rootless containers about dokku HOT 10 CLOSED

This is view from inside the container:

root           1  0.0  0.0 1228052 4240 ?        Ssl  08:19   0:00 /start web
herokui+      14  0.0  0.9 1171488 73588 ?       Sl   08:19   0:00 npm start
herokui+     165  0.0  0.0   2892   960 ?        S    08:20   0:00 sh -c node index.js
herokui+     166  0.0  0.6 992052 50476 ?        Sl   08:20   0:00 node index.js
root         199  0.0  0.0   4628  3908 pts/0    Ss   08:31   0:00 bash
root         212  0.0  0.0   7064  1604 pts/0    R+   08:31   0:00 ps aux

from dokku.

Regarding herokuish, its probably possible to change things to be as you said without any drawbacks. Dokku doesn't necessarily require root permissions at runtime - build processes within the container might, but thats a separate conversation.

If you have a specific set of changes you'd like to see done, the changes are probably split between the herokuish repo - to change the default CMD on the herokuish images for instances - and here in Dokku. Could you outline specific changes you'd want to see, and are you interested in contributing those changes?

from dokku.

The goal is to have rootless Dokku/Herokuish containers compatible with PSS (at Kubernetes). It's beneficial for Docker containers, too.
I am reviewing what exactly Herokuish images require to change. I'm happy to participate/contribute.

from dokku.

So I've checked the herokuish what exactly does it - do you want me to keep this posted here or as a separate bug request under herokuish repo?
The app containers built by the herokuish buildpacks should be immutable. Currently, they are not.
I have a set of changes to propose. Some of them are currently in my copy of the repo :)

from dokku.

Mind if we take this conversation to slack or discord? Might be better to coordinate there before committing to any larger changes :)

from dokku.

Mind if we take this conversation to slack or discord? Might be better to coordinate there before committing to any larger changes :)

Yeah, the link to Slack gives me CF error:

Error 1014 Ray ID: 85b171c738c241de • 2024-02-25 16:49:56 UTC
CNAME Cross-User Banned

from dokku.

Looks like the provider we use for the inviter broke recently. I'll fix our invite link this week if they can't, but mind trying discord for now?

from dokku.

I also sent you an invite manually to the email on your github account to the slack.

from dokku.

I also sent you an invite manually to the email on your github account to the slack.

Cool, thanks. Joined.

from dokku.

Part of this is implemented here, but I think the big ask here by @taraszka is to ensure we can enable Kubernetes PSP on a cluster. Most of the work should happen downstream in herokuish here so I'm going to close this for now.

That said, if there are specific things we can/should enable, please file a ticket for those. "Rootless containers" is pretty big and vague, and I'd rather avoid this kind of ticket since they tend to run for a long time without any clear path to resolution.

from dokku.