site * fix * gcc * formatting * number fixes init * || true test * version bump * Hardening suggestions for Stirling-PDF / numberFxes (#899) Switch order of literals to prevent NullPointerException Co-authored-by: pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com> --------- Co-authored-by: pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>
I'm sorry, is this now solved? I still don't see documentation to run this in docker as non-root. |
I don't see any description anywhere for how to run Stirling-PDF as non-root. Can someone please provide some pointers there? I tried the normal
- user: "1234:1234"
in docker-compose and a few combinations of dropping volumes while accepting to lose features, but none of that works. Can you please add something to docs on this? There are security implications to running everything as root, especially in a system where files can be uploaded to a server.