geosolutions-it / docker-geoserver

Docker Image for GeoServer

OKD kubernetes - non-root user #148

Open Rezorl opened 3 months ago

Rezorl commented 3 months ago

Is it possible to build a geoserver image so that it works for a non-root user? I don't know the user's ID and group at the image building level, only when the container is launched. The image will run on OKD Kubernetes. There is a custom_build.sh file for building your own geoserver image. Is it possible to use this image for this problem?

randomorder commented 3 months ago

Hi @Rezorl, yes, sure. By default the image does not run as root but as a "tomcat" user with UID 1000 and GID 1000. That is configurable in the Dockerfile https://github.com/geosolutions-it/docker-geoserver/blob/master/Dockerfile#L65-L67 or by specifying a build argument at build time to override the defaults.

Rezorl commented 3 months ago

Hi @randomorder

Thanks for the answer!

I am trying to run geoserver version geosolutionsit/geoserver:2.24.4 on OKD. I get an error.

From container logs: [image]

From file /usr/local/tomcat/logs/localhost.2024-06-21.log: [image]

The user who runs the container: [image]

Access on files/folders: [image]

Why am I getting a permission denied error? What do I need to do to solve the problem?

mbartosi commented 3 months ago

Basically this is a situation like this: docker run --user $UID:$GID ... but we don't know UID and GID in advance. And those are dynamically set to different values in different namespaces under OKD.

camuffo commented 2 months ago

Hi @Rezorl. You get the error because the user can't write in the data directory.

If I understand correctly your UID is random. I'm not sure if it also changes every time the Pod is restarted. If the UID is somewhat "static" you might be able to leverage the fsGroup setting.

If fsGroup doesn't work for your case, you can chown the data dir contents using an initContainer, so before GeoServer starts.
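A manifest that puts the two approaches from this comment side by side, as an added example that is not part of the thread or of the docker-geoserver project: the fsGroup setting on the pod, and an initContainer that chowns the data dir before GeoServer starts. Assumed, not taken from the thread: the data dir path /var/geoserver/datadir, the PVC name geoserver-data, port 8080, and that the namespace's SCC lets the init container run as UID 0; the tomcat UID/GID 1000 is the image default stated above.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: geoserver
spec:
  replicas: 1
  selector:
    matchLabels:
      app: geoserver
  template:
    metadata:
      labels:
        app: geoserver
    spec:
      securityContext:
        # Option 1 (fsGroup): the kubelet sets this GID on the mounted volume and adds
        # it as a supplemental group of every container, so the arbitrary UID that OKD
        # assigns can write as long as the files are group-writable.
        fsGroup: 1000
        fsGroupChangePolicy: OnRootMismatch  # skip the recursive chown when the root already matches
      volumes:
        - name: datadir
          persistentVolumeClaim:
            claimName: geoserver-data  # assumed PVC name
      initContainers:
        # Option 2 (initContainer): runs before GeoServer and hands the data dir to the
        # image's default tomcat UID/GID (1000:1000). It needs root, so the SCC applied
        # to this namespace must allow runAsUser 0 for the pod, otherwise the pod is rejected.
        - name: fix-perms
          image: busybox:1.36
          command: ["sh", "-c", "chown -R 1000:1000 /var/geoserver/datadir && chmod -R g+rwX /var/geoserver/datadir"]
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
          volumeMounts:
            - name: datadir
              mountPath: /var/geoserver/datadir
      containers:
        - name: geoserver
          image: geosolutionsit/geoserver:2.24.4
          securityContext:
            runAsNonRoot: true  # fail fast if the pod ever resolves to UID 0
          ports:
            - containerPort: 8080  # Tomcat default, assumed
          volumeMounts:
            - name: datadir
              mountPath: /var/geoserver/datadir  # assumed GeoServer data directory path
```

If the SCC will not grant UID 0, drop the initContainer and rely on fsGroup alone, which still requires the data dir files to be group-writable.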

mbartosi commented 2 months ago

It is somewhat static. Does not change with every pod restart. Just unknown during build time.

Fri, 12 Jul 2024, 18:27, user Francesco Camuffo <@.***> wrote:

Hi @Rezorl https://github.com/Rezorl. You get the error because the user can't write in the data directory.

If I understand correctly your UID is random. I'm not sure if it also changes every time the Pod is restarted. If the UID is somewhat "static" you might be able to leverage the fsGroup https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#configure-volume-permission-and-ownership-change-policy-for-pods setting.

If fsGroup doesn't work for your case, you can chown the data dir contents using an initContainer, so before GeoServer starts.
