Closed swagner closed 2 years ago
Indeed, the argument name is IMAGEUSERNAME in the parent Dockerfile: https://github.com/Alfresco/acs-packaging/blob/6.2.0.7/docker-alfresco/Dockerfile but the argument is not inherited. So the current "USER ${USERNAME}" does nothing and Alfresco runs as root.
I propose the following fix: https://github.com/asauvez/alfresco-sdk/commit/53c08a62081db1b9e403b49b1561bdd98c809192
As soon as Alfresco stops running as root, it is not able to write alfresco.log in /usr/local/tomcat/. Since we are in a development environment, I do not see the point of storing logs. They are not visible to the host and we mostly use the console logs with "./run.sh tail". So I remove the logs to alfresco.log in dev-log4j.properties. This only affects the development environment.
I would just like to add that we also ran into this issue and we use the SDK to create production-ready containers, so this oops is a security concern (at least for us).
This has been fixed in SDK 4.3, which will be out in the next few days.
7.x will switch back to the unprivileged user alfresco, while 6.x (that didn't have this separation in the base image yet) will keep running as root.
In either case, the log file destination has been fixed too.
Build arguments are not persisted in images, so they will not be available in builds FROM a parent image.
(Besides the fact that in the Alfresco Dockerfile it's called IMAGEUSERNAME.)
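
The point made in this thread, that a parent image's build arguments are not available to a child build, can be checked before an image ships. The following is an added example, not code from the SDK or from any participant: a small Python lint (the function name `lint_user_instructions` is hypothetical, the sample Dockerfiles are constructed, and the parent image name is a placeholder) that flags `USER` lines whose variable is not declared in the same build stage. Redeclaring the ARG with a default is an assumed remedy used only for illustration.

```python
import re

# Constructed sample shaped like the child Dockerfile discussed above; the
# parent image name is a placeholder and the parent's ARG is invisible here.
SAMPLE_BROKEN = """\
FROM example.invalid/parent-image:tag
USER root
RUN true
USER ${USERNAME}
"""
# Assumed remedy for illustration: redeclare the ARG, with a default, in the child stage.
SAMPLE_FIXED = SAMPLE_BROKEN.replace(
    "USER ${USERNAME}", "ARG USERNAME=alfresco\nUSER ${USERNAME}")

# Matches $NAME, ${NAME} and ${NAME:-default}
VAR_REF = re.compile(r"\$(?:\{(\w+)(:-[^}]+)?\}|(\w+))")

def lint_user_instructions(dockerfile_text):
    """Return [(line_no, variable, reason)] for USER lines that may expand to nothing.

    Limitations: line continuations and quoted ENV values are not parsed, and a
    variable set with ENV in the parent image (ENV, unlike ARG, is persisted)
    is reported too, because the parent is not visible to this check.
    """
    findings, declared = [], {}
    for line_no, raw in enumerate(dockerfile_text.splitlines(), 1):
        instr, _, rest = raw.strip().partition(" ")
        instr, rest = instr.upper(), rest.strip()
        if instr == "FROM":
            declared = {}  # ARGs declared before this FROM are out of scope after it
        elif instr == "ARG" and rest:
            name, eq, default = rest.split()[0].partition("=")
            declared[name] = default if eq else None  # None: relies on --build-arg
        elif instr == "ENV" and rest:
            if "=" in rest.split()[0]:  # ENV k=v k2=v2
                for tok in rest.split():
                    declared[tok.partition("=")[0]] = tok.partition("=")[2]
            else:  # legacy form: ENV k v
                declared[rest.split()[0]] = rest.partition(" ")[2].strip()
        elif instr == "USER":
            for m in VAR_REF.finditer(rest):
                name = m.group(1) or m.group(3)
                if m.group(2):  # ${NAME:-default} always yields a value
                    continue
                if name not in declared:
                    findings.append((line_no, name, "not declared in this stage"))
                elif not declared[name]:
                    findings.append((line_no, name, "declared without a default"))
    return findings
```
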