FredHutch / motuz

Motuz - A web based infrastructure for large scale data movements between on-premise and cloud
MIT License
104 stars 12 forks

Podman support #406

Open hakong opened 2 years ago

hakong commented 2 years ago

Does Motuz have support for Podman (the rootless version of docker, from Red Hat)?

hakong commented 2 years ago

Relates a bit to https://github.com/FredHutch/motuz/issues/405 as well. Podman uses the podman-compose command as a drop-in replacement for docker-compose or docker compose.

dtenenba commented 2 years ago

I have not heard of Podman before today but I imagine the answer is no. The celery container in Motuz needs to run as root and then "become" other users by using the su command, so users have appropriate permissions on the filesystems mounted into the container.

hakong commented 2 years ago

Alright, cool. Podman is supposedly more secure by design so I guess podman support would be cool. It's also the default container software in the Red Hat OS family. But no big deal if this isn't on the roadmap.

hakong commented 2 years ago

I'll give it a stab later this week, maybe it works fine. If Motuz doesn't need anything run as root then it should work without much hassle.

dtenenba commented 2 years ago

Motuz as it stands currently definitely needs to run as root - at least the celery container does. It may be possible to refactor it to use a setuid binary or other workarounds but I do not expect it to work out of the box with podman and without root.

hakong commented 2 years ago

What does the celery container do that requires root access?

dtenenba commented 2 years ago

It runs as root because it kicks off copy jobs which run as logged in users. So if I log in as jdoe, the celery container will run a command as me by using the su command. This can only be done with root permission.
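
The privilege model described in this comment (a root worker that "becomes" the logged-in user per job), as an added example that is not Motuz code and not part of this thread. The helper names (`can_switch_to`, `run_as_user`, `lookup_user`) and the sample job are assumptions. It swaps `su` for the `user=`/`group=` parameters of `subprocess.run` (Python 3.9+), which perform the same setuid/setgid in the child without a shell or PAM in the path, and it makes the root requirement explicit: an unprivileged worker, which is what rootless Podman gives you, can only "switch" to the uid it already has.

```python
"""Root worker that runs each copy job as the requesting user.

Added example, not Motuz code. Helper names and the sample job are
assumptions; the setuid/setgid step is subprocess's user=/group=
(Python 3.9+) instead of `su`.
"""
import os
import pwd
import subprocess
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class JobResult:
    returncode: int
    stdout: str
    stderr: str


def current_ids() -> Tuple[int, int]:
    """Effective uid/gid of the worker itself."""
    return os.geteuid(), os.getegid()


def can_switch_to(uid: int) -> bool:
    """setuid() to an arbitrary uid needs euid 0 (which is what `su`
    relies on); becoming the uid you already are is always permitted."""
    return os.geteuid() == 0 or uid == os.geteuid()


def lookup_user(username: str) -> Tuple[int, int, str]:
    """Resolve a login name to (uid, primary gid, home) via the passwd db."""
    pw = pwd.getpwnam(username)
    return pw.pw_uid, pw.pw_gid, pw.pw_dir


def run_as_user(uid: int, gid: int, argv: List[str],
                home: Optional[str] = None) -> JobResult:
    """Run argv with real and effective uid/gid set to (uid, gid) in the
    child, so anything it writes on a bind-mounted filesystem is owned by
    that user. Fails early instead of letting the child die with EPERM."""
    if not can_switch_to(uid):
        raise PermissionError(
            f"euid {os.geteuid()} cannot become uid {uid}: this step needs root"
        )
    # Minimal environment: the job should not inherit the worker's secrets.
    env = {"PATH": "/usr/bin:/bin", "HOME": home or os.getcwd()}
    proc = subprocess.run(argv, user=uid, group=gid, env=env,
                          capture_output=True, text=True, check=False)
    return JobResult(proc.returncode, proc.stdout.strip(), proc.stderr.strip())


# Constructed sample jobs: instead of a real copy, the child reports the
# uid/gid it ended up with, so the privilege drop is observable.
REPORT_UID = [sys.executable, "-c", "import os; print(os.geteuid())"]
REPORT_GID = [sys.executable, "-c", "import os; print(os.getegid())"]


def demo() -> str:
    """Run the sample job as the worker's own user; returns the reported uid."""
    euid, egid = current_ids()
    return run_as_user(euid, egid, REPORT_UID).stdout


if __name__ == "__main__":
    print("child ran as uid", demo())
    euid, egid = current_ids()
    if euid != 0:
        # Rootless case: switching to any other uid is refused up front.
        try:
            run_as_user(euid + 1, egid, REPORT_UID)
        except PermissionError as exc:
            print("as expected without root:", exc)
```

When the worker does run as root, `lookup_user("jdoe")` supplies the uid, gid and home to pass to `run_as_user`; when it does not, the same call raises before any child is spawned, which is the failure a rootless Podman deployment would hit.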

hakong commented 2 years ago

Ok, makes sense. That's less fun to run as non-root :)