Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Question on docker
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
shimitar
Guru
Guru


Joined: 23 Nov 2003
Posts: 331
Location: Italy, Torino

PostPosted: Mon Dec 18, 2023 10:35 am    Post subject: Question on docker Reply with quote

Hi all!
i am new to docker usage, but i need to install a few services on my server that are only provided as docker images (i am referring to LibrePhotos) or for which there are no clear or simple instructions on how to install on bare metal.

I see that the containers and the processes inside are all running as "root" (or uid 999) which greatly annoys me because all my other servies are properly constrained in specific users with groups where data needs to be shared. This docker thing does not goes down well with me.

Following the docker gentoo wiki i have created an unpriviledged user in group "docker" and i am using it to start the containers, but still everything runs as root.

I am sure i am doing something wrong here, as it's hard to believe docker stuff all needs root access.

Any insights?
_________________
Willy Gardiol
willy@gardiol.org
Back to top
View user's profile Send private message
spica
Guru
Guru


Joined: 04 Jun 2021
Posts: 329

PostPosted: Tue Dec 19, 2023 8:41 am    Post subject: Reply with quote

Explore the original Dockerfile utilized in crafting the image and tailor it to meet your specifications.
Additionally, consider supplying a custom UID/GID for use within the container. Keep in mind that
if the image creators did not prioritize specifying privileges within the container, merely assigning
a new UID may not yield the desired outcome.

A little bit about using the same uid/gid inside a container
Back to top
View user's profile Send private message
Hu
Administrator
Administrator


Joined: 06 Mar 2007
Posts: 22578

PostPosted: Wed Dec 20, 2023 1:54 am    Post subject: Re: Question on docker Reply with quote

shimitar wrote:
I am sure i am doing something wrong here, as it's hard to believe docker stuff all needs root access.

Any insights?
As I understand it, your mistake here is in assuming that Docker is sane or reasonable. If I recall correctly, docker build will default to building an image that runs the contained processes as root unless directed otherwise in the Dockerfile build recipe. Therefore, you get the bad behavior by default. To get the good behavior, you need the authors of the relevant images to Do The Right Thing in specifying a non-root user to run as, and arranging for all relevant files in the image to be accessible in the intended way by the non-root user so picked. As spica alludes, if you only override the uid/gid of the contained process and make no other changes, there is a good chance you will break things. This override might work for simple images where the image filesystem is read-only and permissions are lax. Otherwise, the contained process may be relying on its root uid to enable it to access the files it wants.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum