Open Rezorl opened 3 months ago
Hi @Rezorl Yes sure. By default the image does not run as root but with a "tomcat" user with UID 1000 and GID 1000. That is configurable in the Dockerfile https://github.com/geosolutions-it/docker-geoserver/blob/master/Dockerfile#L65-L67 or by specifying a build argument at build time to override the defaults.
Hi @randomorder
Thanks for the answer!
I am trying to run geoserver version geosolutionsit/geoserver:2.24.4 on OKD. I get an error: From container logs: From file /usr/local/tomcat/logs/localhost.2024-06-21.log:
The user who runs the container:
Access on files/folders:
Why am I getting a permission denied error? What do I need to do to solve the problem?
Basically this is a situation like this: docker run --user $UID:$GID ... but we don't know UID and GID in advance. And those are dynamically set to different values in different namespaces under OKD.
Hi @Rezorl. You get the error because the user can't write in the data directory.
If I understand correctly your UID is random. I'm not sure if it also changes every time the Pod is restarted. If the UID is somewhat "static" you might be able to leverage the fsGroup setting.
If fsGroup doesn't work for your case, you can chown the data dir contents using an initContainer, so before GeoServer starts.
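The two options from the reply above (fsGroup, or an initContainer that fixes ownership before GeoServer starts), written out as a Pod manifest. This is an added example, not part of the original thread or the project's files; the GID 2000, the Pod, volume and claim names, and the data directory mount path are assumptions or placeholders.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: geoserver                      # hypothetical name
spec:
  securityContext:
    # Supplemental group given to every container and applied to the volume
    # at mount time, so the runtime-assigned UID can write to it without being
    # known at build time. 2000 is a constructed value; on OKD use a GID that
    # the namespace's security context constraints allow.
    fsGroup: 2000
    # Skip the recursive ownership change when the volume root already matches.
    fsGroupChangePolicy: OnRootMismatch
  initContainers:
    # Fallback for volume types that ignore fsGroup. Changing group ownership
    # of files owned by someone else needs root, so only this short-lived
    # container asks for UID 0; the cluster policy must admit that.
    - name: fix-datadir-perms
      image: geosolutionsit/geoserver:2.24.4   # reused only for its shell tools (assumption)
      command: ["sh", "-c", "chgrp -R 2000 /data && chmod -R g+rwX /data"]
      securityContext:
        runAsUser: 0
      volumeMounts:
        - name: datadir
          mountPath: /data
  containers:
    - name: geoserver
      image: geosolutionsit/geoserver:2.24.4
      securityContext:
        allowPrivilegeEscalation: false
      volumeMounts:
        - name: datadir
          mountPath: /path/to/geoserver/datadir   # placeholder: the image's data directory
  volumes:
    - name: datadir
      persistentVolumeClaim:
        claimName: geoserver-datadir   # hypothetical PVC
```

In practice one of the two is enough: keep `fsGroup` when the storage honours it, and drop the initContainer so that nothing in the Pod needs to run as root.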
It is somewhat static. Does not change with every pod restart. Just unknown during build time.
Fri, 12 Jul 2024, 18:27 Francesco Camuffo < @.***> wrote:
Hi @Rezorl https://github.com/Rezorl. You get the error because the user can't write in the data directory.
If I understand correctly your UID is random. I'm not sure if it also changes every time the Pod is restarted. If the UID is somewhat "static" you might be able to leverage the fsGroup https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#configure-volume-permission-and-ownership-change-policy-for-pods setting.
If fsGroup doesn't work for your case, you can chown the data dir contents using an initContainer, so before GeoServer starts.
Is it possible to build a geoserver image so that it works for a non-root user? I don't know the user's ID and group at the image building level, only when the container is launched. The image will run on OKD Kubernetes. There is a custom_build.sh file for building your own geoserver image. Is it possible to use this image for this problem?