OpenDroneMap / ODM

A command line toolkit to generate maps, point clouds, 3D models and DEMs from drone, balloon or kite images. 📷
https://opendronemap.org
GNU Affero General Public License v3.0

Add support docker user #1618

Closed HeDo88TH closed 1 year ago

HeDo88TH commented 1 year ago

Closes #1413

pierotofy commented 1 year ago

If we didn't need to mount volumes, this would be fine, but we do.

Honestly I'm not even sure there's a good solution here, aside from creating a separate image that allows rootless execution.

HeDo88TH commented 1 year ago

> • portable.Dockerfile hasn't been updated.
> • The current changes will double the image size (2.71GB from ~1.63GB)
> • This will cause "permission denied" errors while mounting volumes belonging to any directory that doesn't belong to uid 1000 (on macOS) and any other Linux user that is not the first/default user (plus any distro that doesn't start uids with 1000).
>
> If we didn't need to mount volumes, this would be fine, but we do.
>
> Honestly I'm not even sure there's a good solution here, aside from creating a separate image that allows rootless execution.

The increase in size is inexplicable. We can remove the --uid 1000 and try it, I will do some more testing.

For example, Bitnami uses ad-hoc rootless docker images: https://docs.bitnami.com/tutorials/work-with-non-root-containers https://docs.bitnami.com/tutorials/bitnami-best-practices-hardening-containers/#root-and-non-root-containers

HeDo88TH commented 1 year ago

I got an explanation for the increase in size. The ownership of the files and the subsequent USER statement should be put before the compilation. I'm working on some changes to address it.

pierotofy commented 1 year ago

You just need to execute everything in the same RUN statement.

Every RUN statement adds a new layer in Docker, and by changing every file with chown, the RUN statements are creating new layers with twice the size.

But this is not even the most pressing point; what about:

> This will cause "permission denied" errors while mounting volumes belonging to any directory that doesn't belong to uid 1000 (on macOS) and any other Linux user that is not the first/default user (plus any distro that doesn't start uids with 1000).

If this cannot be figured out, it's unnecessary to work on the other points.

I personally don't think there's a good solution.

pierotofy commented 1 year ago

Closing as the concept of root-less execution for a container that needs read access to a mounted volume, with files created by different users, is a no-go.

One can still create their own docker image by following the modifications made in this PR.
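
The uid mismatch discussed in this thread can be checked on the host before a dataset is mounted into a container that runs as a fixed non-root user. The following is an added example, not code from this PR or from ODM: the names `denied` and `audit_mount` are hypothetical, the default uid 1000 is the one mentioned in the thread, and the check assumes plain POSIX mode bits (no ACLs, no user-namespace remapping).

```python
import os
import stat

def denied(st, uid, gids, need):
    """True if the mode bits deny `need` (rwx mask, 4 = read) to a non-root uid."""
    if st.st_uid == uid:
        bits = st.st_mode >> 6      # owner class applies, even if group grants more
    elif st.st_gid in gids:
        bits = st.st_mode >> 3      # group class
    else:
        bits = st.st_mode           # other class
    return (bits & need) != need

def audit_mount(root, uid, gids, writable=False):
    """Return the paths under `root` that the container user could not use.

    Files need read; directories need read + search. With writable=True
    (an output volume) both also need write. Symlinks are skipped.
    Run it as a user who can traverse the whole tree.
    """
    problems = []
    extra = 2 if writable else 0
    for dirpath, _dirs, filenames in os.walk(root):
        entries = [dirpath] + [os.path.join(dirpath, f) for f in filenames]
        for path in entries:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            need = (5 if stat.S_ISDIR(st.st_mode) else 4) | extra
            if denied(st, uid, gids, need):
                problems.append(path)
    return sorted(problems)

if __name__ == "__main__":
    import sys
    # Usage: python audit_mount.py /path/to/dataset [uid] [gid]
    root = sys.argv[1]
    uid = int(sys.argv[2]) if len(sys.argv) > 2 else 1000   # uid from the thread
    gid = int(sys.argv[3]) if len(sys.argv) > 3 else uid    # assumed: gid == uid
    for p in audit_mount(root, uid, {gid}, writable=True):
        print("not accessible to uid", uid, ":", p)
```

An empty result means the mode bits alone would not produce "permission denied" for that uid; any listed path would need its ownership or mode changed on the host, or the container started with a matching uid.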