Closed yilmazbahadir closed 3 years ago
All processes in the containers are run under root. This does not mean it needs root permission outside of the container. May I see your docker-compose file?
Sure, I meant running the container with a non-root user, not outside of the container. Please see the relevant part of the docker-compose file below.
version: '2.4'
services:
  ...
  https-proxy:
    container_name: https-proxy
    user: '1000:1000'
    image: 'steveltn/https-portal:1'
    stop_signal: SIGINT
    working_dir: /my-workdir
    ports:
      - '80:80'
      - '3001:443'
    environment:
      DOMAINS: 'my-node.example.com -> http://other-container:3000'
      WEBSOCKET: 'true'
      STAGE: production
      SERVER_NAMES_HASH_BUCKET_SIZE: 128
    restart: 'on-failure:2'
    volumes:
      - '../https-proxy:/my-workdir:rw'
  ...
I think the problem is with your volume mounting.
The following line doesn't make sense to me:
- '../https-proxy:/my-workdir:rw'
You take your local folder ../https-proxy, which is on your host machine, and mount it to /my-workdir? /my-workdir is not a path we use in HTTPS-PORTAL. I guess you modified it before posting it? If so, you modified the path INSIDE the container. I'd like to see the original compose you used.
Anyway, remove your user, working_dir, and volumes. Everything should be fine.
Thanks for the replies @SteveLTN. Since I thought it was irrelevant to the question, I modified it before posting. My question was targeting the user line in the compose file. You can think that the below is the version I used prior to posting the question here. So when I run it as it is (with the user line commented - using root user) the files produced at ../gateways/https-proxy path are owned by the root user which I don't like, I'd like to have it owned by the current user, if I uncomment the #user: '1000:1000' line then I got the s6-chown: fatal: unable to chown errors.
Regarding your suggestion removing the user, that was my original question indeed, is it possible to specify a non-root user (less privileged)?
  ...
  https-proxy:
    container_name: https-proxy
    #user: '1000:1000'
    image: 'steveltn/https-portal:1.19'
    stop_signal: SIGINT
    ports:
      - '80:80'
      - '3001:443'
    environment:
      DOMAINS: 'symbol-node-2.rockbear.io -> http://rest-gateway:3000'
      WEBSOCKET: 'true'
      STAGE: production
      SERVER_NAMES_HASH_BUCKET_SIZE: 128
    restart: 'on-failure:2'
    volumes:
      - '../gateways/https-proxy:/var/lib/https-portal:rw'
    depends_on:
      - rest-gateway
  ...
Sorry for the late reply!
I searched it around and found no solution to it. What we know
As far as I know, all processes inside Docker generally need root privilege. According to my research, there is no way to overcome (2) either.
Closing for now. Feel free to reopen!
Hi, when I try to run https-portal in a docker-compose with a non-root user, I get the following error:
I think it's related to the S6-Overlay initialization script which requires a root user, any ideas on how to overcome this would be much appreciated.
Thanks, Baha