SteveLTN / https-portal

A fully automated HTTPS server powered by Nginx, Let's Encrypt and Docker.
MIT License

Question: Is it possible to run https-portal with a non-root user? #287

Closed yilmazbahadir closed 3 years ago

yilmazbahadir commented 3 years ago

Hi, when I try to run https-portal in a docker-compose with a non-root user, I get the following error:

s6-chown: fatal: unable to chown /var/run/s6/etc/cont-init.d/00-welcome: Operation not permitted
s6-chown: fatal: unable to chown /var/run/s6/etc/cont-init.d/30-set-docker-gen-status: Operation not permitted
s6-chown: fatal: unable to chown /var/run/s6/etc/cont-init.d/20-setup: Operation not permitted
...

I think it's related to the S6-Overlay initialization script, which requires a root user. Any ideas on how to overcome this would be much appreciated.

Thanks, Baha

SteveLTN commented 3 years ago

All processes in the container are run under root. This does not mean it needs root permission outside of the container. May I see your docker-compose file?

yilmazbahadir commented 3 years ago

Sure, I meant running the container with a non-root user, not outside of the container. Please see the relevant part of the docker-compose file below.

version: '2.4'
services:
    ...
    https-proxy:
        container_name: https-proxy
        user: '1000:1000'
        image: 'steveltn/https-portal:1'
        stop_signal: SIGINT
        working_dir: /my-workdir
        ports:
            - '80:80'
            - '3001:443'
        environment:
            DOMAINS: 'my-node.example.com -> http://other-container:3000'
            WEBSOCKET: 'true'
            STAGE: production
            SERVER_NAMES_HASH_BUCKET_SIZE: 128
        restart: 'on-failure:2'
        volumes:
            - '../https-proxy:/my-workdir:rw'
    ...
SteveLTN commented 3 years ago

I think the problem is with your volume mounting.

The following line doesn't make sense to me: - '../https-proxy:/my-workdir:rw'. You take your local folder ../https-proxy, which is on your host machine, and mount it to /my-workdir? /my-workdir is not a path we use in HTTPS-PORTAL. I guess you modified it before posting it? If so, you modified the path INSIDE the container. I'd like to see the original compose you used.

Anyway, remove your user, working_dir, and volumes. Everything should be fine.

yilmazbahadir commented 3 years ago

Thanks for the replies @SteveLTN. Since I thought it was irrelevant to the question, I modified it before posting. My question was targeting the user line in the compose file. You can take the below as the version I used prior to posting the question here. When I run it as it is (with the user line commented out, i.e. using the root user), the files produced at the ../gateways/https-proxy path are owned by the root user, which I don't like; I'd like to have them owned by the current user. If I uncomment the #user: '1000:1000' line, then I get the s6-chown: fatal: unable to chown errors. Regarding your suggestion of removing the user, that was my original question indeed: is it possible to specify a non-root (less privileged) user?

...
    https-proxy:
        container_name: https-proxy
        #user: '1000:1000'
        image: 'steveltn/https-portal:1.19'
        stop_signal: SIGINT
        ports:
            - '80:80'
            - '3001:443'
        environment:
            DOMAINS: 'symbol-node-2.rockbear.io -> http://rest-gateway:3000'
            WEBSOCKET: 'true'
            STAGE: production
            SERVER_NAMES_HASH_BUCKET_SIZE: 128
        restart: 'on-failure:2'
        volumes:
            - '../gateways/https-proxy:/var/lib/https-portal:rw'
        depends_on:
            - rest-gateway
...
SteveLTN commented 3 years ago

Sorry for the late reply!

I searched around and found no solution to it. What we know:

  1. The S6 overlay must use the root account INSIDE the container.
  2. Docker uses the same user ID inside and outside the container.

As far as I know, all processes inside Docker generally need root privilege. According to my research, there is no way to overcome (2) either.
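The two facts above are the whole ownership problem in this thread: with the image's default user the nginx/s6 processes are uid 0, Docker does not translate uids by default, so every file written into a writable bind mount lands on the host owned by uid 0. The script below is an added example (not part of https-portal or of this issue) that audits a compose-style service definition for exactly that condition, and also shows the arithmetic of Docker's userns-remap feature, where container uid N is presented on the host as the start of the daemon's subordinate uid range plus N. The Service definition is constructed to mirror the shape of the compose file posted above, and the /etc/subuid line "dockremap:100000:65536" is an assumed example value, not something from the page.

```python
"""
Audit a compose service for root-owned files on bind mounts.

Without userns-remap, Docker maps uids 1:1 between container and host, so a
container whose processes run as uid 0 writes uid-0 files into any writable
bind mount.  With userns-remap, container uid N appears on the host as
subuid_start + N.  All inputs below are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ROOT_UID = 0

@dataclass
class Service:
    name: str
    image: str
    volumes: List[str] = field(default_factory=list)  # compose "volumes:" entries
    user: Optional[str] = None  # compose "user:"; None means the image default (root here)

def bind_mounts(service: Service) -> List[Tuple[str, str, str]]:
    """Return (host_path, container_path, mode) for bind mounts only.
    Named volumes ('data:/var/lib/x') have no host path and are skipped."""
    found = []
    for spec in service.volumes:
        parts = spec.split(":")
        if len(parts) < 2:
            continue
        src, dst = parts[0], parts[1]
        mode = parts[2] if len(parts) > 2 else "rw"
        if src.startswith(("/", "./", "../", "~")):
            found.append((src, dst, mode))
    return found

def effective_uid(service: Service) -> int:
    """uid the container's processes start as: 'user:' wins, else the image
    default, which for this image is root."""
    if service.user is None:
        return ROOT_UID
    return int(service.user.split(":")[0])

def parse_subuid(line: str) -> Tuple[int, int]:
    """Parse an /etc/subuid entry 'name:start:count' into (start, count)."""
    _name, start, count = line.strip().split(":")
    return int(start), int(count)

def host_uid(container_uid: int, subuid: Optional[Tuple[int, int]] = None) -> int:
    """Host-side uid a container uid shows up as.  Identity without
    userns-remap; start + uid inside the remapped range with it."""
    if subuid is None:
        return container_uid
    start, count = subuid
    if not 0 <= container_uid < count:
        raise ValueError("container uid %d outside remapped range" % container_uid)
    return start + container_uid

def audit(service: Service, subuid: Optional[Tuple[int, int]] = None) -> List[dict]:
    """One finding per writable bind mount: which host uid new files get."""
    uid = effective_uid(service)
    findings = []
    for src, dst, mode in bind_mounts(service):
        if "ro" in mode.split(","):
            continue  # read-only mount: the container cannot create files there
        on_host = host_uid(uid, subuid)
        findings.append({
            "host_path": src,
            "container_path": dst,
            "container_uid": uid,
            "host_uid": on_host,
            "root_owned_on_host": on_host == ROOT_UID,
        })
    return findings

# Constructed service mirroring the shape of the compose file in the thread.
HTTPS_PROXY = Service(
    name="https-proxy",
    image="steveltn/https-portal:1.19",
    volumes=["../gateways/https-proxy:/var/lib/https-portal:rw"],
)

if __name__ == "__main__":
    print("default daemon:", audit(HTTPS_PROXY))
    # Assumed /etc/subuid entry for a userns-remap enabled daemon.
    remap = parse_subuid("dockremap:100000:65536")
    print("userns-remap:  ", audit(HTTPS_PROXY, remap))
```

The first audit reproduces the situation in the thread: one writable bind mount, written by uid 0, owned by root on the host. The second shows that under userns-remap the same container root shows up as an unprivileged host uid (100000 with the assumed range), which is the property the questioner wanted without changing the user inside the container; the s6 chown errors only appear when `user:` makes the in-container uid non-zero.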

SteveLTN commented 3 years ago

Closing for now. Feel free to reopen!