campsych / concerto-platform

Concerto Platform - Open-Source Online Adaptive Testing Platform
https://concertoplatform.com/
Apache License 2.0

Run docker container as a non-root user #352

Open andrej98 opened 1 year ago

andrej98 commented 1 year ago

Hello, some Kubernetes cluster providers do not allow running the container as the root user for security reasons. So you need to specify spec.template.spec.securityContext.runAsUser: <USERID> in your deployment resource.

However, the design of the Concerto Docker image does not allow this, because in the CMD section there are many commands that require the root user.

To allow this, the Docker image should be built in a way that all the commands that require the root user are executed in the build of the Docker image and commands in the CMD can be executed with another user.

Concerto Platform version

5.0.27 and master

Expected behavior

Application normally deploys on Kubernetes cluster with spec.template.spec.securityContext.runAsUser: <USERID> specified in the deployment resource.

Actual behavior

Pods do not start, because commands in the CMD section fail. Log:

/bin/sh: 1: cannot create /root/env.sh: Permission denied

Steps to reproduce the issue

Option 1. Put spec.template.spec.securityContext.runAsUser: <USERID> in the Kubernetes deployment resource.

Option 2. Put USER <USERID> in the Dockerfile before the CMD section.
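The restructuring proposed in this issue, sketched as an added example (not part of the original issue and not Concerto's actual Dockerfile): root-only steps move into the build, and the CMD writes only to paths an arbitrary UID can reach. The base image, UID 10001, the /app paths, the installed package and the placeholder process are assumptions.

```dockerfile
# Illustrative image, NOT Concerto's Dockerfile. Base image, paths, package
# and the final process are assumptions chosen to mirror the failure in the log.

# --- Before: root-only work deferred to container start (kept as comments) ---
# FROM debian:bookworm-slim
# CMD printenv > /root/env.sh \
#  && chown -R www-data:www-data /app/data \
#  && /app/start.sh
# With runAsUser set, the first redirect already fails:
#   /bin/sh: 1: cannot create /root/env.sh: Permission denied

# --- After: root-only work done at build time --------------------------------
FROM debian:bookworm-slim

# Numeric UID so Kubernetes runAsNonRoot can verify it; the value is an assumption.
ARG APP_UID=10001

# Package installation and directory creation need root, so they run here,
# while the build still executes as root.
RUN apt-get update \
 && apt-get install -y --no-install-recommends ca-certificates \
 && rm -rf /var/lib/apt/lists/* \
 && mkdir -p /app/data /app/run

# Ownership is fixed once at build time instead of on every start.
# Group 0 with g=u lets a UID chosen by the cluster write here too:
# Kubernetes uses GID 0 for the container unless runAsGroup is set.
RUN chown -R ${APP_UID}:0 /app \
 && chmod -R g=u /app

# Point HOME at a writable directory so nothing at runtime touches /root.
ENV HOME=/app/run
WORKDIR /app

# Default to non-root; runAsUser in the pod spec may override the UID.
USER ${APP_UID}:0

# Runtime does only unprivileged work: write the env file under $HOME,
# then exec the long-running process (placeholder for the real service).
CMD ["/bin/sh", "-c", "printenv > \"$HOME/env.sh\" && exec sleep infinity"]
```

Running the built image with `docker run --user <USERID>` for a UID other than the one baked in checks the same condition the cluster enforces before deploying.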