Comments (5)
Aren't you discouraging people to run it as root?
Yes, because it's good practice in general.
What is the reason for running the Sinusbot as root? This is the official docker image of it, isn't it?
Running a service inside a docker container as root is not the same as running a service on your "real" server as root. In this case the SinusBot is only running as root inside the docker container. The container is (mostly) isolated from your actual server.
One could argue that even though the container is isolated you should still run the service with as few permissions as possible. That's true but makes things a bit more complicated.
We're using volumes for the scripts and data folder, if we change something then the volumes might not be writable. (haven't looked into this though, not sure but it's not that simple)
If you have a solution then feel free to make a pull request. ^^
If users want to run the container properly with as few permissions as possible: they have the possibility to do it already.
They can use Docker's --userns-remap ... or --user ... flags/parameters to set the user. You will however need to change the ownership of the volumes accordingly.
from docker.
As @irgendwr said, it's more up to the admin to configure a privilege downgrade, e.g. remapping the user IDs: https://docs.docker.com/engine/security/userns-remap/
https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups
I don't recommend changing things like this if you already have running containers; you will destroy all volumes with it because, as already said, you have to remap the UIDs.
Dropping the privileges with a "default" user inside the Dockerfile is a workaround to make it secure by default, but this may collide with other user IDs on the host. I may use the ID 1000 inside the Dockerfile and have an existing user on the host with ID 1000 and extended privileges. I think you get it: it may be a mess if you have running containers with a user ID of a host user.
But we should add a note to the docs/install instructions about this topic, @irgendwr.
from docker.
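The two concerns raised in the comment above (a container UID that matches an existing host account, and volumes the chosen UID cannot write) can be checked before switching to `--user`. This is an added example, not part of the thread or the project's code; the function names, the passwd entries and the paths are hypothetical, constructed values.

```shell
#!/usr/bin/env bash
# Pre-flight checks before starting a container with `--user <uid>`.
# All names, UIDs and paths here are constructed sample values.

# Print the host account that owns UID $2 in passwd file $1.
# Exit status 0 = the UID is already taken on the host, 1 = free.
uid_owner() {
    awk -F: -v uid="$2" '$3 == uid { print $1; found = 1; exit }
                         END { exit !found }' "$1"
}

# Lowest UID >= $2 that no account in passwd file $1 uses.
free_uid() {
    local uid="$2"
    while uid_owner "$1" "$uid" >/dev/null; do uid=$((uid + 1)); done
    echo "$uid"
}

# Paths under volume directory $1 that UID $2 does not own.
not_owned_by() {
    find "$1" ! -user "$2" -print
}

# preflight <passwd-file> <uid> <volume-dir>...  (0 = safe to use --user)
preflight() {
    local passwd="$1" uid="$2" rc=0 owner stale dir
    shift 2
    if owner=$(uid_owner "$passwd" "$uid"); then
        echo "UID $uid is host account '$owner'; $(free_uid "$passwd" "$uid") is free"
        rc=1
    fi
    for dir in "$@"; do
        stale=$(not_owned_by "$dir" "$uid" | wc -l)
        if [ "$stale" -gt 0 ]; then
            echo "$dir: $stale path(s) not owned by UID $uid, chown them first"
            rc=1
        fi
    done
    return "$rc"
}

# Demo on a constructed passwd file and an empty constructed volume dir.
demo=$(mktemp -d) && mkdir "$demo/data"
printf '%s\n' 'root:x:0:0::/root:/bin/sh' \
              'admin:x:1000:1000::/home/admin:/bin/sh' > "$demo/passwd"
preflight "$demo/passwd" 1000 "$demo/data" || true
rm -rf "$demo"
```

On a real host, pass `/etc/passwd` and the host directories backing the scripts and data volumes.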
A majority of docker images run as root in their container, including the official TeamSpeak image.
from docker.
Yes, many docker images run as root, but I don't see a reason here as there is another Sinusbot docker image which doesn't run it as root. And don't get me wrong, I was just curious and it's not that much of a problem. I may have a look at it sometime.
from docker.
Yep, previous versions of the sinusbot would refuse to run as root in docker containers, but we decided that in that case it would make sense to add an exception.
I'm leaving this issue open for now and we'll probably look into it sometime.
The only thing that worries me is that users will need to change ownership of the volumes which will probably lead to people complaining that their docker container is no longer working/"has a bug".
Dunno, we'll see.
from docker.