Comments (4)
jpmens
commented on May 24, 2024
Thanks for your suggestion. Why do we need a dedicated user/group on the host system? I don't think this is required.
We'll gladly entertain a pull-request which implements this.
from docker-recorder.
marcopaganini
commented on May 24, 2024
The reason is that it appears volumes can only be mounted as root. Without
volumes, the only other solution is to map something in the host
filesystem. For that, you'd need a host user/group.
…On Mon, Mar 9, 2020 at 9:56 AM JP Mens ***@***.***> wrote:
Thanks for your suggestion. Why do we need a dedicated user/group on the
host system? I don't think this is required.
We'll gladly entertain a pull-request which implements this.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#32?email_source=notifications&email_token=ABYUYBGF4KLOYX7W6IQAYMDRGUNTLA5CNFSM4K7CCS52YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEOICUBQ#issuecomment-596650502>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABYUYBFW6JWSJXNZLHTGXGLRGUNTLANCNFSM4K7CCS5Q>
.
from docker-recorder.
jpmens
commented on May 24, 2024
It is clearly visible that I'm not a Docker specialist, but I cannot imagine requring a host user/group.
In fact this page suggests it's not required, at least that's how I understand it:
FROM <base image>
RUN groupadd -g 999 appuser && \
useradd -r -u 999 -g appuser appuser
USER appuser
From here onwards, our Recorder would run as user appuser, and I think that sounds like what you are asking for.
Are you able to test this, to make sure permissions on the data volume don't need changing?
That same link, btw, explains it is possible to voluntarily launch the container as non-root.
from docker-recorder.
marcopaganini
commented on May 24, 2024
Oh, I'm far from a docker specialist myself. :)
I don't believe your suggestion would work because it seems docker always mounts volumes as root.
See this example:
$ cat Dockerfile
FROM debian
RUN groupadd -g 999 appuser && \
useradd -r -u 999 -g appuser appuser
USER appuser
$ docker build -t voltest:latest .
Sending build context to Docker daemon 2.048kB
Step 1/3 : FROM debian
---> 971452c94376
Step 2/3 : RUN groupadd -g 999 appuser && useradd -r -u 999 -g appuser appuser
---> Using cache
---> c0991713bdaf
Step 3/3 : USER appuser
---> Using cache
---> d325f2b5d689
Successfully built d325f2b5d689
Successfully tagged voltest:latest
$ docker volume create foobar
foobar
$ docker run -it --rm -v foobar:/foobar voltest
appuser@e1edf851f736:/$ ls -ltrd /foobar
drwxr-xr-x 2 root root 4096 Mar 12 04:03 /foobar
appuser@e1edf851f736:/$ id
uid=999(appuser) gid=999(appuser) groups=999(appuser)As we can see, even when we specify a user, docker seems to always mount the volume as root (which is weird, but docker is weird.) The instructions I originally wrote work around this by mounting a directory on the host machine (which is not as nice as a clean volume), but require no modifications to Dockerfile.
If you're open to the idea of patches to the Dockerfile, we can create the appuser command above (with an ID in an env var, defaulting to 999) and upon execution chmod the mounted directory to that user, downgrade privileges and then run ot-recorder with that user.
Would that be an acceptable solution to you?
from docker-recorder.
Related Issues (20)
- Recorder and mqtt client disconnected and not authorised HOT 13
- Environment variable OTR_TOPICS has no effect HOT 3
- http endpoint dead HOT 5
- Trouble getting opencage to work. HOT 8
- Latest pull request is forcing TLS. HOT 4
- Frontend stopped connecting to recorder (crosspost from owntracks/frontend) HOT 3
- Does not work from scratch HOT 7
- Error while deploying with rootless podman HOT 1
- Installed as per instructions - not accessible on port 8083 HOT 7
- Mounts are ignored in docker compose HOT 4
- Docker image expects MQTT topic(s) in OTR_TOPIC env var, but recorder docs describe OTR_TOPICS (plural) HOT 2
- Best practice: How to archive data older than 30 days? HOT 2
- Path /store and /config not working with cifs mount on docker host HOT 5
- Lua script causing container to not boot HOT 1
- Alternative registry HOT 3
- Docker-compose website doesn't get populated with data HOT 7
- docker linux/arm64 build HOT 11
- Cannot lmdb-open MainDB HOT 2
- ot-recorder silently fails on startup HOT 2
- Error: Address not available HOT 6
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from docker-recorder.